Open clorichel opened 5 years ago
Following the Amazon EKS quickstart, where is the part where the "IAM user named bpkr-${BKPR_DNS_ZONE} is created", or is it supposed to be created?
I get a warning about "Re-using" this user, but it doesn't exist.
The logic is coded in kubeprod/pkg/eks/platform.go, so it is part of the install procedure.
Assuming you follow the Amazon EKS Quickstart: `bpkr-${BKPR_DNS_ZONE}` is created with accurate policies, including an `Allow route53:ChangeResourceRecordSets` on the specific `arn:aws:route53:::hostedzone/THE_ID_OF_THE_HOSTED_ZONE` resource.

Now, assuming you delete the Route53 hosted zone manually for whatever reason, but NOT the IAM user, then the IAM user is detected and console output mentions `Re-using existing IAM policy for External DNS integration`, which is great 👌

But in that case, a new Route53 hosted zone (with a new id) is created while the IAM user is reused "as-is" without synchronizing/updating `THE_ID_OF_THE_HOSTED_ZONE` (from the example above) on the `Allow route53:ChangeResourceRecordSets` policy. You end up in a situation where the IAM user isn't allowed to manage record sets for the zone, until you manually change the hosted zone id in the IAM user policies.
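The stale-policy situation described above, as an added illustration that is not kubeprod's own code: a check that compares every hostedzone ARN in the reused IAM policy document against the current hosted zone ID, rewrites stale ones, and reports whether anything was out of sync. The policy JSON and the zone IDs `ZOLDEXAMPLE`/`ZNEWEXAMPLE` are constructed placeholders, and the model assumes list-valued `Action`/`Resource` fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal IAM policy model; assumes list-valued Action/Resource as in the
// constructed sample below (real policies may also use plain strings).
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}
const zonePrefix = "arn:aws:route53:::hostedzone/"

// SamplePolicy is a constructed policy whose ChangeResourceRecordSets grant
// still names the ID of a hosted zone that has since been deleted and recreated.
const SamplePolicy = `{"Version":"2012-10-17","Statement":[` +
	`{"Effect":"Allow","Action":["route53:ChangeResourceRecordSets"],"Resource":["` + zonePrefix + `ZOLDEXAMPLE"]},` +
	`{"Effect":"Allow","Action":["route53:ListHostedZones"],"Resource":["*"]}]}`

// SyncHostedZone replaces every hostedzone resource that does not match
// currentZoneID and reports whether any was stale (the situation in the report).
func SyncHostedZone(policyJSON []byte, currentZoneID string) ([]byte, bool, error) {
	var doc PolicyDocument
	if err := json.Unmarshal(policyJSON, &doc); err != nil {
		return nil, false, err
	}
	want, stale := zonePrefix+currentZoneID, false
	for si := range doc.Statement {
		for ri, res := range doc.Statement[si].Resource {
			if strings.HasPrefix(res, zonePrefix) && res != want {
				doc.Statement[si].Resource[ri] = want // zone was recreated: follow the new ID
				stale = true
			}
		}
	}
	out, err := json.Marshal(doc)
	return out, stale, err
}

func main() {
	out, stale, err := SyncHostedZone([]byte(SamplePolicy), "ZNEWEXAMPLE")
	fmt.Println(stale, err, string(out))
}
```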