Merge pull request #39 from redpanda-data/paulz/fix-cross-region-pl-perm

paulzhang97 · web-flow · commit 12d153ff93ce · 2026-01-30T09:24:27.000-06:00
Bug fix: fix the issue that vpce:AllowMultiRegion can not be tied to specific resources
diff --git a/iam_redpanda_agent.tf b/iam_redpanda_agent.tf
@@ -979,8 +979,6 @@ data "aws_iam_policy_document" "redpanda_agent_private_link" {
       "ec2:RejectVpcEndpointConnections",
       "ec2:StartVpcEndpointServicePrivateDnsVerification",
       "ec2:DescribeVpcEndpointServicePermissions",
-      "ec2:VpceSupportedRegion",
-      "vpce:AllowMultiRegion",
     ]
     dynamic "condition" {
       for_each = var.condition_tags
@@ -999,6 +997,18 @@ data "aws_iam_policy_document" "redpanda_agent_private_link" {
     ]
   }
 
+  statement {
+    effect = "Allow"
+    actions = [
+      "vpce:AllowMultiRegion",
+    ]
+    resources = [
+      # the ID of the VPC endpoint service is not known until after the cluster has been created and does not support
+      # user specification of the id or an id prefix
+      "arn:aws:ec2:${var.region}:${local.aws_account_id}:vpc-endpoint-service/*"
+    ]
+  }
+
   statement {
     effect = "Allow"
     actions = [
