
Bug Report: VPC CNI IPv6 policy missing ec2:ModifyNetworkInterfaceAttribute permission #617

@ajaykumarmandapati

Description

The VPC CNI IPv6 policy generated by the iam-role-for-service-accounts-eks module is missing the ec2:ModifyNetworkInterfaceAttribute permission, causing MissingIAMPermissions errors in aws-node pods when using IPv6 clusters.

Affected Versions

  • ✅ Confirmed in v5.x (tested with ~> 5.0)
  • ✅ Confirmed in v6.0.0 (verified via source code)
  • ❓ Likely affects all versions with IPv6 support

Module Configuration

module "vpc_cni_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "~> 5.0"  # or 6.0.0

  role_name_prefix      = "vpc_cni"
  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv6   = true  # This triggers the incomplete policy

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["kube-system:aws-node"]
    }
  }
}

Expected Behavior

The IPv6 VPC CNI policy should include all permissions required by AWS VPC CNI documentation, including ec2:ModifyNetworkInterfaceAttribute.

Actual Behavior

IPv4/General Policy (✅ correct):

actions = [
  "ec2:DescribeTags",
  "ec2:DescribeNetworkInterfaces", 
  "ec2:DescribeInstanceTypes",
  "ec2:DescribeSubnets",
  "ec2:DetachNetworkInterface",
  "ec2:ModifyNetworkInterfaceAttribute",  # ✅ Present
  "ec2:UnassignPrivateIpAddresses"
]

IPv6 Policy (❌ incomplete):

# Generated when vpc_cni_enable_ipv6 = true
actions = [
  "ec2:AssignIpv6Addresses",
  "ec2:DescribeInstances",
  "ec2:DescribeTags", 
  "ec2:DescribeNetworkInterfaces",
  "ec2:DescribeInstanceTypes",
  # ❌ MISSING: ec2:ModifyNetworkInterfaceAttribute
]

Error Evidence

aws-node pods show this error:

Unauthorized operation: failed to call ec2:ModifyNetworkInterfaceAttribute due to missing permissions. 
Please refer https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md to attach relevant policy to IAM role

Root Cause Analysis

According to AWS VPC CNI IAM documentation, both IPv4 and IPv6 modes require ec2:ModifyNetworkInterfaceAttribute. However, the module's IPv6 policy block only includes a subset of permissions.

The issue is in policies.tf around line 160+ where the IPv6 dynamic statement is missing this permission.

Proposed Solution

Add ec2:ModifyNetworkInterfaceAttribute to the IPv6 policy block:

dynamic "statement" {
  for_each = var.vpc_cni_enable_ipv6 ? [1] : []

  content {
    sid = "IPV6"
    actions = [
      "ec2:AssignIpv6Addresses",
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeInstanceTypes",
      "ec2:ModifyNetworkInterfaceAttribute",  # ADD THIS
    ]
    resources = ["*"]
  }
}

Current Workaround

Users must add an additional IAM policy:

resource "aws_iam_policy" "vpc_cni_additional" {
  name_prefix = "vpc-cni-additional"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["ec2:ModifyNetworkInterfaceAttribute"]
      Resource = "*"
    }]
  })
}
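As an added check (not part of this issue or the module), the script below reads a rendered IAM policy document, for example from `terraform show -json` or `aws iam get-policy-version`, and reports which VPC CNI IPv6 actions no Allow statement covers, so the gap is caught before aws-node reports it. It assumes the required set is the actions in the proposed IPv6 statement above; the sample policy is constructed to mirror the incomplete statement the module currently renders.

```python
import fnmatch
import json

# Actions in the report's proposed IPv6 statement (assumed as the required set;
# the authoritative list is the AWS VPC CNI iam-policy.md linked in the error).
REQUIRED_IPV6_ACTIONS = {
    "ec2:AssignIpv6Addresses", "ec2:DescribeInstances", "ec2:DescribeTags",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeInstanceTypes",
    "ec2:ModifyNetworkInterfaceAttribute",
}

# Constructed sample: the incomplete statement the module renders when
# vpc_cni_enable_ipv6 = true, as the policy JSON would appear in AWS.
GENERATED_IPV6_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPV6", "Effect": "Allow", "Resource": "*",
        "Action": ["ec2:AssignIpv6Addresses", "ec2:DescribeInstances",
                   "ec2:DescribeTags", "ec2:DescribeNetworkInterfaces",
                   "ec2:DescribeInstanceTypes"],
    }],
})


def allowed_action_patterns(policy_json):
    """Action patterns from Allow statements; Statement/Action may be scalar or list."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy_json, required=REQUIRED_IPV6_ACTIONS):
    """Required actions not covered by any Allow pattern. IAM action names
    match case-insensitively with '*' and '?' wildcards, so 'ec2:Describe*'
    covers ec2:DescribeTags but not ec2:ModifyNetworkInterfaceAttribute."""
    patterns = [p.lower() for p in allowed_action_patterns(policy_json)]
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))


if __name__ == "__main__":
    print("missing:", missing_actions(GENERATED_IPV6_POLICY))
```

Run against the module's IPv6 policy it prints `missing: ['ec2:ModifyNetworkInterfaceAttribute']`; an empty list means the role is complete for the assumed required set.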

Environment

  • Terraform Version: 1.13.3
  • AWS Provider: 5.100.0
  • EKS Cluster: IPv6 enabled (cluster_ip_family = "ipv6")
  • Tested and Verified: Issue persists across v5.x and v6.0.0
