
feat: Add back in CloudWatch log group create deny policy to cluster …
…IAM role (#1974)
bryantbiggs authored Mar 30, 2022
1 parent 1c7e316 commit 98e137f
Showing 1 changed file with 23 additions and 0 deletions.
23 changes: 23 additions & 0 deletions main.tf
Expand Up @@ -219,6 +219,29 @@ resource "aws_iam_role" "this" {
permissions_boundary = var.iam_role_permissions_boundary
force_detach_policies = true

# https://github.com/terraform-aws-modules/terraform-aws-eks/issues/920
# Resources running on the cluster are still generaring logs when destroying the module resources
# which results in the log group being re-created even after Terraform destroys it. Removing the
# ability for the cluster role to create the log group prevents this log group from being re-created
# outside of Terraform due to services still generating logs during destroy process
dynamic "inline_policy" {
for_each = var.create_cloudwatch_log_group ? [1] : []
content {
name = local.iam_role_name

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["logs:CreateLogGroup"]
Effect = "Deny"
Resource = aws_cloudwatch_log_group.this[0].arn
},
]
})
}
}

tags = merge(var.tags, var.iam_role_tags)
}
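Review bot: The Deny at `Resource = aws_cloudwatch_log_group.this[0].arn` only does its job if that string matches the resource ARN IAM evaluates for a `logs:CreateLogGroup` call; the log group `arn` attribute has, in some provider versions, carried a trailing `:*`, and a Deny whose resource does not match is silently ignored, so the destroy-time re-creation the comment describes would quietly return. I would add a comment next to that line, e.g. `# NOTE: confirm the log group ARN form (with/without trailing ":*") matches the CreateLogGroup resource ARN for the pinned provider version`, and ideally a test that asserts the policy is actually denied. Separately, declaring any `inline_policy` block on `aws_iam_role` makes the provider manage the role's inline policies exclusively (per the aws_iam_role docs), so when `var.create_cloudwatch_log_group` is true any inline policy a user attached to the cluster role out of band is removed on the next apply; if this is the resource's only `inline_policy` block, that side effect deserves a sentence in the variable description or in the comment above the block. The `aws_iam_role.this` resource starts above the hunk.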
