Assume EKSAdmin role in manifests from templates

[ettiee]

@jnavarro86 and I are experiencing the following:

I created a cluster with this module yesterday.

Today @jnavarro86 ran a terraform plan on https://github.com/cookpad/global-aws and got some in-place changes from this module:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
-/+ destroy and then create replacement
Terraform will perform the following actions:
  # module.iam.aws_iam_policy.cookpad_global_1_research_data_writable will be created
  + resource "aws_iam_policy" "cookpad_global_1_research_data_writable" {
      + arn         = (known after apply)
      + description = "Access to read/write artifacts in/from research-data.cookpad-global-1 in cookpad-global-1 AWS cookpad account."
      + id          = (known after apply)
      + name        = "cookpad-global-1-research-data-writable"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:PutObjectAcl",
                          + "s3:PutObject",
                          + "s3:ListBucketVersions",
                          + "s3:ListBucket",
                          + "s3:GetObjectVersion",
                          + "s3:GetObjectAcl",
                          + "s3:GetObject",
                          + "s3:DeleteObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::research-data.cookpad-global-1/*",
                          + "arn:aws:s3:::research-data.cookpad-global-1",
                        ]
                      + Sid      = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
    }
  # module.iam.aws_iam_role_policy_attachment.attach_cookpad_global_1_research_data_writable_to_MLServicesDeployment will be created
  + resource "aws_iam_role_policy_attachment" "attach_cookpad_global_1_research_data_writable_to_MLServicesDeployment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "MLServicesDeploymentsstaging"
    }
  # module.testing-eks-cluster.module.aws_auth.null_resource.apply[0] must be replaced
-/+ resource "null_resource" "apply" {
      ~ id       = "2876031626230467720" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "manifest_sha1" = "fd0b2cd0d1b8c03172146eb2ae05d934101ea3c9" -> "cf2ffb9f14ddf3310b0a8d4c0e653ad2cf4d4cfc"
        }
    }
  # module.testing-eks-cluster.module.aws_node_termination_handler.null_resource.apply[0] must be replaced
-/+ resource "null_resource" "apply" {
      ~ id       = "6960512851880308979" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "manifest_sha1" = "f776501a0a073a3468954b3e49d0f3072f719d06" -> "8900a3db6e4471100784c62183483ae71c552ba5"
        }
    }
  # module.testing-eks-cluster.module.cluster_autoscaler.null_resource.apply[0] must be replaced
-/+ resource "null_resource" "apply" {
      ~ id       = "7127138984923775440" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "manifest_sha1" = "a9f328dacbea6796d3278ac7df0d3adf3f96eb65" -> "600acb30f72144b0e00155d12fac8023a48aaa89"
        }
    }
  # module.testing-eks-cluster.module.metrics_server.null_resource.apply[0] must be replaced
-/+ resource "null_resource" "apply" {
      ~ id       = "8957918169943094131" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "manifest_sha1" = "b557313e65407769f40427871758f980c7eaf0e9" -> "14cff8c248aec8a589090dffa2dab79c80dae9dc"
        }
    }
  # module.testing-eks-cluster.module.pod_nanny.null_resource.apply[0] must be replaced
-/+ resource "null_resource" "apply" {
      ~ id       = "2349652268422680257" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "manifest_sha1" = "a9d96d1424a177997c7849c78e192fd5b9b481be" -> "d4a0a0ac2380b275d8fbf529b743384053e6df4f"
        }
    }
  # module.testing-eks-cluster.module.prometheus_node_exporter.null_resource.apply[0] must be replaced
-/+ resource "null_resource" "apply" {
      ~ id       = "8495425553566447814" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "manifest_sha1" = "ece2ae801ea663851bc22a0af667937c680a5547" -> "e9c91943f6fb87a6ce824a9779b1163938aba250"
        }
    }
  # module.testing-eks-cluster.module.storage_classes.null_resource.apply[0] must be replaced
-/+ resource "null_resource" "apply" {
      ~ id       = "1737947817272327439" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "manifest_sha1" = "a5349d15d4301f5ab68d91e15175bc9726602cdd" -> "b12737dd4e9aac3c336e59b06146cbdcb1aff152"
        }
    }
Plan: 9 to add, 0 to change, 7 to destroy.

I believe updating the manifest templates to assume the EKSAdmin role will stop us seeing these diffs?

[errm]

I think these changes are just popping up because of changes I have made to to this module to fix these issues. There is another change in #64 so perhaps just wait for that to land!

[ettiee]

I think these changes are just popping up because of changes I have made to to this module to fix these issues. There is another change in #64 so perhaps just wait for that to land!

Great will do 👍