From ef889244627c9c69ea7e5068c0843cb41eb24b89 Mon Sep 17 00:00:00 2001
From: Ohad Aharoni
Date: Fri, 24 Jan 2025 16:11:38 -0500
Subject: [PATCH] Add new policy creation for shared vpc

---
 pkg/aws/aws_client/role.go | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/pkg/aws/aws_client/role.go b/pkg/aws/aws_client/role.go
index d93ede6..fd05a5e 100644
--- a/pkg/aws/aws_client/role.go
+++ b/pkg/aws/aws_client/role.go
@@ -463,6 +463,33 @@ func (client *AWSClient) CreatePolicyForSharedVPC(policyName string) (string, er
 	return client.CreatePolicy(policyName, statement)
 }
 
+func (client *AWSClient) CreatePolicyForSharedVPCEndpoint(policyName string) (string, error) {
+	statement := map[string]interface{}{
+		"Sid": "Statement1",
+		"Effect": "Allow",
+		"Action": []string{
+			"ec2:CreateVpcEndpoint",
+			"ec2:DescribeVpcEndpoints",
+			"ec2:ModifyVpcEndpoint",
+			"ec2:DeleteVpcEndpoints",
+			"ec2:CreateTags",
+			"ec2:CreateSecurityGroup",
+			"ec2:AuthorizeSecurityGroupIngress",
+			"ec2:AuthorizeSecurityGroupEgress",
+			"ec2:DeleteSecurityGroup",
+			"ec2:RevokeSecurityGroupIngress",
+			"ec2:RevokeSecurityGroupEgress",
+			"ec2:DescribeSecurityGroups",
+			"ec2:DescribeVpcs",
+			"route53:ListHostedZones",
+			"route53:ChangeResourceRecordSets",
+			"route53:ListResourceRecordSets",
+		},
+		"Resource": "*",
+	}
+	return client.CreatePolicy(policyName, statement)
+}
+
 func (client *AWSClient) CreateRoleForAdditionalPrincipals(roleName string, installerRoleArn string) (types.Role, error) {
 	statement := map[string]interface{}{
 		"Sid": "Statement1",
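Review bot: The statement built in CreatePolicyForSharedVPCEndpoint grants mutating actions (ec2:AuthorizeSecurityGroup*, ec2:DeleteSecurityGroup, route53:ChangeResourceRecordSets) on `"Resource": "*"` with no Condition, so the created policy is not limited to the shared VPC's security groups or its private hosted zone but applies to every security group and hosted zone the attached principal can reach. This mirrors the existing CreatePolicyForSharedVPC above, but if the caller knows the hosted zone or VPC in advance it is worth accepting those identifiers and scoping Resource (a hosted-zone ARN) or adding an `aws:ResourceTag` condition; at minimum the blast radius should be documented. The exported method also lacks the doc comment Go expects; add `// CreatePolicyForSharedVPCEndpoint creates an IAM policy allowing the VPC endpoint, security group and Route 53 record actions used for a shared-VPC endpoint; Resource is "*", so the grant is account-wide.` above the signature. CreateRoleForAdditionalPrincipals at the tail of the hunk continues outside it.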