Type: Bug
Resolution: Unresolved
Priority: Normal
Target Version: 4.16.z
This is a clone of issue OCPBUGS-33171. The following is the description of the original issue:
Description of problem:
Currently, CAPA performs ec2:CreateTags on ENIs after they have been created via EC2 instance creation, but it's possible to tag the ENIs through the ec2:RunInstances action (i.e. during instance creation). It's beneficial to tag the ENIs during instance creation to eliminate the possibility of accidentally performing actions against other ENIs in customer AWS accounts.
For example, we could use an AWS IAM Policy for CAPA that looks like:
    {
      "Sid": "CreateTagsRunInstances",
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [ "RunInstances" ],
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    }
as opposed to also requiring:
    {
      "Sid": "ReconcileTags",
      "Effect": "Allow",
      "Action": [ "ec2:CreateTags" ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    }
(There's no known codepath where we accidentally tag a customer EBS volume/ENI, but the bug report is emphasizing that we have the permissions to accidentally do so.)
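The difference between the two statements above is what the IAM request context contains. When tags are supplied through TagSpecifications inside RunInstances, IAM evaluates the implicit ec2:CreateTags with the ec2:CreateAction condition key set to "RunInstances"; a standalone CreateTags call against an ENI that already exists has no ec2:CreateAction key at all, so a StringEquals condition on that key fails. The following is an added example (not code from the bug report or from CAPA) that models that evaluation for the two quoted statements. It is a deliberately simplified evaluator: Allow statements only, no Deny, no policy variables, single-valued condition keys, and a constructed ENI ARN with a placeholder account ID.

```python
"""Added example: why the RunInstances-scoped CreateTags statement cannot be
used to re-tag a pre-existing customer ENI, while the ReconcileTags statement
can. Simplified IAM semantics; not CAPA code."""
import re

# The two statements quoted in the report, as Python dicts.
CREATE_TAGS_RUN_INSTANCES = {
    "Sid": "CreateTagsRunInstances",
    "Effect": "Allow",
    "Action": ["ec2:CreateTags"],
    "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:volume/*",
    ],
    "Condition": {"StringEquals": {
        "ec2:CreateAction": ["RunInstances"],
        "aws:RequestTag/red-hat-managed": "true",
    }},
}

RECONCILE_TAGS = {
    "Sid": "ReconcileTags",
    "Effect": "Allow",
    "Action": ["ec2:CreateTags"],
    "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:volume/*",
    ],
    "Condition": {"StringEquals": {"aws:RequestTag/red-hat-managed": "true"}},
}

# Constructed ENI ARN; the account ID is a placeholder, not a real account.
CUSTOMER_ENI = "arn:aws:ec2:us-east-1:111122223333:network-interface/eni-0abc"


def _arn_matches(pattern, arn):
    # IAM resource patterns use * and ? wildcards; translate them to a regex.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def statement_allows(stmt, action, resource, context):
    """Allow only if the action and resource match and every StringEquals key
    is present in the request context with a permitted value. A key that is
    absent from the context (no ec2:CreateAction on a standalone CreateTags)
    makes StringEquals evaluate to false, as real IAM does for single-valued
    keys."""
    if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
        return False
    if not any(_arn_matches(p, resource) for p in stmt["Resource"]):
        return False
    for key, allowed in stmt.get("Condition", {}).get("StringEquals", {}).items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if context.get(key) not in allowed:
            return False
    return True


def request_context(tags, create_action=None):
    """Build the condition context IAM derives from a tagging request: one
    aws:RequestTag/<key> entry per tag, plus ec2:CreateAction only when the
    tags ride along inside a creating call such as RunInstances."""
    ctx = {"aws:RequestTag/" + k: v for k, v in tags.items()}
    if create_action:
        ctx["ec2:CreateAction"] = create_action
    return ctx


def standalone_retag_allowed(stmt):
    # After-the-fact CreateTags on an ENI that already exists.
    return statement_allows(stmt, "ec2:CreateTags", CUSTOMER_ENI,
                            request_context({"red-hat-managed": "true"}))


def tag_on_create_allowed(stmt):
    # The same tag, applied through TagSpecifications inside RunInstances.
    return statement_allows(stmt, "ec2:CreateTags", CUSTOMER_ENI,
                            request_context({"red-hat-managed": "true"}, "RunInstances"))


if __name__ == "__main__":
    for stmt in (CREATE_TAGS_RUN_INSTANCES, RECONCILE_TAGS):
        print(stmt["Sid"], "on-create:", tag_on_create_allowed(stmt),
              "standalone:", standalone_retag_allowed(stmt))
```

The point the evaluator makes concrete: with only CreateTagsRunInstances in the policy, a controller bug that issued CreateTags against an arbitrary ENI in the customer account would be denied by IAM, whereas ReconcileTags permits it for any ENI as long as the request carries red-hat-managed=true. Note that ReconcileTags still allows the on-create path too; the tightening comes from removing it, not from adding the first statement.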
Version-Release number of selected component (if applicable):
All
How reproducible:
100%
Steps to Reproduce:
1. Create an AWS HyperShift cluster (not specific to ROSA HCP, it's a CAPA bug)
Actual results:
Observe that volumes/ENIs are not tagged during ec2:RunInstances. In CloudTrail, the request for ec2:RunInstances will only have:
    "tagSpecificationSet": {
      "items": [
        { "resourceType": "instance", "tags": [...] }
      ]
    }
and no tags for resourceType volume/network-interface.
Expected results:
ec2:RunInstances tags volumes/network-interfaces on creation
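The CloudTrail shape quoted under Actual results is also the easiest way to verify the fix: a RunInstances record whose tagSpecificationSet lists only resourceType "instance" means volumes and ENIs were created untagged and had to be tagged afterwards. Below is an added example (not from the bug report or CAPA) that audits a RunInstances event for which resource types were tagged at creation, and shows the TagSpecifications shape, in the form the AWS SDK / boto3 RunInstances call accepts, that tags all three atomically. The event is constructed to mirror the quoted record; the tag key is the one used in the policy above.

```python
"""Added example: audit a CloudTrail RunInstances record for resource types
tagged at creation, and build the TagSpecifications that would fix it."""
import json

# Constructed CloudTrail record trimmed to the fields this check reads; it
# mirrors the shape quoted in the report and is not from a real account.
SAMPLE_EVENT = json.loads("""
{
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "requestParameters": {
    "tagSpecificationSet": {
      "items": [
        {"resourceType": "instance",
         "tags": [{"key": "red-hat-managed", "value": "true"}]}
      ]
    }
  }
}
""")

# Resource types RunInstances creates that CAPA wants tagged in the same call.
EXPECTED_TYPES = {"instance", "volume", "network-interface"}


def tagged_resource_types(event):
    """Set of resourceType values that carried at least one tag in a
    RunInstances call; empty for other events or when no tagSpecificationSet
    was sent."""
    if event.get("eventName") != "RunInstances":
        return set()
    items = (event.get("requestParameters", {})
                  .get("tagSpecificationSet", {})
                  .get("items", []))
    return {item["resourceType"] for item in items if item.get("tags")}


def untagged_at_create(event, expected=EXPECTED_TYPES):
    """Resource types this RunInstances call creates but does not tag, i.e.
    the ones that would otherwise need a follow-up ec2:CreateTags."""
    return set(expected) - tagged_resource_types(event)


def fixed_tag_specifications(tags):
    """TagSpecifications parameter for RunInstances (SDK / boto3 key casing)
    that applies the same tags to instance, volume and network-interface so
    no post-creation CreateTags is needed."""
    tag_list = [{"Key": k, "Value": v} for k, v in tags.items()]
    return [{"ResourceType": rt, "Tags": tag_list} for rt in sorted(EXPECTED_TYPES)]


if __name__ == "__main__":
    missing = untagged_at_create(SAMPLE_EVENT)
    print("tagged at create:", sorted(tagged_resource_types(SAMPLE_EVENT)))
    print("still needing CreateTags:", sorted(missing))
    print(json.dumps(fixed_tag_specifications({"red-hat-managed": "true"}), indent=2))
```

Run the audit over the RunInstances events in a CloudTrail export (one JSON record per event) after the fix lands: untagged_at_create should return an empty set for every record, which is the observable form of the Expected results above.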
Additional info:
Issue links:
- depends on: OCPBUGS-33171 Tag ENIs during ec2:RunInstance instead of after creation (Closed)
- is depended on by: OCPBUGS-39521 [ocp 4.15] Tag ENIs during ec2:RunInstance instead of after creation (ASSIGNED)