vmware-archive / kube-prod-runtime

A standard infrastructure environment for Kubernetes
Apache License 2.0

Synchronize/update dns-zone IAM user policy for AWS EKS #484

Open clorichel opened 5 years ago

clorichel commented 5 years ago

Assuming you follow the Amazon EKS Quickstart:

Now, assuming you delete the Route53 hosted zone manually for whatever reason, but NOT the IAM user, then the IAM user is detected and console output mentions Re-using existing IAM policy for External DNS integration, which is great 👌

But in that case, a new Route53 hosted zone (with a new id) is created while the IAM user is reused "as-is" without synchronizing/updating THE_ID_OF_THE_HOSTED_ZONE (from the example above) on the Allow route53:ChangeResourceRecordSets policy. You end up in a situation where the IAM user isn't allowed to manage record sets for the zone, until you manually change the hosted zone id in the IAM user policies.
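The synchronisation step this issue asks for, written out as an added example that is not part of kube-prod-runtime's own code: given the existing user policy document and the id of the freshly created hosted zone, detect a stale hostedzone ARN in the route53:ChangeResourceRecordSets statement and rewrite it, leaving the other statements untouched. The policy layout, the ARN prefix and the sample document are assumptions constructed for the example (the real policy is generated in kubeprod/pkg/eks/platform.go).

```go
package main

import ("encoding/json"; "fmt"; "strings")

// Minimal IAM policy model; assumes Action/Resource are JSON lists (IAM also
// accepts bare strings, which would need a custom unmarshaller).
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

const zonePrefix = "arn:aws:route53:::hostedzone/" // assumed Route53 zone ARN form

// SyncHostedZone rewrites every hostedzone ARN in Allow statements granting
// route53:ChangeResourceRecordSets so it names zoneID. It returns the updated
// document and whether the existing policy was out of sync (the case above).
func SyncHostedZone(doc []byte, zoneID string) ([]byte, bool, error) {
	var p Policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, false, err
	}
	want, changed := zonePrefix+zoneID, false
	for i, st := range p.Statement {
		for _, a := range st.Action {
			if st.Effect != "Allow" || a != "route53:ChangeResourceRecordSets" {
				continue
			}
			for j, r := range st.Resource {
				if strings.HasPrefix(r, zonePrefix) && r != want {
					p.Statement[i].Resource[j], changed = want, true
				}
			}
		}
	}
	out, err := json.Marshal(p)
	return out, changed, err
}

// Constructed sample: the policy left behind after the zone was deleted and recreated.
const stalePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["route53:ChangeResourceRecordSets"],"Resource":["arn:aws:route53:::hostedzone/ZOLDEXAMPLE"]},{"Effect":"Allow","Action":["route53:ListHostedZones","route53:ListResourceRecordSets"],"Resource":["*"]}]}`

func main() {
	out, changed, err := SyncHostedZone([]byte(stalePolicy), "ZNEWEXAMPLE")
	fmt.Println(changed, err, string(out))
}
```

When `changed` is true the returned document is what the installer would push back with iam:PutUserPolicy instead of re-using the policy as-is.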

caleno commented 5 years ago

Following the Amazon EKS quickstart, where is the part where the "IAM user named bpkr-${BKPR_DNS_ZONE} is created" or is supposed to be created?

I get a warning about Re-using this user but it doesn't exist.

caleno commented 5 years ago

The logic is coded in kubeprod/pkg/eks/platform.go, so it is a part of the install procedure.