feat: Add back in CloudWatch log group create deny policy to cluster IAM role (#1974)

2026-01-17 00:57:28 +01:00 · 2022-03-30 08:34:44 -04:00
parent 1c7e3164b0
commit 98e137fad9
1 changed files with 23 additions and 0 deletions
--- a/main.tf
+++ b/main.tf
@@ -219,6 +219,29 @@ resource "aws_iam_role" "this" {
  permissions_boundary  = var.iam_role_permissions_boundary
  force_detach_policies = true

+  # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/920
+  # Resources running on the cluster are still generaring logs when destroying the module resources
+  # which results in the log group being re-created even after Terraform destroys it. Removing the
+  # ability for the cluster role to create the log group prevents this log group from being re-created
+  # outside of Terraform due to services still generating logs during destroy process
+  dynamic "inline_policy" {
+    for_each = var.create_cloudwatch_log_group ? [1] : []
+    content {
+      name = local.iam_role_name
+
+      policy = jsonencode({
+        Version = "2012-10-17"
+        Statement = [
+          {
+            Action   = ["logs:CreateLogGroup"]
+            Effect   = "Deny"
+            Resource = aws_cloudwatch_log_group.this[0].arn
+          },
+        ]
+      })
+    }
+  }
+
  tags = merge(var.tags, var.iam_role_tags)
 }