AWS Identity Matcher

AwsIdentityMatcher specifies matching workloads with AWS-specific identities.

For example, the following configuration will match any EC2 VM instance in account 123456789012, region ca-central-1 and zone ca-central-1b:

partitions:
- aws
accounts:
- '123456789012'
regions:
- ca-central-1
zones:
- ca-central-1b
ec2: {}

The matcher can also be used to to limit to VMs associated with a specific IAM role as shown below:

partitions:
- aws
accounts:
- '123456789012'
regions:
- ca-central-1
zones:
- ca-central-1b
ec2:
  iamRoleNames:
  - example-role

The following matcher will limit to ECS instances in the bookinfo cluster and with a specific IAM role:

partitions:
- aws
accounts:
- '123456789012'
regions:
- ca-central-1
zones:
- ca-central-1b
ecs:
  clusters:
  - prod-cluster
  iamRoleNames:
  - example-role

AwsIdentityMatcher

AwsIdentityMatcher specifies matching workloads with AWS-specific identities.

Field	Description	Validation Rule
partitions	List of string Match workloads in these `AWS Partitions`. E.g., `aws`, `aws-cn`, `aws-us-gov`, etc. Empty list means match any partition. See https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html	repeated = { items: `{string:{min_len:1}}` }
accounts	List of string REQUIRED Match workloads in these `AWS Accounts`. E.g., `123456789012`. Cannot be empty. See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html	repeated = { min_items: `1` items: `{string:{pattern:^[0-9]{12}$}}` }
regions	List of string Match workloads in these `AWS Regions`. E.g., `us-east-2`, `eu-west-3`, `cn-north-1`, etc. Empty list means match any region. See https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints	repeated = { items: `{string:{min_len:1}}` }
zones	List of string Match workloads in these `AWS Availability Zones`. E.g., `us-east-2a`, `eu-west-3b`, `ap-southeast-1c`, etc. Empty list means match any availability zone. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html	repeated = { items: `{string:{min_len:1}}` }
ec2	tetrateio.api.onboarding.authorization.aws.v1alpha1.Ec2InstanceMatcher ^{oneof kind} Match `AWS EC2` instances with these instance specific criteria. If present but empty, it matches any `EC2` instance matching the other fields.	–

Ec2InstanceMatcher

Ec2Instance specifies matching AWS EC2 instances.

Field Description Validation Rule

Field	Description	Validation Rule
iamRoleNames	List of string Match `AWS EC2` instances associated with these `AWS IAM Role` names. E.g., `example-role`. Empty list means match any `EC2` instance (no matter whether it has an `AWS IAM Role` associated with it or not). See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html	repeated = { items: `{string:{min_len:1}}` }

iamRoleNames

List of string
Match AWS EC2 instances associated with these AWS IAM Role names.

E.g., example-role.

Empty list means match any EC2 instance (no matter whether it has an AWS IAM Role associated with it or not).

See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

repeated = {
items: {string:{min_len:1}}
}

TSB

最近更新于 2023-09-19