align IAM policies with latest changes for AWS CCM and autoscaler

Author: adamacosta

data.tf

@@ -80,7 +80,7 @@ data "aws_iam_policy_document" "aws_required" {
   }
 }
 
-# Required IAM Policy for AWS CCM
+# Required IAM policy for AWS CCM (https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies)
 data "aws_iam_policy_document" "aws_ccm" {
   count = var.iam_instance_profile == "" && var.enable_ccm ? 1 : 0
 
@@ -91,13 +91,13 @@ data "aws_iam_policy_document" "aws_ccm" {
       "autoscaling:DescribeAutoScalingGroups",
       "autoscaling:DescribeLaunchConfigurations",
       "autoscaling:DescribeTags",
-      "autoscaling:DescribeAutoScalingInstances",
       "ec2:DescribeInstances",
       "ec2:DescribeRegions",
       "ec2:DescribeRouteTables",
       "ec2:DescribeSecurityGroups",
       "ec2:DescribeSubnets",
       "ec2:DescribeVolumes",
+      "ec2:DescribeAvailabilityZones",
       "ec2:CreateSecurityGroup",
       "ec2:CreateTags",
       "ec2:CreateVolume",
@@ -112,6 +112,7 @@ data "aws_iam_policy_document" "aws_ccm" {
       "ec2:DetachVolume",
       "ec2:RevokeSecurityGroupIngress",
       "ec2:DescribeVpcs",
+      "ec2:DescribeInstanceTopology",
       "elasticloadbalancing:AddTags",
       "elasticloadbalancing:AttachLoadBalancerToSubnets",
       "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
@@ -148,6 +149,8 @@ data "aws_iam_policy_document" "aws_ccm" {
   }
 }
 
+# Required IAM policy for AWS Cluster Autoscaler
+# (https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended)
 data "aws_iam_policy_document" "aws_autoscaler" {
   count = var.enable_autoscaler ? 1 : 0
 
@@ -157,9 +160,11 @@ data "aws_iam_policy_document" "aws_autoscaler" {
       "autoscaling:DescribeAutoScalingInstances",
       "autoscaling:DescribeLaunchConfigurations",
       "autoscaling:DescribeScalingActivities",
-      "autoscaling:DescribeTags",
+      "ec2:DescribeImages",
       "ec2:DescribeInstanceTypes",
-      "ec2:DescribeLaunchTemplateVersions"
+      "ec2:DescribeLaunchTemplateVersions",
+      "ec2:GetInstanceTypesFromInstanceRequirements",
+      "eks:DescribeNodegroup"
     ]
     effect    = "Allow"
     resources = ["*"]
@@ -168,10 +173,7 @@ data "aws_iam_policy_document" "aws_autoscaler" {
   statement {
     actions = [
       "autoscaling:SetDesiredCapacity",
-      "autoscaling:TerminateInstanceInAutoScalingGroup",
-      "ec2:DescribeImages",
-      "ec2:GetInstanceTypesFromInstanceRequirements",
-      "eks:DescribeNodegroup"
+      "autoscaling:TerminateInstanceInAutoScalingGroup"
     ]
     effect    = "Allow"
     resources = ["*"]

examples/cloud-enabled/README.md

@@ -25,13 +25,14 @@ helm install aws-cloud-controller-manager aws-cloud-controller-manager/aws-cloud
 
 ## `cluster-autoscaler`
 
-Match region to your actual region, but it is `us-gov-west-1` in this example.
+Match region to your actual region, but it is `us-east-2` in this example. The cluster name also includes a UID suffix that will be created by Terraform at apply time, so change that to yours as well. The version here is coupled to the Kubernetes version. You can run `helm search repo -l autoscaler/cluster-autoscaler` to see all charts and the corresponding app version. Here, we grab the chart version that matches app version 1.33.0 because we are using `rke2` 1.33.
 
 ```sh
 helm repo add autoscaler https://kubernetes.github.io/autoscaler
 helm repo update
 helm install autoscaler autoscaler/cluster-autoscaler \
   --namespace kube-system \
-  --set autoDiscovery.clusterName=cloud-enabled-zjl \
-  --set awsRegion=us-gov-west-1
+  --version 9.51.0 \
+  --set autoDiscovery.clusterName=cloud-enabled-dyh \
+  --set awsRegion=us-east-2
 ```

modules/agent-nodepool/data.tf

@@ -1,4 +1,4 @@
-# Required IAM Policy for AWS CCM
+# Required IAM policy for AWS CCM (https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies)
 data "aws_iam_policy_document" "aws_ccm" {
   count = var.iam_instance_profile == "" && var.enable_ccm ? 1 : 0
 
@@ -14,42 +14,38 @@ data "aws_iam_policy_document" "aws_ccm" {
       "ecr:GetRepositoryPolicy",
       "ecr:DescribeRepositories",
       "ecr:ListImages",
-      "ecr:BatchGetImage",
-      "autoscaling:DescribeTags",
-      "autoscaling:DescribeAutoScalingGroups",
-      "autoscaling:DescribeLaunchConfigurations",
-      "autoscaling:DescribeTags",
+      "ecr:BatchGetImage"
     ]
   }
 }
 
-# Required IAM Policy for AWS Cluster Autoscaler
+# Required IAM policy for AWS Cluster Autoscaler
+# (https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended)
 data "aws_iam_policy_document" "aws_autoscaler" {
-  count = var.iam_instance_profile == "" && var.enable_autoscaler ? 1 : 0
+  count = var.enable_autoscaler ? 1 : 0
 
   statement {
-    effect    = "Allow"
-    resources = ["*"]
     actions = [
       "autoscaling:DescribeAutoScalingGroups",
       "autoscaling:DescribeAutoScalingInstances",
       "autoscaling:DescribeLaunchConfigurations",
       "autoscaling:DescribeScalingActivities",
-      "autoscaling:DescribeTags",
+      "ec2:DescribeImages",
       "ec2:DescribeInstanceTypes",
-      "ec2:DescribeLaunchTemplateVersions"
+      "ec2:DescribeLaunchTemplateVersions",
+      "ec2:GetInstanceTypesFromInstanceRequirements",
+      "eks:DescribeNodegroup"
     ]
+    effect    = "Allow"
+    resources = ["*"]
   }
 
   statement {
-    effect    = "Allow"
-    resources = ["*"]
     actions = [
       "autoscaling:SetDesiredCapacity",
-      "autoscaling:TerminateInstanceInAutoScalingGroup",
-      "ec2:DescribeImages",
-      "ec2:GetInstanceTypesFromInstanceRequirements",
-      "eks:DescribeNodegroup"
+      "autoscaling:TerminateInstanceInAutoScalingGroup"
     ]
+    effect    = "Allow"
+    resources = ["*"]
   }
 }