Too much permissions with "iam::aws:policy/AmazonS3FullAccess" about jx3-terraform-eks HOT 3 OPEN

I will change that. Thanks for the detailed issue.

from jx3-terraform-eks.

So, all of those roles which have wide access, also have an option where you can use ur own role (https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/variables.tf#L478), and customize it as much as u want (it's what I also do at work).
So the tekton role will be used in the pipeline, and it's not possible for us to know ahead of time, what kind of things the end users will be doing with the jx pipelines (they may have tasks where they want to create a bucket, run some tests with it, and then delete it), I think that was the motivation behind some of these being wide open.
For security/production purposes, I would highly recommend managing the iam roles outside of this module by setting create_tekton_role to false (in case of tekton, similar for other roles). Does this help? Also this applies only for tekton, I have to look into the other roles.

EDIT: Having said that, this does not make sense to me: https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/modules/cluster/irsa.tf#L232, and I will open a PR to fix it.

from jx3-terraform-eks.

@ankitm123 I appreciate your opinion. By this, I would suggest permit choose the name of the policy of this S3 access if you create or use another (like vpc_id in variable.tf file or cluster_name, or other choosable options), and by default, if you don't write this, the process using iam::aws:policy/AmazonS3FullAccess

What do you think?

from jx3-terraform-eks.