Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent creating log group by the iam role #132

Merged
merged 2 commits into from
Nov 6, 2021
Merged

Prevent creating log group by the iam role #132

merged 2 commits into from
Nov 6, 2021

Conversation

nitrocode
Copy link
Member

@nitrocode nitrocode commented Nov 4, 2021
edited
Loading

what

  • Prevent creating log group by the iam role

why

See: hashicorp/terraform#14750, terraform-aws-modules/terraform-aws-eks#920

This is happening because EKS Cluster gets destroyed after Terraform delete the Cloudwatch Log Group. The AmazonEKSServicePolicy IAM policy (that is assigned to EKS Cluster role by default within this module) has permissions to CreateLogGroup and anything else needed to continue to logging correctly. When the Terraform destroys the Cloudwatch Log Group, the EKS Cluster that is running create it again. Then, when you run Terraform Apply again, the Cloudwatch Log Group doesn't exist in your state anymore (because the Terraform actually destroyed it) and the Terraform doesn't know this resource created outside him. terraform-aws-modules/terraform-aws-eks/issues/920

references

@nitrocode nitrocode requested review from a team as code owners November 4, 2021 23:57
@nitrocode
Copy link
Member Author

/test all

@nitrocode nitrocode added the patch A minor, backward compatible change label Nov 5, 2021
Gowiem
Gowiem approved these changes Nov 5, 2021
View reviewed changes
Copy link
Member

@Gowiem Gowiem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Funky bug, but looks like a good fix 👍

@nitrocode nitrocode merged commit 5439d06 into master Nov 6, 2021
@nitrocode nitrocode deleted the cluster-deny-log-group branch November 6, 2021 00:05
@z0rc z0rc mentioned this pull request Nov 22, 2021
Closed
@Nuru
Copy link
Sponsor Contributor

Nuru commented Nov 30, 2021

@nitrocode @Gowiem For future reference, as shown in #135, it does not work to have multiple aws_iam_role_policy resources attached to a single role. If we need multiple policies, then we combine policies into one aws_iam_role_policy by using an aws_iam_policy_document data source, or create multiple aws_iam_policy resources and attach them via aws_iam_role_policy_attachment resources. The latter is more flexible and generally better, because it allows other Terraform (or other actors) to attach additional policies that this Terraform will not manage/remove, but there is a limit of 10 attachments per role (can be raised to 20), which we can run into if we are not careful.

@nitrocode nitrocode mentioned this pull request Dec 1, 2021
Closed
@Nuru Nuru mentioned this pull request Dec 6, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gowiem Gowiem Gowiem approved these changes

@jhosteny jhosteny Awaiting requested review from jhosteny jhosteny was automatically assigned from cloudposse/contributors

@joe-niland joe-niland Awaiting requested review from joe-niland joe-niland was automatically assigned from cloudposse/contributors

Assignees
No one assigned
Labels
patch A minor, backward compatible change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Creating CloudWatch Log Group failed: ResourceAlreadyExistsException:
4 participants
@nitrocode @Nuru @Gowiem @cloudpossebot