spotinst / terraform-spotinst-ocean-aws-k8s

A Terraform module to create an Ocean Cluster.
Apache License 2.0

IAM:PassRole not working on self-managed node group #45

Open Vermyndax opened 1 month ago

Vermyndax commented 1 month ago

What happened: Deploying via Terraform did not succeed. During the apply action, we received the following error message:

Error: Error: [ERROR] failed to create cluster: POST https://api.spotinst.io/ocean/aws/k8s/cluster?accountId=***: 400 (request: "176e8002-0820-4901-8841-e426bb3177bf") GENERAL_ERROR: Can't create instances
│ POST https://api.spotinst.io/ocean/aws/k8s/cluster?accountId=***: 400 (request: "176e8002-0820-4901-8841-e426bb3177bf") UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::(redacted):assumed-role/Spotinst-Onboarding-Role/spotinst.session.1722375230779 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::(redacted):role/ocean_demo_self_eks_ng-node-group-20240730182840577400000001 because no identity-based policy allows the iam:PassRole action.

What you expected to happen: The Terraform should deploy successfully. It may be that we missed a step somewhere.

How to reproduce it (as minimally and precisely as possible): Run Terraform apply.

Anything else we need to know:

Relevant Terraform code:

provider "spotinst" {
  alias   = "ocean_demo"
  token   = var.spotinst_token
  account = var.spotinst_account
}

module "ocean_aws_k8s" {
  source  = "spotinst/ocean-aws-k8s/spotinst"
  version = "1.4.0"

  depends_on = [
    module.ocean_controller
  ]

  providers = {
    spotinst = spotinst.ocean_demo
  }

  cluster_name                = module.ocean_demo_eks.cluster_name
  region                      = var.aws_region
  subnet_ids                  = module.vpc.private_subnets
  worker_instance_profile_arn = module.ocean_demo_eks.self_managed_node_groups["ocean_demo_self_eks_ng"].iam_instance_profile_arn
  security_groups             = [module.ocean_demo_eks.node_security_group_id]

  max_scale_down_percentage = 100

}

module "ocean_controller" {
  source  = "spotinst/ocean-controller/spotinst"
  version = "0.54.0"

  spotinst_token   = var.spotinst_token
  spotinst_account = var.spotinst_account

  cluster_identifier = module.ocean_demo_eks.cluster_name
}

Environment: development/GitHub
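
The error above says the assumed Spotinst-Onboarding-Role has no identity-based policy allowing iam:PassRole on the node group role. One way to grant that permission narrowly is sketched below as an added example (not code from this issue or from the module); it assumes the onboarding role can be looked up by the name shown in the error and that `module.ocean_demo_eks` is a terraform-aws-modules/eks module exposing `iam_role_arn` for the node group. The policy name is hypothetical.

```hcl
# Added example, not from the issue or the module. Assumptions are marked.

# Assumption: the role named in the error message exists in this account
# under this name and is looked up here rather than managed here.
data "aws_iam_role" "spot_onboarding" {
  name = "Spotinst-Onboarding-Role"
}

locals {
  # Assumption: module.ocean_demo_eks is terraform-aws-modules/eks, whose
  # self-managed node group exposes iam_role_arn next to the
  # iam_instance_profile_arn already used in the issue.
  ocean_node_role_arn = module.ocean_demo_eks.self_managed_node_groups["ocean_demo_self_eks_ng"].iam_role_arn
}

data "aws_iam_policy_document" "ocean_pass_node_role" {
  statement {
    sid     = "PassOceanNodeRoleToEc2"
    effect  = "Allow"
    actions = ["iam:PassRole"]

    # Scope to the single node role from the error message, not "*".
    resources = [local.ocean_node_role_arn]

    # Allow the role to be passed only to EC2, so this grant cannot be
    # used to hand the node role to another AWS service.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "ocean_pass_node_role" {
  name   = "ocean-pass-node-role" # hypothetical policy name
  role   = data.aws_iam_role.spot_onboarding.id
  policy = data.aws_iam_policy_document.ocean_pass_node_role.json
}
```

Adding `aws_iam_role_policy.ocean_pass_node_role` to the `depends_on` list of `module.ocean_aws_k8s` makes Terraform attach the policy before the cluster create call is issued.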

santiago-roig commented 1 month ago

I'm having the same issue here:

worker_instance_profile_arn = local.eks_managed_node_group_iam_role_arn

I get the error:

for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name

I also tried to use the role name, but receive the same error.