Add permissions policy to the EKS nodegroup IAM role for Nomad Autoscaler [ONPREM-129] #181
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
christian-stephen
force-pushed
the
ONPREM-129/nodegroup-policy
branch
11 times, most recently
from
7aac82d to
2855435
Compare
atulsingh0
approved these changes
Oct 4, 2023
christian-stephen
force-pushed
the
ONPREM-129/nodegroup-policy
branch
9 times, most recently
from
3953235 to
e3e5199
Compare
christian-stephen
force-pushed
the
ONPREM-129/nodegroup-policy
branch
from
e3e5199 to
cc8525f
Compare
|
|
||
| resource "aws_iam_role_policy" "nomad_nodegroup_iam_role_policy" { | ||
| count = var.create_nomad_nodegroup_iam_role_policy ? 1 : 0 |
There was a problem hiding this comment.
We need a flag for the count here since we cannot depend on a computed variable. Otherwise, we'll need to do a terraform apply in two steps, which isn't great.
There was a problem hiding this comment.
cc @atulsingh0
christian-stephen
force-pushed
the
ONPREM-129/nodegroup-policy
branch
from
cc8525f to
9d426b6
Compare
christian-stephen
added a commit
that referenced
this pull request
Nov 1, 2023
…#185) * Revert "Merge pull request #182 from CircleCI-Public/ONPREM-129/worker-policy" This reverts commit b6befb4, reversing changes made to 8fc0b83. * Revert "Merge pull request #181 from CircleCI-Public/ONPREM-129/nodegroup-policy" This reverts commit 8fc0b83, reversing changes made to 4388a74. * Unrevert README updates * Temporarily ignore failing `tfsec` hits to pass CI * Fix dead link
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
⚙️ Issue
Jira: https://circleci.atlassian.net/browse/ONPREM-129
AWS requires the Nomad Autoscaler daemon to have a certain set of permissions associated with its EKS nodegroup IAM role. This PR attaches a policy to that role with the required permissions.
✅ Fix
❓ Tests
I've done some testing of this against our internal server-infrastructure to ensure that the policy gets created and associated with the EKS node group IAM role as expected: https://github.com/circleci/server-infrastructure/pull/22