feat: Add additional IAM policy to allow cluster role to use KMS key provided for cluster encryption (#1915)

examples/eks_managed_node_group/main.tf

@@ -31,6 +31,14 @@ module "eks" {
   # IPV6
   cluster_ip_family = "ipv6"
 
+  # We are using the IRSA created below for permissions
+  # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster)
+  # and then turn this off after the cluster/node group is created. Without this initial policy,
+  # the VPC CNI fails to assign IPs and nodes cannot join the cluster
+  # See https://github.com/aws/containers-roadmap/issues/1666 for more context
+  # TODO - remove this policy once AWS releases a managed version similar to AmazonEKS_CNI_Policy (IPv4)
+  create_cni_ipv6_iam_policy = true
+
   cluster_addons = {
     coredns = {
       resolve_conflicts = "OVERWRITE"