terraform-aws-iam
terraform-aws-iam copied to clipboard
terraform-aws-modules
`aws_iam_policy_document.cluster_autoscaler` is missing `autoscaling:SetDesiredCapacity`
Description
The cluster autoscaler gets "permission denied" when trying to call SetDesiredCapacity for the ASGs
- [x] β I have searched the open/closed issues and my issue is not listed.
β οΈ Note
Before you submit an issue, please perform the following first:
- Remove the local
.terraformdirectory (! ONLY if state is stored remotely, which hopefully you are following that best practice!):rm -rf .terraform/ - Re-initialize the project root to pull down modules:
terraform init - Re-attempt your terraform plan or apply and check if the issue still persists
Versions
-
Module version [Required]: 5.2.0
-
Terraform version: 1.2.5
-
Provider version(s): aws 4.25.0 kubernetes 2.12.1
Reproduction Code [Required]
module "cluster_autoscaler" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "~> 5.2.0"
# https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/submodules/iam-role-for-service-accounts-eks
role_name = "cluster-autoscaler-${var.cluster_id}"
attach_cluster_autoscaler_policy = true
oidc_providers = {
main = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system:cluster-autoscaler"]
}
}
}
Steps to reproduce the behavior:
Build a cluster using the EKS provider with EKS-managed node groups and the above role.
Expected behavior
The ASGs should be able to scale up and down
Actual behavior
ASGs end up permanently in the backoff state because of:
"eventSource": "autoscaling.amazonaws.com", "eventName": "SetDesiredCapacity", "userAgent": "aws-sdk-go/1.35.24 (go1.14.15; linux; amd64)", "errorCode": "AccessDenied",
Terminal Output Screenshot(s)
Additional context
Manually adding autoscaling:SetDesiredCapacity to the created policy instance restores proper ASG behavior.
