fix permissions required for NTH Queue Processor

2021-04-23 13:10:29 -05:00 · 2021-04-23 13:10:29 -05:00 · c2a9bdc515
parent 7d936548ca
commit c2a9bdc515
3 changed files with 35 additions and 28 deletions
--- a/docs/addons.md
+++ b/docs/addons.md
@ -143,20 +143,27 @@ The kOps CLI requires additional IAM permissions to manage the requisite EventBr
 ```json
 {
-    "Version": "2012-10-17",
+  "Version": "2012-10-17",
-    "Statement": [
+  "Statement": [
-        {
+    {
-            "Effect": "Allow",
+      "Effect": "Allow",
-            "Action": [
+      "Action": [
-                "events:PutEvents",
+        "events:DeleteRule",
-                "events:PutTargets",
+        "events:ListRules",
-                "sqs:CreateQueue",
+        "events:ListTargetsByRule",
-                "sqs:ListQueues",
+        "events:ListTagsForResource",
-                "sqs:DeleteQueue",
+        "events:PutEvents",
-            ],
+        "events:PutTargets",
-            "Resource": "*"
+        "events:RemoveTargets",
-        }
+        "sqs:CreateQueue",
-    ]
+        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    }
  ]
 }
 ```
--- a/docs/releases/1.21-NOTES.md
+++ b/docs/releases/1.21-NOTES.md
@ -21,7 +21,7 @@ In 1.21, this feature is behind a feature flag as node role name, labels, taints
 # Required Actions
-* To support [Node Termination Handler's Queue Process mode](/addons/#node-termination-handler), AWS cluster deletion now requires the kops CLI have `sqs:ListQueues` permission regardless of whether or not the addon is used.
+* To support [Node Termination Handler's Queue Process mode](/addons/#node-termination-handler), AWS cluster deletion now requires the kops CLI have `sqs:ListQueues` and `events:ListRules` permissions regardless of whether or not the addon is used.
 # Deprecations
--- a/pkg/resources/aws/eventbridge.go
+++ b/pkg/resources/aws/eventbridge.go
@ -48,19 +48,19 @@ func DeleteEventBridgeRule(cloud fi.Cloud, r *resources.Resource) error {
 	if err != nil {
 		return fmt.Errorf("error listing targets for EventBridge rule %q: %v", r.Name, err)
 	}
-
+	if len(targets.Targets) > 0 {
-	var ids []*string
+		var ids []*string
-	for _, target := range targets.Targets {
+		for _, target := range targets.Targets {
-		ids = append(ids, target.Id)
+			ids = append(ids, target.Id)
-	}
+		}
-
+		klog.V(2).Infof("Removing EventBridge Targets for rule %q", r.Name)
-	klog.V(2).Infof("Removing EventBridge Targets for rule %q", r.Name)
+		_, err = c.EventBridge().RemoveTargets(&eventbridge.RemoveTargetsInput{
-	_, err = c.EventBridge().RemoveTargets(&eventbridge.RemoveTargetsInput{
+			Ids:  ids,
-		Ids:  ids,
+			Rule: aws.String(r.Name),
-		Rule: aws.String(r.Name),
+		})
-	})
+		if err != nil {
-	if err != nil {
+			return fmt.Errorf("error removing targets for EventBridge rule %q: %v", r.Name, err)
-		return fmt.Errorf("error removing targets for EventBridge rule %q: %v", r.Name, err)
+		}
 	}
 	klog.V(2).Infof("Deleting EventBridge rule %q", r.Name)