Note: This release introduced a bug in setting the IAM policy for the service role. Update to 0.44.0 or roll back to 0.43.2.
🚀 Enhancements
Prevent creating log group by the iam role @nitrocode (#132)
what
- Prevent creating log group by the iam role
why
See: hashicorp/terraform#14750, terraform-aws-modules/terraform-aws-eks#920
This is happening because EKS Cluster gets destroyed after Terraform delete the Cloudwatch Log Group. The AmazonEKSServicePolicy IAM policy (that is assigned to EKS Cluster role by default within this module) has permissions to CreateLogGroup and anything else needed to continue to logging correctly. When the Terraform destroys the Cloudwatch Log Group, the EKS Cluster that is running create it again. Then, when you run Terraform Apply again, the Cloudwatch Log Group doesn't exist in your state anymore (because the Terraform actually destroyed it) and the Terraform doesn't know this resource created outside him. terraform-aws-modules/terraform-aws-eks/issues/920
references
- Closes #67
- Original fix terraform-aws-modules/terraform-aws-eks#1594 thanks to @haarchri and thanks to @Nuru for pointing out the fix