update(config/cluster): adjust iam role for autoscaler

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
falcosecurity · Jul 17, 2024 · 594e58a · 594e58a
1 parent 37f76fa
commit 594e58a
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
@@ -35,14 +35,27 @@ data "aws_iam_policy_document" "cluster_autoscaler_policy_doc" {
   statement {
     effect    = "Allow"
     resources = ["*"]
+
     actions = [
       "autoscaling:DescribeAutoScalingGroups",
       "autoscaling:DescribeAutoScalingInstances",
       "autoscaling:DescribeLaunchConfigurations",
-      "autoscaling:DescribeTags",
+      "autoscaling:DescribeScalingActivities",
+      "ec2:DescribeImages",
+      "ec2:DescribeInstanceTypes",
+      "ec2:DescribeLaunchTemplateVersions",
+      "ec2:GetInstanceTypesFromInstanceRequirements",
+      "eks:DescribeNodegroup",
+    ]
+  }
+
+  statement {
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
       "autoscaling:SetDesiredCapacity",
       "autoscaling:TerminateInstanceInAutoScalingGroup",
-      "ec2:DescribeLaunchTemplateVersions"
     ]
   }
 }