From d9d7ba8fd8a3a4c525ef3f245f5d6aa7df4a6e75 Mon Sep 17 00:00:00 2001
From: Thomas O'Neill
Date: Sun, 4 Oct 2020 14:08:02 -0400
Subject: [PATCH] feat: Add AmazonEKSVPCResourceController to cluster policy to be able to set AWS Security Groups for pod (#1011)
Co-authored-by: Thomas O'Neill
---
 cluster.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cluster.tf b/cluster.tf
index 0df121f2583..1693926247a 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -43,6 +43,7 @@ resource "aws_eks_cluster" "this" {
 aws_security_group_rule.cluster_https_worker_ingress,
 aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy,
 aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy,
+ aws_iam_role_policy_attachment.cluster_AmazonEKSVPCResourceControllerPolicy,
 aws_cloudwatch_log_group.this
 ]
 }
@@ -133,6 +134,12 @@ resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSServicePolicy" {
 role = local.cluster_iam_role_name
 }
+resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSVPCResourceControllerPolicy" {
+ count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+ policy_arn = "${local.policy_arn_prefix}/AmazonEKSVPCResourceController"
+ role = local.cluster_iam_role_name
+}
+
 /* Adding a policy to cluster IAM role that allow permissions required to create AWSServiceRoleForElasticLoadBalancing service-linked role by EKS during ELB provisioning
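Review bot: The new `cluster_AmazonEKSVPCResourceControllerPolicy` attachment in the second hunk is created whenever `var.manage_cluster_iam_resources && var.create_eks` is true, so every cluster role the module manages gains the AmazonEKSVPCResourceController permissions even where security groups for pods are never used. For least privilege, consider making it opt-in, e.g. `count = var.manage_cluster_iam_resources && var.create_eks && var.<new_opt_in_flag> ? 1 : 0`, where the flag is a new variable (placeholder name) that the module would have to declare. It is also worth confirming that this managed policy is published in every partition `local.policy_arn_prefix` can resolve to, since a missing policy would presumably fail the attachment at apply time. A short comment above the resource, such as `# Lets the EKS VPC resource controller manage ENIs for security groups for pods`, would record why the cluster role carries it.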