AWS EKS - version locking for hashicorp/aws

[thinkl33t]

Description of Problem:

We have seen an issue where the file describing what iam permissions the user needs has become outdated, and the new version of the terraform aws plugin requires differing permissions.

We fixed this by researching its provenance and manually updating this file, but it was unclear from just the repo where this file had come from, and why it didn't match the reality of what we were seeing when trying to run terraform.

Looking at the release cadance of the provider, it doesn't seem to use semantic versioning when its iam role requirements are changed, (the hop from 3.20 in versions.tf to 3.42 was enough to break this), so we can't usefully set an unbounded range or minor version match on it without risking this file getting out of sync again.

Potential Solutions:

I suggest we either:

• Set a specific version of the terraform aws provider (current release is working fine)
• Copy the upstream iam-required-permissions.md file from the blessed version
• Add a comment in the versions.tf file which mentions the above file needs updating when the aws provider version is updated
• Add a comment to the iam-required-permissions.md file, linking back to upstream and versions.tf

or:

• Replace the contents of iam-required-permissions.md with a link to the same file upstream, and expect the user to be using the latest release of the aws provider

[benjamb]

Just going to throw in my vote for the first option.

[caishaoping]

Just joined today, hope I can learn from this the resolution from this issue or even help the resolution. Thanks

[thinkl33t]

Went today to implement suggestion 1 above, and the upstream file seems to no longer actually exist, which is non-ideal.