defenseunicorns/terraform-aws-eks

bug: blueprints `cert_manager` implementation doesn't work in govcloud

Closed this issue · 2 comments

We will need our own implementation for IRSA things for this module for cert_manager due to govcloud api limitations. This might need to contain wildcards.

https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/257677adeed1be54326637cf919cf24df6ad7c06/main.tf#L1833-L1856

https://cert-manager.io/docs/configuration/acme/dns01/route53/#set-up-an-iam-role

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws-us-gov:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListResourceRecordSets",
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": "arn:aws-us-gov:route53:*:*:hostedzone/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ListHostedZonesByName",
            "Resource": "*"
        }
    ]
}
```
```text
TestExamplesCompleteSecure 2024-03-26T16:16:27Z logger.go:66: │ Error: creating IAM Policy (cert-manager-20240326161327081300000039): MalformedPolicyDocument: Resource arn:aws-us-gov:route53:*:*:hostedzone/* can not contain region information.
TestExamplesCompleteSecure 2024-03-26T16:16:27Z logger.go:66: │ 	status code: 400, request id: c4655233-6b97-41dc-9002-aabbef6f74c7
TestExamplesCompleteSecure 2024-03-26T16:16:27Z logger.go:66: │ 
TestExamplesCompleteSecure 2024-03-26T16:16:27Z logger.go:66: │   with module.eks.module.eks_blueprints_kubernetes_addons.module.cert_manager.aws_iam_policy.this[0],
TestExamplesCompleteSecure 2024-03-26T16:16:27Z logger.go:66: │   on .terraform/modules/eks.eks_blueprints_kubernetes_addons.cert_manager/main.tf line 242, in resource "aws_iam_policy" "this":
TestExamplesCompleteSecure 2024-03-26T16:16:27Z logger.go:66: │  242: resource "aws_iam_policy" "this" {
TestExamplesCompleteSecure 2024-03-26T16:16:27Z logger.go:66: │ 
```

My assumption is that this error is due to this:
https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-r53.html
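An added pre-apply check, not code from this module, the blueprints addons or cert-manager: it parses the policy document reported above, flags Route 53 resource ARNs that carry region or account fields (the exact MalformedPolicyDocument IAM returned), and rewrites them to the global-service form `arn:aws-us-gov:route53:::hostedzone/*`. The sample policy and the `aws-us-gov` partition come from the issue; the function names are hypothetical.

```python
import json
from typing import Dict, List

# Constructed sample: the policy from the issue, including the hostedzone ARN
# that IAM rejected with "can not contain region information".
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws-us-gov:route53:::change/*"},
    {"Effect": "Allow",
     "Action": ["route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets"],
     "Resource": "arn:aws-us-gov:route53:*:*:hostedzone/*"},
    {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"}
  ]
}"""
ISSUE_POLICY: Dict = json.loads(POLICY_JSON)

# Route 53 is a global service: the region and account fields of its ARNs are
# empty, e.g. arn:aws-us-gov:route53:::hostedzone/<id> (":::", not ":*:*:").
GLOBAL_SERVICES = {"route53"}

def arn_problems(arn: str, partition: str) -> List[str]:
    """Reasons IAM would reject `arn` in the given partition (empty list = ok)."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        return [f"{arn}: not a six-field ARN"]
    _, part, service, region, account, _ = parts
    problems = []
    if part != partition:
        problems.append(f"{arn}: partition {part!r}, expected {partition!r}")
    if service in GLOBAL_SERVICES and region:
        problems.append(f"{arn}: {service} ARNs can not contain region information")
    if service in GLOBAL_SERVICES and account:
        problems.append(f"{arn}: {service} ARNs have an empty account field")
    return problems

def lint_policy(policy: Dict, partition: str) -> List[str]:
    """Check every Resource ARN of an IAM policy document; a bare '*' is allowed."""
    findings = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        for arn in ([resources] if isinstance(resources, str) else resources):
            if arn != "*":
                findings.extend(arn_problems(arn, partition))
    return findings

def fix_global_service_arn(arn: str) -> str:
    """Blank the region and account fields of a global-service ARN; others untouched."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] in GLOBAL_SERVICES:
        parts[3], parts[4] = "", ""
    return ":".join(parts)
```

Running `lint_policy(ISSUE_POLICY, "aws-us-gov")` reports only the hostedzone statement, and the same policy passes once its ARN goes through `fix_global_service_arn`.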

For now, I think we disable cert_manager and bottlerocket_update_operator

Not a real issue. This was my mistake trusting copilot to make an arn format for me.