fix(eks): missing permissions to add and remove tags when creating EK…

…S cluster resource Added missing permissions for `eks:TagResource` and `eks:UntagResource`. Updated unit and integ test expectations to include the added permissions. Closes #7163
aws · Apr 10, 2020 · d150826 · d150826
1 parent ed851d8
commit d150826
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
@@ -78,7 +78,16 @@ export class ClusterResource extends Construct {
     }));
 
     this.creationRole.addToPolicy(new iam.PolicyStatement({
-      actions: [ 'eks:CreateCluster', 'eks:DescribeCluster', 'eks:DeleteCluster', 'eks:UpdateClusterVersion', 'eks:UpdateClusterConfig', 'eks:CreateFargateProfile' ],
+      actions: [
+        'eks:CreateCluster',
+        'eks:DescribeCluster',
+        'eks:DeleteCluster',
+        'eks:UpdateClusterVersion',
+        'eks:UpdateClusterConfig',
+        'eks:CreateFargateProfile',
+        'eks:TagResource',
+        'eks:UntagResource'
+      ],
       resources: resourceArns
     }));
 

diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
@@ -784,7 +784,9 @@
                 "eks:DeleteCluster",
                 "eks:UpdateClusterVersion",
                 "eks:UpdateClusterConfig",
-                "eks:CreateFargateProfile"
+                "eks:CreateFargateProfile",
+                "eks:TagResource",
+                "eks:UntagResource"
               ],
               "Effect": "Allow",
               "Resource": [

diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
@@ -718,7 +718,9 @@ export = {
                 'eks:DeleteCluster',
                 'eks:UpdateClusterVersion',
                 'eks:UpdateClusterConfig',
-                'eks:CreateFargateProfile'
+                'eks:CreateFargateProfile',
+                'eks:TagResource',
+                'eks:UntagResource'
               ],
               Effect: 'Allow',
               Resource: [ {
@@ -826,7 +828,9 @@ export = {
                 'eks:DeleteCluster',
                 'eks:UpdateClusterVersion',
                 'eks:UpdateClusterConfig',
-                'eks:CreateFargateProfile'
+                'eks:CreateFargateProfile',
+                'eks:TagResource',
+                'eks:UntagResource'
               ],
               Effect: 'Allow',
               Resource: [ '*' ]