From c799fecd85ea1879305f67fcb4106d13119e1a79 Mon Sep 17 00:00:00 2001
From: Rich Lafferty
Date: Tue, 6 Oct 2020 03:24:22 -0400
Subject: [PATCH] fix: Use customer managed policy instead of inline policy for `cluster_elb_sl_role_creation` (#1039)

NOTE: The usage of customer managed policy, not an inline policy, for the `cluster_elb_sl_role_creation policy` is common for "enterprise" AWS users to disallow inline policies with an SCP rule for auditing-related reasons, and this accomplishes the same thing.
---
 cluster.tf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/cluster.tf b/cluster.tf
index 1693926247..34b7314b5c 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -158,9 +158,15 @@ data "aws_iam_policy_document" "cluster_elb_sl_role_creation" {
   }
 }
 
-resource "aws_iam_role_policy" "cluster_elb_sl_role_creation" {
+resource "aws_iam_policy" "cluster_elb_sl_role_creation" {
   count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
   name_prefix = "${var.cluster_name}-elb-sl-role-creation"
-  role = local.cluster_iam_role_name
+  description = "Permissions for EKS to create AWSServiceRoleForElasticLoadBalancing service-linked role"
   policy = data.aws_iam_policy_document.cluster_elb_sl_role_creation[0].json
 }
+
+resource "aws_iam_role_policy_attachment" "cluster_elb_sl_role_creation" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+  policy_arn = aws_iam_policy.cluster_elb_sl_role_creation[0].arn
+  role = local.cluster_iam_role_name
+}
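Review bot: The new `aws_iam_policy` resource carries no `path` or `tags`, which an inline policy cannot have but a standalone managed policy should, so that the path-scoped SCPs and audit tooling this change is meant to satisfy see the policy in the same IAM namespace as the role it is attached to; if the module already threads an IAM path and tag variables through its role resources (not visible in this hunk), add `path = var.iam_path` and `tags = var.tags` to the policy block. A second caveat worth a line in the commit message: on an existing cluster this apply destroys the inline `aws_iam_role_policy` and creates the managed policy and attachment as independent resources, and Terraform does not order the destroy relative to the new attachment, so the cluster role may briefly lack the service-linked-role permission mid-apply. The `data "aws_iam_policy_document"` block named in the hunk header begins before the hunk, so the permissions actually granted by the attached policy cannot be reviewed here.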