terraform: fix aws worker node permission (#1683)

2024-10-01 01:36:09 -04:00 · 2023-04-27 11:52:32 +02:00 · 2023-04-27 11:52:32 +02:00 · 074844d0cb
commit 074844d0cb
parent 1bdf410b52
1 changed files with 31 additions and 1 deletions
--- a/cli/internal/terraform/terraform/iam/aws/main.tf
+++ b/cli/internal/terraform/terraform/iam/aws/main.tf
@ -130,7 +130,7 @@ resource "aws_iam_role_policy_attachment" "attach_control_plane_policy" {

 resource "aws_iam_instance_profile" "worker_node_instance_profile" {
  name = "${var.name_prefix}_worker_node_instance_profile"
-  role = aws_iam_role.control_plane_role.name
+  role = aws_iam_role.worker_node_role.name
 }

 resource "aws_iam_role" "worker_node_role" {
@ -190,3 +190,33 @@ resource "aws_iam_role_policy_attachment" "attach_worker_node_policy" {
  role       = aws_iam_role.worker_node_role.name
  policy_arn = aws_iam_policy.worker_node_policy.arn
 }
+
+
+// Add all permissions here, which are needed by the bootstrapper
+resource "aws_iam_policy" "constellation_bootstrapper_policy" {
+  name   = "${var.name_prefix}_constellation_bootstrapper_policy"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "elasticloadbalancing:DescribeLoadBalancers"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "attach_bootstrapper_policy_worker" {
+  role       = aws_iam_role.worker_node_role.name
+  policy_arn = aws_iam_policy.constellation_bootstrapper_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "attach_bootstrapper_policy_control_plane" {
+  role       = aws_iam_role.control_plane_role.name
+  policy_arn = aws_iam_policy.constellation_bootstrapper_policy.arn
+}