Prevent creating log group by the iam role #132

Merged
merged 2 commits into from
Nov 6, 2021
Merged

nitrocode
Member

@nitrocode nitrocode commented Nov 4, 2021

what

  • Prevent creating log group by the iam role

why

See: hashicorp/terraform#14750, terraform-aws-modules/terraform-aws-eks#920

This is happening because the EKS Cluster gets destroyed after Terraform deletes the Cloudwatch Log Group. The AmazonEKSServicePolicy IAM policy (that is assigned to the EKS Cluster role by default within this module) has permissions to CreateLogGroup and anything else needed to continue logging correctly. When Terraform destroys the Cloudwatch Log Group, the EKS Cluster that is running creates it again. Then, when you run Terraform Apply again, the Cloudwatch Log Group doesn't exist in your state anymore (because Terraform actually destroyed it) and Terraform doesn't know about this resource created outside of it. terraform-aws-modules/terraform-aws-eks/issues/920

references

@nitrocode nitrocode requested review from a team as code owners November 4, 2021 23:57
@nitrocode
Member Author

/test all

@nitrocode nitrocode added the patch A minor, backward compatible change label Nov 5, 2021
Member

@Gowiem Gowiem left a comment

Funky bug, but looks like a good fix 👍

@nitrocode nitrocode merged commit 5439d06 into master Nov 6, 2021
@nitrocode nitrocode deleted the cluster-deny-log-group branch November 6, 2021 00:05
@Nuru
Contributor

Nuru commented Nov 30, 2021

@nitrocode @Gowiem For future reference, as shown in #135, it does not work to have multiple aws_iam_role_policy resources attached to a single role. If we need multiple policies, then we combine policies into one aws_iam_role_policy by using an aws_iam_policy_document data source, or create multiple aws_iam_policy resources and attach them via aws_iam_role_policy_attachment resources. The latter is more flexible and generally better, because it allows other Terraform (or other actors) to attach additional policies that this Terraform will not manage/remove, but there is a limit of 10 attachments per role (can be raised to 20), which we can run into if we are not careful.
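Putting the fix described in this PR and the attachment guidance above together, as an added example that is not the module's own code: a Deny on logs:CreateLogGroup for the cluster role, attached through aws_iam_policy and aws_iam_role_policy_attachment rather than a second aws_iam_role_policy. The names var.cluster_name and aws_iam_role.eks_cluster are assumptions, as is the 90-day retention.

```hcl
# Added example, not the module's code. Deny the EKS cluster role the ability to
# create log groups, so Terraform stays the only creator of the cluster log group
# and a destroy/apply cycle cannot hit ResourceAlreadyExistsException.
data "aws_iam_policy_document" "cluster_deny_log_group" {
  statement {
    sid       = "DenyCreateLogGroup"
    effect    = "Deny"
    actions   = ["logs:CreateLogGroup"]
    # An explicit Deny wins over the Allow in AmazonEKSServicePolicy, so "*" is
    # safe here; PutLogEvents and CreateLogStream remain allowed.
    resources = ["*"]
  }
}

# Managed policy plus attachment instead of a second inline aws_iam_role_policy,
# following the thread's guidance. Each attachment counts against the per-role
# limit noted above (10 by default, raisable to 20).
resource "aws_iam_policy" "cluster_deny_log_group" {
  name   = "${var.cluster_name}-deny-log-group" # assumed variable
  policy = data.aws_iam_policy_document.cluster_deny_log_group.json
}

resource "aws_iam_role_policy_attachment" "cluster_deny_log_group" {
  role       = aws_iam_role.eks_cluster.name # assumed role resource name
  policy_arn = aws_iam_policy.cluster_deny_log_group.arn
}

# The log group EKS control-plane logging writes to, owned by Terraform. The
# aws_eks_cluster resource should depend on this so the group exists before the
# control plane starts logging.
resource "aws_cloudwatch_log_group" "eks" {
  name              = "/aws/eks/${var.cluster_name}/cluster"
  retention_in_days = 90
}
```

After `terraform destroy` the role can no longer recreate the group, so the next `terraform apply` creates it cleanly from state.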

Labels
patch A minor, backward compatible change
Development

Successfully merging this pull request may close these issues.

Creating CloudWatch Log Group failed: ResourceAlreadyExistsException:
4 participants