OCPBUGS-31017: fix ec2:DisassociateAddress requirement

We only need this permission when using public IPv4 pool, so change the
permissions to reflect that.

This is a follow-up to openshift#8247

Author: r4f4

pkg/asset/installconfig/aws/permissions.go

@@ -42,6 +42,9 @@ const (
 
 	// PermissionKMSEncryptionKeys is an additional set of permissions required when the installer uses user provided kms encryption keys.
 	PermissionKMSEncryptionKeys PermissionGroup = "kms-encryption-keys"
+
+	// PermissionPublicIpv4Pool is an additional set of permissions required when the installer uses public IPv4 pools.
+	PermissionPublicIpv4Pool PermissionGroup = "public-ipv4-pool"
 )
 
 var permissions = map[PermissionGroup][]string{
@@ -231,8 +234,6 @@ var permissions = map[PermissionGroup][]string{
 		"ec2:DeleteVpc",
 		"ec2:DeleteVpcEndpoints",
 		"ec2:DetachInternetGateway",
-		// Needed by terraform when EIPs are created
-		"ec2:DisassociateAddress",
 		"ec2:DisassociateRouteTable",
 		"ec2:ReleaseAddress",
 		"ec2:ReplaceRouteTableAssociation",
@@ -261,6 +262,10 @@ var permissions = map[PermissionGroup][]string{
 		"kms:CreateGrant",
 		"kms:ListGrants",
 	},
+	PermissionPublicIpv4Pool: {
+		// Needed by terraform because of bootstrap EIP created
+		"ec2:DisassociateAddress",
+	},
 }
 
 // ValidateCreds will try to create an AWS session, and also verify that the current credentials

pkg/asset/installconfig/platformpermscheck.go

@@ -98,6 +98,10 @@ func (a *PlatformPermsCheck) Generate(dependencies asset.Parents) error {
 			}
 		}
 
+		if ic.Config.AWS.PublicIpv4Pool != "" {
+			permissionGroups = append(permissionGroups, awsconfig.PermissionPublicIpv4Pool)
+		}
+
 		ssn, err := ic.AWS.Session(ctx)
 		if err != nil {
 			return err