From 3ecbf53cb129a04d678cbb044134dba74dea70f7 Mon Sep 17 00:00:00 2001
From: architlatkar
Date: Wed, 10 Jul 2024 01:51:52 +0530
Subject: [PATCH 1/2] add permissions to cloudformation to carryout create, modify, delete and describe DB Parameter Group
---
 .../docs/restricted-policy-doc-2.json5 | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/aws-iam-policies/docs/restricted-policy-doc-2.json5 b/aws-iam-policies/docs/restricted-policy-doc-2.json5
index dc7a323..f5364d3 100644
--- a/aws-iam-policies/docs/restricted-policy-doc-2.json5
+++ b/aws-iam-policies/docs/restricted-policy-doc-2.json5
@@ -55,8 +55,10 @@
 // Delete Placement Groups created by cf
 "elasticfilesystem:DescribeMountTargets",
 // Called by CF while creating EFS
- "elasticfilesystem:DescribeFileSystems"
+ "elasticfilesystem:DescribeFileSystems",
 // Called by CF while creating EFS
+ "rds:DescribeEngineDefaultParameters"
+ // Describes default parameters of RDS. Required for Cloudformation operations
 ],
 "Resource": "*",
 "Condition": {
@@ -123,7 +125,8 @@
 "Sid": "CFDatabase",
 "Resource": [
 "arn:aws:rds:*:*:db:env-*-dwx-stack-rds",
- "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*"
+ "arn:aws:rds:*:*:subgrp:env-*-dwx-stack-dbsubnetgroup-*",
+ "arn:aws:rds:*:*:pg:env-*-dwx-stack-rds-parameter-group"
 ],
 "Effect": "Allow",
 "Action": [
@@ -134,8 +137,14 @@
 // The DBSubnetGroup created during activation
 "rds:DescribeDBSubnetGroups",
 // Describe DBSubnetGroup instance created by cf
- "rds:ListTagsForResource"
+ "rds:ListTagsForResource",
 // Lists tags on RDS DBsubnetgroup. Required for Cloudformation operations
+ "rds:CreateDBParameterGroup",
+ // Required by Cloudformation to create RDS Parameter Group
+ "rds:DeleteDBParameterGroup",
+ // Required by Cloudformation to delete RDS Parameter Group
+ "rds:ModifyDBParameterGroup"
+ // Required by Cloudformation to modify RDS Parameter Group
 ],
 "Condition": {
From 3140ac4a01f85ca1cae404242606a3f5e3bf54d7 Mon Sep 17 00:00:00 2001
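Review bot: The comment on the new `rds:DescribeEngineDefaultParameters` entry does not say why this one `rds:` action is placed in the `"Resource": "*"` statement instead of next to the other `rds:` actions in CFDatabase; the action is keyed by engine family rather than by a parameter-group ARN and, per the RDS service authorization reference (worth confirming), supports no resource types, so `*` is the only resource that can grant it. Suggest replacing the added comment with `// Describes engine default parameters; no resource-level permissions exist for this action, so it must sit in a Resource:"*" statement`. If the `Condition` that follows keys on `aws:ResourceTag`, confirm it does not implicitly deny this call, since there is no tagged resource for the key to resolve against; the Condition body is outside the hunk.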
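Review bot: The added ARN `arn:aws:rds:*:*:pg:env-*-dwx-stack-rds-parameter-group` has no trailing wildcard, unlike the neighbouring `subgrp:env-*-dwx-stack-dbsubnetgroup-*`, so it only matches if the template sets `DBParameterGroupName` explicitly; a CloudFormation-generated physical name (stack name, logical ID and a random suffix) would not match and the Create/Modify/Delete calls in the Action list would be denied. Either confirm the template names the group, or widen the entry to `"arn:aws:rds:*:*:pg:env-*-dwx-stack-rds-parameter-group*"` as the other entries do. If the name is deliberately fixed, note next to the ARN that an explicitly named group cannot be replaced in place by CloudFormation (a replacement needs a new name, as far as I recall), since that constrains future template changes.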
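Review bot: The commit title promises describe permission for the parameter group, but the hunk adds only `rds:CreateDBParameterGroup`, `rds:DeleteDBParameterGroup` and `rds:ModifyDBParameterGroup`; as far as I know the `AWS::RDS::DBParameterGroup` handler also reads the group back after creating or modifying it, so unless they are already granted outside the hunk, `"rds:DescribeDBParameterGroups",` and `"rds:DescribeDBParameters",` should be added to this list, scoped to the same `pg:` ARN. If the template tags the group, `rds:AddTagsToResource` and `rds:RemoveTagsFromResource` on the `pg` resource will be needed as well; confirm against the template. The `Condition` block on the last line is outside the hunk; if it restricts by resource tag, the new group must carry that tag at creation time or the subsequent Modify/Delete calls will be denied.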
From: architlatkar
Date: Wed, 10 Jul 2024 01:59:15 +0530
Subject: [PATCH 2/2] add ec2:DeleteTag to restricted policy
---
 aws-iam-policies/docs/restricted-policy-doc-1.json5 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/aws-iam-policies/docs/restricted-policy-doc-1.json5 b/aws-iam-policies/docs/restricted-policy-doc-1.json5
index 0c24210..8442b36 100644
--- a/aws-iam-policies/docs/restricted-policy-doc-1.json5
+++ b/aws-iam-policies/docs/restricted-policy-doc-1.json5
@@ -198,6 +198,8 @@
 "ec2:CreateTags",
 // Tag subnets and eks security group
 // See footnote 2
+ "ec2:DeleteTags",
+ // Delete tags from shared subnet, delete any other tags
 "ec2:CreateKeyPair",
 // Create ssh Public key pair, pass to ec2
 // instances. Not required if passed/set/
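Review bot: `ec2:DeleteTags` is a tag-manipulation action: if any statement in this policy, or a boundary or SCP around it, scopes access with `aws:ResourceTag`/`ec2:ResourceTag` conditions, a principal holding unrestricted DeleteTags can strip those tags and escape the scoping, so it should be granted no more broadly than the `ec2:CreateTags` entry above it. The comment `// Delete tags from shared subnet, delete any other tags` reads as an open-ended grant; narrow it to the actual need, e.g. `// Remove the tags CF placed on shared subnets and the eks security group; see footnote 2`, and bind the action with whatever `aws:TagKeys` / resource condition footnote 2 applies to CreateTags (the Resource and Condition of this statement are outside the hunk, so confirm there). The commit title says `ec2:DeleteTag`; the action is `ec2:DeleteTags`.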