fix: Added Deny for CreateLogGroup action in EKS cluster role (#1594)

main.tf

@@ -195,3 +195,38 @@ resource "aws_iam_role_policy_attachment" "cluster_elb_sl_role_creation" {
   policy_arn = aws_iam_policy.cluster_elb_sl_role_creation[0].arn
   role       = local.cluster_iam_role_name
 }
+
+/*
+ Adding a policy to cluster IAM role that deny permissions to logs:CreateLogGroup
+ it is not needed since we create the log group ourselve in this module, and it is causing trouble during cleanup/deletion
+*/
+
+data "aws_iam_policy_document" "cluster_deny_log_group" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  statement {
+    effect = "Deny"
+    actions = [
+      "logs:CreateLogGroup"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "cluster_deny_log_group" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  name_prefix = "${var.cluster_name}-deny-log-group"
+  description = "Deny CreateLogGroup"
+  policy      = data.aws_iam_policy_document.cluster_deny_log_group[0].json
+  path        = var.iam_path
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_deny_log_group" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  policy_arn = aws_iam_policy.cluster_deny_log_group[0].arn
+  role       = local.cluster_iam_role_name
+}