From 4ff32883a13bad03256466044311c7f665eb6cd1 Mon Sep 17 00:00:00 2001
From: Jonathan Innis
Date: Tue, 17 Oct 2023 00:08:39 -0700
Subject: [PATCH] Add eks:UpdateClusterConfig permission
---
 .github/actions/e2e/create-cluster/action.yaml | 13 ++++---------
 test/cloudformation/iam_cloudformation.yaml | 13 +++++++------
 2 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml
index 0ddafc10c839..eb81c8abeb15 100644
--- a/.github/actions/e2e/create-cluster/action.yaml
+++ b/.github/actions/e2e/create-cluster/action.yaml
@@ -113,6 +113,10 @@ runs:
 - key: CriticalAddonsOnly
 value: "true"
 effect: NoSchedule
+ cloudWatch:
+ clusterLogging:
+ enableTypes: ["*"]
+ logRetentionInDays: 30
 iam:
 serviceRolePermissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
 serviceAccounts:
@@ -152,8 +156,6 @@ runs:
 # We need to call these update iamserviceaccount commands again since the "eksctl upgrade cluster" action
 # doesn't handle updates to IAM serviceaccounts correctly when the roles assigned to them change
 eksctl update iamserviceaccount -f clusterconfig.yaml --approve
-
-
 - name: tag oidc provider of the cluster
 if: always()
 shell: bash
@@ -162,13 +164,6 @@ runs:
 arn="arn:aws:iam::${{ inputs.account_id }}:oidc-provider/${oidc_id}"
 aws iam tag-open-id-connect-provider --open-id-connect-provider-arn $arn \
 --tags Key=testing/type,Value=e2e Key=github.com/run-url,Value=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
- - name: enable control-plane logging for the cluster
- shell: bash
- run: |
- aws eks update-cluster-config \
- --region ${{ inputs.region }} \
- --name ${{ inputs.cluster_name }} \
- --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
 - name: give KarpenterNodeRole permission to bootstrap
 shell: bash
 run: |
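Review bot: The new `cloudWatch.clusterLogging` block is only applied where eksctl creates the cluster from this config, whereas the `aws eks update-cluster-config` step deleted in the hunk at -162 ran on every invocation of the action; if an existing cluster is reused through the `eksctl upgrade cluster` path that the comment in the hunk at -152 refers to, control-plane logging is no longer (re-)enabled on that path, because eksctl applies logging changes to an existing cluster via `eksctl utils update-cluster-logging`, not via `upgrade cluster`. Worth either confirming that the create path is the only one that matters, or adding `eksctl utils update-cluster-logging --config-file clusterconfig.yaml --approve` next to the `eksctl update iamserviceaccount` call so audit/authenticator logs are guaranteed on both paths. Note also that `enableTypes: ["*"]` enables every control-plane log type, while the removed step listed five explicitly; that is the same set today but will silently widen if EKS adds types. The ClusterConfig document this block sits in starts outside the hunk.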
diff --git a/test/cloudformation/iam_cloudformation.yaml b/test/cloudformation/iam_cloudformation.yaml
index cb8a8c7a4c03..ac71c57b4056 100644
--- a/test/cloudformation/iam_cloudformation.yaml
+++ b/test/cloudformation/iam_cloudformation.yaml
@@ -144,12 +144,12 @@ Resources:
 - eks:CreateCluster
 - eks:CreateAddon
 - eks:CreateNodegroup
+ - eks:UpdateClusterConfig
 - eks:DeleteCluster
 - eks:ListFargateProfiles
 - eks:TagResource
 - eks:DescribeCluster
- Resource:
- - !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*"
+ Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:cluster/*"
 Condition:
 StringEquals:
 aws:RequestedRegion:
@@ -169,16 +169,17 @@ Resources:
 - eks:DeleteNodegroup
 - eks:DescribeNodegroup
 - eks:TagResource
- Resource:
- - !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:nodegroup/*"
+ Resource: !Sub "arn:${AWS::Partition}:eks:*:${AWS::AccountId}:nodegroup/*"
 Condition:
 StringEquals:
 aws:RequestedRegion:
 Ref: Regions
+ - Effect: Allow
+ Action: logs:PutRetentionPolicy
+ Resource: !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/eks/*"
 - Effect: Allow
 Action: fis:CreateExperimentTemplate
- Resource:
- - !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:action/*"
+ Resource: !Sub "arn:${AWS::Partition}:fis:*:${AWS::AccountId}:action/*"
 Condition:
 StringEquals:
 aws:RequestedRegion:
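Review bot: `eks:UpdateClusterConfig` is added to the cluster-scoped statement without a comment saying which caller needs it, and it is the broadest write action in that list (endpoint access, VPC config and logging all change through it), so a later reader cannot tell whether it is still required once the explicit `aws eks update-cluster-config` step is removed in the action.yaml hunk at -162 in this same commit. Presumably eksctl now issues that call itself to apply `cloudWatch.clusterLogging` after the cluster stack is created — worth confirming and recording above the entry, e.g. `# used by eksctl to apply cloudWatch.clusterLogging after create (and by utils update-cluster-logging)`. The `Resource` list-to-scalar change is equivalent for IAM evaluation and needs no further comment.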
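Review bot: The new `logs:PutRetentionPolicy` statement hard-codes the `arn:aws:` partition and omits the `aws:RequestedRegion` condition, unlike every neighbouring statement in this hunk, which uses `${AWS::Partition}` and restricts to `Ref: Regions`. In a non-commercial partition the hard-coded ARN would not match and the retention call that `logRetentionInDays` in the ClusterConfig presumably triggers would be denied, while the missing condition lets the role set retention on `/aws/eks/*` log groups in any region. Suggest aligning it with the sibling statements as below.
```yaml
            - Effect: Allow
              Action: logs:PutRetentionPolicy
              Resource: !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:/aws/eks/*"
              Condition:
                StringEquals:
                  aws:RequestedRegion:
                    Ref: Regions
```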