
STOR-2766: Allow aws ebs driver to copy volumes#675

Open
dfajmon wants to merge 1 commit into openshift:main from dfajmon:update-aws-manifest

Conversation

@dfajmon
Contributor

@dfajmon dfajmon commented Mar 11, 2026

Based on kubernetes-sigs/aws-ebs-csi-driver#2716
this is coming to OCP 4.22 in openshift/aws-ebs-csi-driver#301

Summary by CodeRabbit

  • New Features
    • Enabled EC2 volume copying capability in the AWS provider configuration.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 11, 2026
@openshift-ci-robot
Contributor

openshift-ci-robot commented Mar 11, 2026

@dfajmon: This pull request references STOR-2766 which is a valid jira issue.


In response to this:

Based on kubernetes-sigs/aws-ebs-csi-driver#2716
this is coming to OCP 4.22 in openshift/aws-ebs-csi-driver#301

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai bot commented Mar 11, 2026

Walkthrough

A single AWS permission ec2:CopyVolumes has been added to the Allow statement within the AWSProviderSpec's statementEntries in the CredentialsRequest manifest.

Changes

Cohort: AWS Credentials Configuration
File(s): manifests/03_credentials_request_aws.yaml
Summary: Added ec2:CopyVolumes permission to the first Allow statement in AWSProviderSpec statementEntries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: adding AWS EC2 permission for the EBS driver to copy volumes, which directly matches the single line modification in the manifest file.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Stable And Deterministic Test Names: ✅ Passed. PR modifies only manifests/03_credentials_request_aws.yaml to add ec2:CopyVolumes permission, with no Ginkgo test code modifications.
  • Test Structure And Quality: ✅ Passed. PR modifies only a manifest file for AWS permissions; no Ginkgo test code changes present.


@openshift-ci-robot
Contributor

openshift-ci-robot commented Mar 11, 2026

@dfajmon: This pull request references STOR-2766 which is a valid jira issue.


In response to this:

Based on kubernetes-sigs/aws-ebs-csi-driver#2716
this is coming to OCP 4.22 in openshift/aws-ebs-csi-driver#301

Summary by CodeRabbit

  • New Features
  • Enabled EC2 volume copying capability in the AWS provider configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
manifests/03_credentials_request_aws.yaml (1)

21-40: ⚠️ Potential issue | 🟠 Major

Scope ec2:CopyVolumes separately instead of inheriting resource: "*"

CopyVolumes authorization in AWS applies to both the source volume and the copied (destination) volume. The current statement grants it with resource: "*" and no conditions, allowing the controller to copy any EBS volume visible to it. The AWS-managed AmazonEBSCSIDriverPolicy follows a stricter approach: it scopes CopyVolumes to volume ARNs and enforces request-tag conditions requiring either aws:RequestTag/ebs.csi.aws.com/cluster=true or aws:RequestTag/CSIVolumeName to be set on the destination. This prevents unauthorized volume duplication. Please move ec2:CopyVolumes to its own statement with equivalent resource and tag-based condition constraints.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@manifests/03_credentials_request_aws.yaml` around lines 21 - 40, The IAM
statement currently grants ec2:CopyVolumes under the same statement with
resource: "*" — split out a new statement for the ec2:CopyVolumes action
(separate from the other EC2 actions) and scope it to the relevant volume ARNs
instead of "*", adding the request-tag condition keys used by
AmazonEBSCSIDriverPolicy (aws:RequestTag/ebs.csi.aws.com/cluster = "true" OR
aws:RequestTag/CSIVolumeName exists) so the destination copy requires the
appropriate tags; update the new statement to mirror AmazonEBSCSIDriverPolicy’s
resource and Condition entries for ec2:CopyVolumes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8ca4d1b5-47c6-4592-80d0-8501b4dbd7af

📥 Commits

Reviewing files that changed from the base of the PR and between 6739f8a and 6136fda.

📒 Files selected for processing (1)
  • manifests/03_credentials_request_aws.yaml
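The scoping point in the review above (CopyVolumes inheriting resource "*" with no conditions versus a separate, tag-gated statement) can be checked mechanically. The following is an added example, not code from this PR, the openshift repository, or AWS: it models the weak statement the review describes beside a hardened layout and audits both. The statement shape (effect/action/resource) follows the cloud-credential-operator AWSProviderSpec, but the `policyCondition` key, the `StringLike` operator, the volume ARN pattern and the abbreviated action lists are assumptions constructed for the example, not taken from the manifest.

```python
"""Audit CredentialsRequest AWS statementEntries for an over-broad
ec2:CopyVolumes grant and show the hardened shape the review asks for.

Added example; not code from the openshift repository or this PR. The
`policyCondition` key, `StringLike` operator and ARN pattern are assumptions.
"""
from typing import Any

# Actions whose blast radius is large enough to demand explicit scoping.
SENSITIVE_ACTIONS = {"ec2:CopyVolumes"}

# Constructed sample mirroring what the review describes: CopyVolumes appended
# to a statement that already grants resource "*" with no condition. The
# action list is abbreviated; the real manifest is not reproduced here.
WEAK_ENTRIES: list[dict[str, Any]] = [
    {
        "effect": "Allow",
        "action": ["ec2:AttachVolume", "ec2:CreateSnapshot", "ec2:CopyVolumes"],
        "resource": "*",
    },
]

# Hardened variant: CopyVolumes in its own statements, scoped to volume ARNs and
# gated on the request tags the review names. IAM ANDs the condition keys inside
# one statement, so "either tag is acceptable" needs two statements.
HARDENED_ENTRIES: list[dict[str, Any]] = [
    {
        "effect": "Allow",
        "action": ["ec2:AttachVolume", "ec2:CreateSnapshot"],
        "resource": "*",
    },
    {
        "effect": "Allow",
        "action": ["ec2:CopyVolumes"],
        "resource": "arn:aws:ec2:*:*:volume/*",  # assumed ARN pattern
        "policyCondition": {  # assumed key name for the condition block
            "StringLike": {"aws:RequestTag/ebs.csi.aws.com/cluster": "true"},
        },
    },
    {
        "effect": "Allow",
        "action": ["ec2:CopyVolumes"],
        "resource": "arn:aws:ec2:*:*:volume/*",
        "policyCondition": {
            "StringLike": {"aws:RequestTag/CSIVolumeName": "*"},  # tag must exist
        },
    },
]


def _matches(action: str, sensitive: set[str]) -> bool:
    """True if `action` names a sensitive action or is a wildcard covering one."""
    if action in sensitive or action == "*":
        return True
    if action.endswith("*"):
        prefix = action[:-1]
        return any(s.startswith(prefix) for s in sensitive)
    return False


def audit_entries(entries: list[dict[str, Any]], sensitive: set[str] = SENSITIVE_ACTIONS) -> list[dict[str, Any]]:
    """Return one finding per Allow statement that grants a sensitive action too
    broadly: resource "*", no condition, or bundled with unrelated actions."""
    findings = []
    for index, entry in enumerate(entries):
        if entry.get("effect") != "Allow":
            continue
        actions = entry.get("action", [])
        hits = [a for a in actions if _matches(a, sensitive)]
        if not hits:
            continue
        problems = []
        if entry.get("resource", "*") == "*":
            problems.append('resource is "*"')
        if not entry.get("policyCondition"):
            problems.append("no policyCondition")
        if len(hits) != len(actions):
            problems.append("bundled with unrelated actions")
        if problems:
            findings.append({"index": index, "actions": hits, "problems": problems})
    return findings


def grants(entries: list[dict[str, Any]], action: str) -> list[int]:
    """Indices of Allow statements that grant `action`, directly or via wildcard."""
    return [
        i for i, e in enumerate(entries)
        if e.get("effect") == "Allow" and any(_matches(a, {action}) for a in e.get("action", []))
    ]


if __name__ == "__main__":
    for name, entries in (("weak", WEAK_ENTRIES), ("hardened", HARDENED_ENTRIES)):
        print(f"{name}: ec2:CopyVolumes granted by statements {grants(entries, 'ec2:CopyVolumes')}")
        for finding in audit_entries(entries):
            print(f"  statement {finding['index']} {finding['actions']}: {', '.join(finding['problems'])}")
```

Running the script reports three problems for the weak layout and none for the hardened one, while `grants` confirms the hardened layout still authorizes the copy (through two statements) rather than silently dropping it. The same audit can be pointed at any manifest by loading its statementEntries and widening `SENSITIVE_ACTIONS`.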

@openshift-ci openshift-ci bot requested review from RomanBednar and rhrmo March 11, 2026 13:01
@openshift-ci
Contributor

openshift-ci bot commented Mar 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dfajmon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 11, 2026
@jsafrane
Contributor

/lgtm
/retest-required

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 11, 2026
@openshift-ci
Contributor

openshift-ci bot commented Mar 11, 2026

@dfajmon: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/hypershift-aws-e2e-external
Commit: 6136fda
Required: true
Rerun command: /test hypershift-aws-e2e-external



Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@stbenjam
Member

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 11, 2026

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.


8 participants