aws-ia / terraform-aws-eks-blueprints-addons

Terraform module which provisions addons on Amazon EKS clusters
https://aws-ia.github.io/terraform-aws-eks-blueprints-addons/main/
Apache License 2.0

Unable to create AWS Load Balancer Controller IAM policy #189

Closed caleb-devops closed 1 year ago

caleb-devops commented 1 year ago

Description

I am unable to create the aws_load_balancer_controller policy in AWS GovCloud due to the policy exceeding the PolicySize quota of 6144 bytes. This is likely caused by the policy already being close to the maximum size, and the aws-us-gov partition name pushing it over the limit.

Error: creating IAM Policy (alb-controller-20230619214405868900000001): LimitExceeded: Cannot exceed quota for PolicySize: 6144
│       status code: 409, request id: 4f59220c-e7e7-4eea-88a1-64a6a53a384c
│ 
│   with module.eks_blueprints_addons.module.aws_load_balancer_controller.aws_iam_policy.this[0],
│   on .terraform/modules/eks_blueprints_addons.aws_load_balancer_controller/main.tf line 237, in resource "aws_iam_policy" "this":
│  237: resource "aws_iam_policy" "this" {

Versions

Terraform v1.4.2
on linux_amd64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v5.1.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.2
+ provider registry.terraform.io/hashicorp/helm v2.10.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.21.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Reproduction Code [Required]

module "eks_blueprints_addons" {
  source = "aws-ia/eks-blueprints-addons/aws"

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  cluster_version   = module.eks.cluster_version
  oidc_provider_arn = module.eks.oidc_provider_arn

  eks_addons = {
    aws-ebs-csi-driver = {
      most_recent = true
    }
    coredns = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
  }

  enable_aws_load_balancer_controller = true
}

Steps to reproduce the behavior:

Enable the AWS Load Balancer Controller in the eks_blueprints_addons module and attempt to deploy to AWS GovCloud.

Expected behavior

The policy should be created with no issues.

Actual behavior

Error: creating IAM Policy (alb-controller-20230619214405868900000001): LimitExceeded: Cannot exceed quota for PolicySize: 6144
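
A pre-flight size check for the situation described in the issue above, added here as an example (it is not code from the issue or from the module): it renders one policy template for each partition and compares the compact JSON length with the 6144 quota from the error. The `${partition}` placeholder, the function names and the sample policy are constructed for illustration.

```python
import json

POLICY_SIZE_QUOTA = 6144  # PolicySize quota quoted in the error above
PARTITIONS = ("aws", "aws-cn", "aws-us-gov")
PLACEHOLDER = "${partition}"  # this example's own convention, not the module's


def policy_size(document: dict) -> int:
    """Length of the compact JSON; IAM does not count whitespace toward the quota."""
    return len(json.dumps(document, separators=(",", ":")))


def render(template: dict, partition: str) -> dict:
    """Return the policy with every placeholder replaced by the partition name."""
    return json.loads(json.dumps(template).replace(PLACEHOLDER, partition))


def report(template: dict) -> dict:
    """Size, headroom and verdict for the template in each partition."""
    rows = {}
    for partition in PARTITIONS:
        size = policy_size(render(template, partition))
        rows[partition] = {"size": size, "headroom": POLICY_SIZE_QUOTA - size,
                           "fits": size <= POLICY_SIZE_QUOTA}
    return rows


def sample_template() -> dict:
    """Constructed policy: grown until one more statement would exceed the quota in 'aws'."""
    def stmt(i: int) -> dict:
        return {"Sid": f"Stmt{i}", "Effect": "Allow",
                "Action": ["elasticloadbalancing:AddTags"],
                "Resource": "arn:" + PLACEHOLDER + ":elasticloadbalancing:*:*:targetgroup/*/*"}
    doc = {"Version": "2012-10-17", "Statement": [stmt(0)]}
    while True:
        grown = {**doc, "Statement": doc["Statement"] + [stmt(len(doc["Statement"]))]}
        if policy_size(render(grown, "aws")) > POLICY_SIZE_QUOTA:
            return doc  # largest sample that still fits in the commercial partition
        doc = grown


if __name__ == "__main__":
    for partition, row in report(sample_template()).items():
        print(f"{partition:<11} size={row['size']:>5} "
              f"headroom={row['headroom']:>5} fits={row['fits']}")
```

Each ARN is 7 characters longer in `aws-us-gov` and 3 longer in `aws-cn` than in `aws`, so a policy with little headroom in the commercial partition can fail only in the others.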

quannhoang commented 1 year ago

I am having the exact issue today. Is there any temporary workaround while waiting for the fix?