Hi,
We have a client that wants a very restricted installation of OpenShift 4.12 in AWS with predefined VPC, Security Groups... and doesn't want to grant some permissions to the installer account, for example:
iam:PassRole
ec2:AuthorizeSecurityGroupIngress
ec2:CreateSecurityGroup
ec2:RevokeSecurityGroupIngress
The problem of <Iam:PassRole = resource "*" is that they want to make it more granular on the specified resource.
We are struggling with that because the resources (instance profiles) are created dynamically during installation so we don't know how to target them beforehand.
And there's also the Security Group problem, we can't figure out how to target predefined SGs in the terraform files. But we are also close.
Any help will be welcome :)
Thx