Skip to main content
Version: 1.6.x

AWS Identity Matcher

AwsIdentityMatcher specifies matching workloads with AWS-specific identities.

For example, the following configuration will match any EC2 VM instance in account 123456789012, region ca-central-1 and zone ca-central-1b:

partitions:
- aws
accounts:
- '123456789012'
regions:
- ca-central-1
zones:
- ca-central-1b
ec2: {}

The matcher can also be used to to limit to VMs associated with a specific IAM role as shown below:

partitions:
- aws
accounts:
- '123456789012'
regions:
- ca-central-1
zones:
- ca-central-1b
ec2:
  iamRoleNames:
  - example-role

The following matcher will limit to ECS instances in the bookinfo cluster and with a specific IAM role:

partitions:
- aws
accounts:
- '123456789012'
regions:
- ca-central-1
zones:
- ca-central-1b
ecs:
  clusters:
  - prod-cluster
  iamRoleNames:
  - example-role

AwsIdentityMatcher

AwsIdentityMatcher specifies matching workloads with AWS-specific identities.

FieldDescriptionValidation Rule

partitions

List of string
Match workloads in these AWS Partitions.

E.g., aws, aws-cn, aws-us-gov, etc.

Empty list means match any partition.

See https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

repeated = {
  items: {string:{min_len:1}}
}

accounts

List of string
REQUIRED
Match workloads in these AWS Accounts.

E.g., 123456789012.

Cannot be empty.

See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html

repeated = {
  min_items: 1
  items: {string:{pattern:^[0-9]{12}$}}
}

regions

List of string
Match workloads in these AWS Regions.

E.g., us-east-2, eu-west-3, cn-north-1, etc.

Empty list means match any region.

See https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints

repeated = {
  items: {string:{min_len:1}}
}

zones

List of string
Match workloads in these AWS Availability Zones.

E.g., us-east-2a, eu-west-3b, ap-southeast-1c, etc.

Empty list means match any availability zone.

See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

repeated = {
  items: {string:{min_len:1}}
}

ec2

tetrateio.api.onboarding.authorization.aws.v1alpha1.Ec2InstanceMatcher
Match AWS EC2 instances with these instance specific criteria.

If present but empty, it matches any EC2 instance matching the other fields.

Ec2InstanceMatcher

Ec2Instance specifies matching AWS EC2 instances.

FieldDescriptionValidation Rule

iamRoleNames

List of string
Match AWS EC2 instances associated with these AWS IAM Role names.

E.g., example-role.

Empty list means match any EC2 instance (no matter whether it has an AWS IAM Role associated with it or not).

See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

repeated = {
  items: {string:{min_len:1}}
}