feat: Use aws_iam_role_policies_exclusive

kimxogus · kimxogus · commit 0c9148e79631 · 2024-10-31T11:59:20.000+09:00
diff --git a/main.tf b/main.tf
@@ -411,32 +411,38 @@ resource "aws_iam_role" "this" {
   permissions_boundary  = var.iam_role_permissions_boundary
   force_detach_policies = true
 
-  # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/920
-  # Resources running on the cluster are still generating logs when destroying the module resources
-  # which results in the log group being re-created even after Terraform destroys it. Removing the
-  # ability for the cluster role to create the log group prevents this log group from being re-created
-  # outside of Terraform due to services still generating logs during destroy process
-  dynamic "inline_policy" {
-    for_each = var.create_cloudwatch_log_group ? [1] : []
-    content {
-      name = local.iam_role_name
-
-      policy = jsonencode({
-        Version = "2012-10-17"
-        Statement = [
-          {
-            Action   = ["logs:CreateLogGroup"]
-            Effect   = "Deny"
-            Resource = "*"
-          },
-        ]
-      })
-    }
-  }
-
   tags = merge(var.tags, var.iam_role_tags)
 }
 
+# https://github.com/terraform-aws-modules/terraform-aws-eks/issues/920
+# Resources running on the cluster are still generating logs when destroying the module resources
+# which results in the log group being re-created even after Terraform destroys it. Removing the
+# ability for the cluster role to create the log group prevents this log group from being re-created
+# outside of Terraform due to services still generating logs during destroy process
+resource "aws_iam_role_policy" "this" {
+  count = local.create_iam_role && var.create_cloudwatch_log_group ? 1 : 0
+
+  name   = local.iam_role_name
+  role   = aws_iam_role.this[0].name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action   = ["logs:CreateLogGroup"]
+        Effect   = "Deny"
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policies_exclusive" "this" {
+  count = local.create_iam_role && var.create_cloudwatch_log_group ? 1 : 0
+
+  role_name = aws_iam_role.this[0].name
+  policy_names = [local.iam_role_name]
+}
+
 # Policies attached ref https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html
 resource "aws_iam_role_policy_attachment" "this" {
   for_each = { for k, v in {
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.61"
+      version = ">= 5.68"
     }
     tls = {
       source  = "hashicorp/tls"

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.61"`
	`7`	`+ version = ">= 5.68"`
`8`	`8`	`}`
`9`	`9`	`tls = {`
`10`	`10`	`source = "hashicorp/tls"`