Fix StringLike condition key for ebsCSIController IAM policy

The IAM condition key StringLike was used incorrectly in the policy and it doesn't work with wildcard (*) in the key itself. Wildcard is only supported in the value of the key. This fixes issue in cases where a volume dynamically provisioned via the older in-tree CSI plugin is being deleted by the new EBS CSI driver, because such volumes don't have the tags used in the policy.

The changes made are inspired from the AWS managed AmazonEBSCSIDriverPolicy.

pkg/cfn/builder/iam_test.go

@@ -545,18 +545,6 @@ const expectedEbsPolicyDocument = `{
 	  "Effect": "Allow",
 	  "Resource": "*"
 	},
-	{
-	  "Action": [
-		"ec2:CreateVolume"
-	  ],
-	  "Condition": {
-		"StringLike": {
-		  "aws:RequestTag/kubernetes.io/cluster/*": "owned"
-		}
-	  },
-	  "Effect": "Allow",
-	  "Resource": "*"
-	},
 	{
 	  "Action": [
 		"ec2:DeleteVolume"
@@ -587,7 +575,7 @@ const expectedEbsPolicyDocument = `{
 	  ],
 	  "Condition": {
 		"StringLike": {
-		  "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
+		  "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
 		}
 	  },
 	  "Effect": "Allow",

pkg/cfn/builder/statement.go

@@ -457,18 +457,6 @@ func ebsStatements() []cft.MapOfInterfaces {
 				},
 			},
 		},
-		{
-			"Effect": "Allow",
-			"Action": []string{
-				"ec2:CreateVolume",
-			},
-			"Resource": "*",
-			"Condition": cft.MapOfInterfaces{
-				"StringLike": cft.MapOfInterfaces{
-					"aws:RequestTag/kubernetes.io/cluster/*": "owned",
-				},
-			},
-		},
 		{
 			"Effect": "Allow",
 			"Action": []string{
@@ -502,7 +490,7 @@ func ebsStatements() []cft.MapOfInterfaces {
 			"Resource": "*",
 			"Condition": cft.MapOfInterfaces{
 				"StringLike": cft.MapOfInterfaces{
-					"ec2:ResourceTag/kubernetes.io/cluster/*": "owned",
+					"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*",
 				},
 			},
 		},