From c653a83be9b012a01625a196a59320f4670fbee3 Mon Sep 17 00:00:00 2001 From: Peter Rifel Date: Fri, 23 Apr 2021 09:31:10 -0500 Subject: [PATCH] Document the newly required SQS permissions for NTH --- docs/addons.md | 6 ++++-- docs/releases/1.21-NOTES.md | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/addons.md b/docs/addons.md index 14e45dc4a5..be798ee623 100644 --- a/docs/addons.md +++ b/docs/addons.md @@ -139,7 +139,7 @@ spec: If `enableSQSTerminationDraining` is true Node Termination Handler will operate in Queue Processor mode. In addition to the events mentioned above, Queue Processor mode allows Node Termination Handler to take care of ASG Scale-In, AZ-Rebalance, Unhealthy Instances, EC2 Instance Termination via the API or Console, and more. kOps will provision the necessary infrastructure: an SQS queue, EventBridge rules, and ASG Lifecycle hooks. `managedASGTag` can be configured with Queue Processor mode to distinguish resource ownership between multiple clusters. -The kOps CLI requires additional IAM permissions to create the requisite EventBridge rules and SQS queue: +The kOps CLI requires additional IAM permissions to manage the requisite EventBridge rules and SQS queue: ```json { @@ -150,7 +150,9 @@ The kOps CLI requires additional IAM permissions to create the requisite EventBr "Action": [ "events:PutEvents", "events:PutTargets", - "sqs:CreateQueue" + "sqs:CreateQueue", + "sqs:ListQueues", + "sqs:DeleteQueue", ], "Resource": "*" } diff --git a/docs/releases/1.21-NOTES.md b/docs/releases/1.21-NOTES.md index 792937614d..af7853d348 100644 --- a/docs/releases/1.21-NOTES.md +++ b/docs/releases/1.21-NOTES.md 
@@ -21,6 +21,8 @@ In 1.21, this feature is behind a feature flag as node role name, labels, taints # Required Actions +* To support [Node Termination Handler's Queue Process mode](/addons/#node-termination-handler), AWS cluster deletion now requires the kops CLI have `sqs:ListQueues` permission regardless of whether or not the addon is used. + # Deprecations * Support for Kubernetes versions 1.15 and 1.16 are deprecated and will be removed in kOps 1.22.
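Review bot: In the docs/addons.md hunk at `@@ -150,7 +150,9 @@`, the added line `"sqs:DeleteQueue",` ends with a trailing comma directly before the closing `]`, so the documented policy is no longer valid JSON and will be rejected if pasted as written. Drop the comma after `"sqs:DeleteQueue"`. The statement also keeps `"Resource": "*"` while gaining a delete action, so the text should say whether `sqs:DeleteQueue` can be limited to the queues kOps creates, or state that the wildcard is required.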
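Review bot: In the docs/releases/1.21-NOTES.md hunk, the new Required Actions bullet says "Queue Process mode" where docs/addons.md uses "Queue Processor mode", and writes "kops CLI" where the same patch writes "kOps CLI" in addons.md; align both with the addons page. The bullet names only `sqs:ListQueues`, while the addons.md change also adds `sqs:DeleteQueue`, so it is worth stating explicitly that `sqs:DeleteQueue` is needed only when the addon is in use, if that is the intent. "requires the kops CLI have" would also read better as "requires that the kOps CLI has".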