From d6adebe39630bb1c04848ed893b3cd1f14da02d1 Mon Sep 17 00:00:00 2001
From: Osama Bin Junaid <32925504+ibnjunaid@users.noreply.github.com>
Date: Wed, 28 Feb 2024 02:59:25 +0530
Subject: [PATCH] Remove inline ELB and CloudWatch policies from Cluster Role (#7603)

* remove inline elb and cloud watch policy #7139

* fixed unit tests for removing extra inline policies
---
 pkg/cfn/builder/cluster_test.go | 7 -------
 pkg/cfn/builder/iam.go | 8 +-------
 pkg/cfn/builder/statement.go | 26 --------------------------
 3 files changed, 1 insertion(+), 40 deletions(-)

diff --git a/pkg/cfn/builder/cluster_test.go b/pkg/cfn/builder/cluster_test.go
index de834d919f..2ea1584c7a 100644
--- a/pkg/cfn/builder/cluster_test.go
+++ b/pkg/cfn/builder/cluster_test.go
@@ -281,18 +281,11 @@ var _ = Describe("Cluster Template Builder", func() {
 
 It("should add iam resources and policies", func() {
 Expect(clusterTemplate.Resources).To(HaveKey("ServiceRole"))
- Expect(clusterTemplate.Resources).To(HaveKey("PolicyELBPermissions"))
- Expect(clusterTemplate.Resources).To(HaveKey("PolicyCloudWatchMetrics"))
 })
 
 It("should add the correct policies and references to the ServiceRole ARN", func() {
 Expect(clusterTemplate.Resources["ServiceRole"].Properties.ManagedPolicyArns).To(HaveLen(2))
 Expect(clusterTemplate.Resources["ServiceRole"].Properties.ManagedPolicyArns).To(ContainElements(makePolicyARNRef("AmazonEKSClusterPolicy"), makePolicyARNRef("AmazonEKSVPCResourceController")))
-
- cwPolicy := clusterTemplate.Resources["PolicyCloudWatchMetrics"].Properties
- Expect(isRefTo(cwPolicy.Roles[0], "ServiceRole")).To(BeTrue())
- elbPolicy := clusterTemplate.Resources["PolicyELBPermissions"].Properties
- Expect(isRefTo(elbPolicy.Roles[0], "ServiceRole")).To(BeTrue())
 })
 
 It("should add iam outputs", func() {
diff --git a/pkg/cfn/builder/iam.go b/pkg/cfn/builder/iam.go
index 387c526927..422a03d323 100644
--- a/pkg/cfn/builder/iam.go
+++ b/pkg/cfn/builder/iam.go
@@ -105,13 +105,7 @@ func (c *ClusterResourceSet) addResourcesForIAM() {
 if api.IsSetAndNonEmptyString(c.spec.IAM.ServiceRolePermissionsBoundary) {
 role.PermissionsBoundary = gfnt.NewString(*c.spec.IAM.ServiceRolePermissionsBoundary)
 }
- refSR := c.newResource("ServiceRole", role)
- c.rs.attachAllowPolicy("PolicyCloudWatchMetrics", refSR, cloudWatchMetricsStatements())
- // These are potentially required for creating load balancers but aren't included in the
- // AmazonEKSClusterPolicy
- // See https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-api-permissions.html#required-permissions-v2
- // and weaveworks/eksctl#2488
- c.rs.attachAllowPolicy("PolicyELBPermissions", refSR, elbStatements())
+ c.newResource("ServiceRole", role)
 
 c.rs.defineOutputFromAtt(outputs.ClusterServiceRoleARN, "ServiceRole", "Arn", true, func(v string) error {
 c.spec.IAM.ServiceRoleARN = &v
diff --git a/pkg/cfn/builder/statement.go b/pkg/cfn/builder/statement.go
index 9c6dd1e91c..da2789a5a2 100644
--- a/pkg/cfn/builder/statement.go
+++ b/pkg/cfn/builder/statement.go
@@ -250,32 +250,6 @@ func loadBalancerControllerStatements() []cft.MapOfInterfaces {
 }
 }
 
-func elbStatements() []cft.MapOfInterfaces {
- return []cft.MapOfInterfaces{
- {
- "Effect": effectAllow,
- "Resource": resourceAll,
- "Action": []string{
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAddresses",
- "ec2:DescribeInternetGateways",
- },
- },
- }
-}
-
-func cloudWatchMetricsStatements() []cft.MapOfInterfaces {
- return []cft.MapOfInterfaces{
- {
- "Effect": effectAllow,
- "Resource": resourceAll,
- "Action": []string{
- "cloudwatch:PutMetricData",
- },
- },
- }
-}
-
 func certManagerHostedZonesStatements() []cft.MapOfInterfaces {
 return []cft.MapOfInterfaces{
 {
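Review bot: The new `c.newResource("ServiceRole", role)` line in addResourcesForIAM leaves no trace of why the PolicyCloudWatchMetrics and PolicyELBPermissions inline policies are gone, and the deleted comment appears to have been the only place that explained the ELB actions were attached because they sat outside AmazonEKSClusterPolicy; a reader of the new code cannot tell whether those actions are now covered by the two managed policies or were judged unnecessary. A one-line comment would preserve that reasoning, e.g. `// Only managed policies are attached; the former inline CloudWatch/ELB policies were removed in #7603 (see #7139).`. Since this template is also applied to existing cluster stacks, the next stack update deletes both inline policies from the role, so it is worth confirming (and recording in the release notes) that the ec2:Describe* and cloudwatch:PutMetricData actions the role relied on are granted by AmazonEKSClusterPolicy before upgraded clusters create load balancers. addResourcesForIAM continues outside the hunk.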