From 884bcaac63d0ee0659eadaa9b2907cadd859ec2a Mon Sep 17 00:00:00 2001
From: Tobias Birmili
Date: Mon, 29 Jun 2020 15:47:16 +0200
Subject: [PATCH] feat: add the possibility to restrict service user to specific zones
---
 iam.tf | 6 ++----
 variables.tf | 5 +++++
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/iam.tf b/iam.tf
index fd5fc66..98680ee 100644
--- a/iam.tf
+++ b/iam.tf
@@ -17,12 +17,9 @@ data "aws_iam_policy_document" "external_dns" {
     actions = [
       "route53:ChangeResourceRecordSets",
-      "route53:ListTagsForResource"
     ]
-    resources = [
-      "arn:aws:route53:::hostedzone/*",
-    ]
+    resources = [ for id in var.policy_allowed_zone_ids: "arn:aws:route53:::hostedzone/${id}"]
     effect = "Allow"
   }
@@ -33,6 +30,7 @@ data "aws_iam_policy_document" "external_dns" {
     actions = [
       "route53:ListHostedZones",
       "route53:ListResourceRecordSets",
+      "route53:ListTagsForResource",
     ]
     resources = [
diff --git a/variables.tf b/variables.tf
index 9c08fc4..b900b60 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,6 +3,11 @@ variable "cluster_name" {}
 variable "cluster_identity_oidc_issuer" {}
 variable "cluster_identity_oidc_issuer_arn" {}
+variable "policy_allowed_zone_ids" {
+  type = list(string)
+  default = ["*"]
+}
+
 # external-dns
 variable "enabled" {
   type = bool
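Review bot: An empty `policy_allowed_zone_ids` turns the new `resources` for-expression in the first iam.tf hunk into `[]`, leaving the ChangeResourceRecordSets statement with no resource at all, which is likely to be rejected when the policy is applied rather than at plan time; either reject the empty list up front or document on the variable that at least one zone ID (or `"*"`) is required. The expression is also not in `terraform fmt` form, which would write it as `resources = [for id in var.policy_allowed_zone_ids : "arn:aws:route53:::hostedzone/${id}"]`. The enclosing `statement` block begins before the hunk.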
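Review bot: `route53:ListTagsForResource` is removed from the zone-scoped statement and added here among the list actions in the second iam.tf hunk, so the per-zone restriction this commit introduces no longer covers it even though the action accepts hosted-zone ARNs as resources; this statement's `resources` list is cut off by the hunk, but if it is a plain `"*"` then tag reads remain possible on every zone. If that is deliberate (external-dns presumably needs the tags of all zones to evaluate a zone-tag filter), a comment beside the action would record the trade-off: `# kept unscoped: zone-tag filtering needs the tags of every hosted zone`. The statement continues past the end of the hunk.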
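Review bot: The new `policy_allowed_zone_ids` variable in variables.tf has no `description`, and its `["*"]` default silently keeps the unrestricted hosted-zone access that the commit exists to narrow, so a reader of the module has no hint that the value is a list of hosted zone IDs rather than ARNs or that the default is wide open. A one-line description would cover both: `description = "Route53 hosted zone IDs (not ARNs) that external-dns may change records in; the default \"*\" allows every zone."`.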