From 46b9369a6eeca4202f8afa249c83fc484462132c Mon Sep 17 00:00:00 2001
From: Jonathan Innis
Date: Tue, 17 Oct 2023 00:08:39 -0700
Subject: [PATCH] Add eks:UpdateClusterConfig permission
---
 .github/actions/e2e/create-cluster/action.yaml | 13 ++++---------
 test/cloudformation/iam_cloudformation.yaml | 1 +
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/.github/actions/e2e/create-cluster/action.yaml b/.github/actions/e2e/create-cluster/action.yaml
index 0ddafc10c839..eb81c8abeb15 100644
--- a/.github/actions/e2e/create-cluster/action.yaml
+++ b/.github/actions/e2e/create-cluster/action.yaml
@@ -113,6 +113,10 @@ runs:
 - key: CriticalAddonsOnly
 value: "true"
 effect: NoSchedule
+ cloudWatch:
+ clusterLogging:
+ enableTypes: ["*"]
+ logRetentionInDays: 30
 iam:
 serviceRolePermissionsBoundary: "arn:aws:iam::${{ inputs.account_id }}:policy/GithubActionsPermissionsBoundary"
 serviceAccounts:
@@ -152,8 +156,6 @@ runs:
 # We need to call these update iamserviceaccount commands again since the "eksctl upgrade cluster" action
 # doesn't handle updates to IAM serviceaccounts correctly when the roles assigned to them change
 eksctl update iamserviceaccount -f clusterconfig.yaml --approve
-
-
 - name: tag oidc provider of the cluster
 if: always()
 shell: bash
@@ -162,13 +164,6 @@ runs:
 arn="arn:aws:iam::${{ inputs.account_id }}:oidc-provider/${oidc_id}"
 aws iam tag-open-id-connect-provider --open-id-connect-provider-arn $arn \
 --tags Key=testing/type,Value=e2e Key=github.com/run-url,Value=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
- - name: enable control-plane logging for the cluster
- shell: bash
- run: |
- aws eks update-cluster-config \
- --region ${{ inputs.region }} \
- --name ${{ inputs.cluster_name }} \
- --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
 - name: give KarpenterNodeRole permission to bootstrap
 shell: bash
 run: |
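Review bot: The added `logRetentionInDays: 30` in the first hunk makes eksctl set a CloudWatch Logs retention policy, so the role running this action presumably also needs `logs:PutRetentionPolicy`. This commit only grants `eks:UpdateClusterConfig`, so confirm the retention permission is already in the policy, and allowed by the permissions boundary. The removed step in the last hunk ran on every invocation, while the `cloudWatch` section may only be applied when the cluster is created. If this action is also used against an existing cluster (the comment in the second hunk mentions `eksctl upgrade cluster`), check that audit and authenticator logging still end up enabled there; `eksctl utils update-cluster-logging` covers that case. A comment such as `# "*" = api, audit, authenticator, controllerManager, scheduler` above `enableTypes` would keep the explicit list the old step documented.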
diff --git a/test/cloudformation/iam_cloudformation.yaml b/test/cloudformation/iam_cloudformation.yaml
index cb8a8c7a4c03..94fdaf110ec9 100644
--- a/test/cloudformation/iam_cloudformation.yaml
+++ b/test/cloudformation/iam_cloudformation.yaml
@@ -144,6 +144,7 @@ Resources:
 - eks:CreateCluster
 - eks:CreateAddon
 - eks:CreateNodegroup
+ - eks:UpdateClusterConfig
 - eks:DeleteCluster
 - eks:ListFargateProfiles
 - eks:TagResource
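Review bot: `eks:UpdateClusterConfig` is broader than the logging use it is added for, because the same action also permits turning control-plane logging off and changing the cluster's public/private API endpoint access. The statement's `Resource` and any `Condition` are outside this hunk, so check that the grant is scoped to the e2e test clusters (a cluster ARN pattern or a resource-tag condition) rather than `*`. A comment on the new line, for example `# required for eksctl to apply cloudWatch.clusterLogging`, would record why the permission is there so it can be removed if the logging setup changes.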