chore: Add aps permission to role and clean up permissions (#142)

* chore: Add aps permission to role and clean up permissions

Signed-off-by: Jorge Turrado <[email protected]>

* Fix typo and add comment

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>

terraform/modules/aws/iam/main.tf

@@ -71,41 +71,10 @@ resource "aws_iam_role_policy_attachment" "keda_role_assignement" {
   policy_arn = aws_iam_policy.policy.arn
 }
 
-// TO REMOVE AFTER MERGING https://github.com/kedacore/keda/pull/5061
-resource "aws_iam_role" "roles" {
-  count = length(aws_iam_openid_connect_provider.oidc_providers)
-  name  = var.identity_providers[count.index].role_name
-  tags  = var.tags
-
-  assume_role_policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "Federated": "${aws_iam_openid_connect_provider.oidc_providers[count.index].arn}"
-            },
-            "Action": "sts:AssumeRoleWithWebIdentity",
-            "Condition": {
-                "StringEquals": {
-                    "${replace(var.identity_providers[count.index].oidc_issuer_url, "https://", "")}:sub": "system:serviceaccount:keda:keda-operator",
-                    "${replace(var.identity_providers[count.index].oidc_issuer_url, "https://", "")}:aud": "sts.amazonaws.com"
-                }
-            }
-        }
-    ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "role_assignements" {
-  count      = length(aws_iam_role.roles)
-  role       = aws_iam_role.roles[count.index].name
-  policy_arn = aws_iam_policy.policy.arn
-}
-// END TO REMOVE
-
+// This is the primary role to be used for almost all the
+// e2e tests. It allows any action over any (suported resource)
+// except over the assume role queues. This role also allows
+// to assume workload-1 role using sts:AssumeRole
 resource "aws_iam_policy" "policy" {
   name = "e2e-test-policy"
   tags = var.tags
@@ -114,100 +83,26 @@ resource "aws_iam_policy" "policy" {
 {
     "Version": "2012-10-17",
     "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "dynamodb:*",
-            "Resource": [
-                "arn:aws:dynamodb:*:589761922677:table/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "dynamodb:*",
-            "Resource": [
-                "arn:aws:dynamodb:*:589761922677:table/*/stream/*",
-                "arn:aws:dynamodb:*:589761922677:table/*/index/*",
-                "arn:aws:dynamodb:*:589761922677:table/*/backup/*",
-                "arn:aws:dynamodb:*:589761922677:table/*/export/*",
-                "arn:aws:dynamodb::589761922677:global-table/*",
-                "arn:aws:dynamodb:*:589761922677:table/*/import/*"
-            ]
-        },
         {
             "Effect": "Allow",
             "Action": [
-                "cloudwatch:PutMetricData",
-                "cloudwatch:GetMetricData",
-                "dynamodb:ListTables",
-                "kinesis:ListShards",
-                "dynamodb:PurchaseReservedCapacityOfferings",
-                "cloudwatch:DeleteAnomalyDetector",
-                "cloudwatch:ListMetrics",
-                "cloudwatch:DescribeAnomalyDetectors",
-                "kinesis:ListStreams",
-                "dynamodb:DescribeReservedCapacityOfferings",
-                "cloudwatch:DescribeAlarmsForMetric",
-                "cloudwatch:ListDashboards",
-                "cloudwatch:PutAnomalyDetector",
-                "dynamodb:ListImports",
-                "cloudwatch:GetMetricWidgetImage",
-                "dynamodb:DescribeLimits",
-                "dynamodb:ListExports",
-                "kinesis:DescribeLimits",
-                "kinesis:DisableEnhancedMonitoring",
-                "cloudwatch:PutManagedInsightRules",
-                "cloudwatch:DescribeInsightRules",
-                "sqs:ListQueues",
-                "kinesis:EnableEnhancedMonitoring",
-                "dynamodb:ListBackups",
-                "cloudwatch:GetMetricStatistics",
-                "cloudwatch:ListManagedInsightRules",
-                "dynamodb:ListStreams",
-                "kinesis:UpdateStreamMode",
-                "dynamodb:ListContributorInsights",
-                "dynamodb:ListGlobalTables",
-                "cloudwatch:ListMetricStreams",
-                "dynamodb:DescribeReservedCapacity",
-                "secretsmanager:CreateSecret",
-                "secretsmanager:GetSecretValue",
-                "secretsmanager:DeleteSecret",
-                "kinesis:UpdateShardCount"
+                "aps:*",
+                "cloudwatch:*",
+                "dynamodb:*",
+                "kinesis:*",
+                "sqs:*",
+                "secretsmanager:*",
+                "kms:*"
             ],
             "Resource": "*"
         },
-        {
-            "Effect": "Allow",
-            "Action": "sqs:*",
-            "Resource": [
-                "arn:aws:sqs:*:589761922677:*"
-            ]
-        },
         {
             "Effect": "Deny",
             "Action": "sqs:GetQueueAttributes",
             "Resource": [
                 "arn:aws:sqs:*:589761922677:assume-role-*"
             ]
         },
-        {
-            "Effect": "Allow",
-            "Action": "cloudwatch:*",
-            "Resource": [
-                "arn:aws:cloudwatch:*:589761922677:alarm:*",
-                "arn:aws:cloudwatch:*:589761922677:metric-stream/*",
-                "arn:aws:cloudwatch:*:589761922677:insight-rule/*",
-                "arn:aws:cloudwatch::589761922677:dashboard/*"
-            ]
-        },
-        {
-            "Effect": "Allow",
-            "Action": "kinesis:*",
-            "Resource": [
-                "arn:aws:kms:*:589761922677:key/*",
-                "arn:aws:kinesis:*:589761922677:*/*/consumer/*:*",
-                "arn:aws:kinesis:*:589761922677:stream/*"
-            ]
-        },
         {
             "Effect": "Allow",
             "Action": "sts:AssumeRole",