From d150826b1c15e1692b371cb038ffb1e147f71981 Mon Sep 17 00:00:00 2001
From: Shiv Lakshminarayan
Date: Fri, 10 Apr 2020 10:32:07 -0700
Subject: [PATCH] fix(eks): missing permissions to add and remove tags when creating EKS cluster resource
Added missing permissions for `eks:TagResource` and `eks:UntagResource`. Updated unit and integ test expectations to include the added permissions.
Closes #7163
---
 packages/@aws-cdk/aws-eks/lib/cluster-resource.ts | 11 ++++++++++-
 .../aws-eks/test/integ.eks-cluster.expected.json | 4 +++-
 packages/@aws-cdk/aws-eks/test/test.cluster.ts | 8 ++++++--
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
index 080044b0b36ea..b8c364f8759ed 100644
--- a/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
+++ b/packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
@@ -78,7 +78,16 @@ export class ClusterResource extends Construct {
 }));
 this.creationRole.addToPolicy(new iam.PolicyStatement({
- actions: [ 'eks:CreateCluster', 'eks:DescribeCluster', 'eks:DeleteCluster', 'eks:UpdateClusterVersion', 'eks:UpdateClusterConfig', 'eks:CreateFargateProfile' ],
+ actions: [
+ 'eks:CreateCluster',
+ 'eks:DescribeCluster',
+ 'eks:DeleteCluster',
+ 'eks:UpdateClusterVersion',
+ 'eks:UpdateClusterConfig',
+ 'eks:CreateFargateProfile',
+ 'eks:TagResource',
+ 'eks:UntagResource'
+ ],
 resources: resourceArns
 }));
diff --git a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
index b880d3f94c350..d18ed1c8c32d1 100644
--- a/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
+++ b/packages/@aws-cdk/aws-eks/test/integ.eks-cluster.expected.json
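Review bot: The two tag actions added to the `actions` list in cluster-resource.ts inherit `resources: resourceArns`, and the second test.cluster.ts hunk expects `Resource: [ '*' ]` for what appears to be this same statement, so in that configuration the creation role could tag and untag any EKS resource in the account rather than only the cluster it manages. Where tags feed authorization (ABAC), ownership or cost controls, changing tags is a privileged operation, so consider moving the tag actions into their own `iam.PolicyStatement` with a `conditions` entry such as `aws:TagKeys` or `aws:RequestTag/...`, after confirming EKS honours those keys for these actions. At minimum, add a comment above the list, for example `// TagResource/UntagResource: needed to apply and remove cluster tags; scope follows resourceArns, which may be '*'`. The enclosing block starts and ends outside the hunk, so how `resourceArns` is computed is not visible here.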
@@ -784,7 +784,9 @@
 "eks:DeleteCluster",
 "eks:UpdateClusterVersion",
 "eks:UpdateClusterConfig",
- "eks:CreateFargateProfile"
+ "eks:CreateFargateProfile",
+ "eks:TagResource",
+ "eks:UntagResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/packages/@aws-cdk/aws-eks/test/test.cluster.ts b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
index 4677bdc5733f8..c76bd3b47a601 100644
--- a/packages/@aws-cdk/aws-eks/test/test.cluster.ts
+++ b/packages/@aws-cdk/aws-eks/test/test.cluster.ts
@@ -718,7 +718,9 @@ export = {
 'eks:DeleteCluster',
 'eks:UpdateClusterVersion',
 'eks:UpdateClusterConfig',
- 'eks:CreateFargateProfile'
+ 'eks:CreateFargateProfile',
+ 'eks:TagResource',
+ 'eks:UntagResource'
 ],
 Effect: 'Allow',
 Resource: [ {
@@ -826,7 +828,9 @@ export = {
 'eks:DeleteCluster',
 'eks:UpdateClusterVersion',
 'eks:UpdateClusterConfig',
- 'eks:CreateFargateProfile'
+ 'eks:CreateFargateProfile',
+ 'eks:TagResource',
+ 'eks:UntagResource'
 ],
 Effect: 'Allow',
 Resource: [ '*' ]