From 2922a78fbf76914d21040ddb188b8ff5ce981524 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Alberto=20Novoa=20Rojas?=
 <112587171+iamjanr@users.noreply.github.com>
Date: Mon, 26 Feb 2024 15:49:52 +0100
Subject: [PATCH] Update eks permissions (#493)

---
 docs/aws/Permissions/EKS/eks_Errros.md                         | 1 +
 docs/aws/Permissions/EKS/eks_permission.adoc                   | 1 +
 docs/aws/Permissions/EKS/eks_permission_ref.json               | 1 +
 .../en/modules/ROOT/assets/attachments/stratio-eks-policy.json | 1 +
 .../es/modules/ROOT/assets/attachments/stratio-eks-policy.json | 3 ++-
 5 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/aws/Permissions/EKS/eks_Errros.md b/docs/aws/Permissions/EKS/eks_Errros.md
index 5e41419486..53547894c0 100644
--- a/docs/aws/Permissions/EKS/eks_Errros.md
+++ b/docs/aws/Permissions/EKS/eks_Errros.md
@@ -95,3 +95,4 @@ $> aws sts decode-authorization-message --encoded-message <encoded message from
 | ERROR "Reconciler error" err="failed to reconcile control plane for AWSManagedControlPlane cluster-eks-cl02/eks-cl02-control-plane: failed reconciling cluster version: failed to update EKS cluster: AccessDeniedException: User is not authorized to perform this action" controller="awsmanagedcontrolplane" controllerGroup="controlplane.cluster.x-k8s.io" controllerKind="AWSManagedControlPlane" AWSManagedControlPlane="cluster-eks-cl02/eks-cl02-control-plane" namespace="cluster-eks-cl02" name="eks-cl02-control-plane" reconcileID="27682de5-0bc5-4fb5-97b6-33ea18a3cf6d". | 83 |
 | ERROR "Reconciler error" err="failed to reconcile network for AWSManagedControlPlane cluster-eks-cl01/eks-cl01-control-plane: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::<account-id>:user/cloud-provisioner-eks is not authorized to perform: ec2:AssociateVpcCidrBlock on resource: arn:aws:ec2:eu-west-1:<account-id>:vpc/<vpc-id> because no identity-based policy allows the ec2:AssociateVpcCidrBlock action. | 84 |
 | ERROR failed to modify network interfaces on instance "i-09beac8d97ff9dcee": failed to modify interface "eni-0e1891db15e7b4b17" to have security groups [sg-0b0568ce15f34f4b3 sg-00ea9d4da6fb534a7]: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::963353511234:user/cloud-provisioner-eks is not authorized to perform: ec2:ModifyNetworkInterfaceAttribute on resource: arn:aws:ec2:eu-west-1:963353511234:security-group/sg-00ea9d4da6fb534a7 because no identity-based policy allows the ec2:ModifyNetworkInterfaceAttribute action. | 85 |
+| ERROR "error deleting network for AWSManagedControlPlane" err=<UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::963353511234:user/cloud-provisioner-eks is not authorized to perform: ec2:DisassociateVpcCidrBlock on resource: arn:aws:ec2:eu-west-1:963353511234:vpc/vpc-09d5be7178005aa6b because no identity-based policy allows the ec2:DisassociateVpcCidrBlock action. | 86 |
diff --git a/docs/aws/Permissions/EKS/eks_permission.adoc b/docs/aws/Permissions/EKS/eks_permission.adoc
index 54664bb8c6..16948a4587 100644
--- a/docs/aws/Permissions/EKS/eks_permission.adoc
+++ b/docs/aws/Permissions/EKS/eks_permission.adoc
@@ -158,6 +158,7 @@ kubectl --kubeconfig local_kubeconfig -n cluster-<cluster-name> delete cluster <
 | ec2:DeleteVpc | Attempting to delete VPC | Grants permission to delete the specified VPC. |  arn:aws:ec2:eu-west-1:<account-id>:vpc/* | cloud-provisioner
 | eks:DeleteCluster | Attempting to delete cluster | Grants permission to delete the specified cluster. |  arn:aws:eks:eu-west-1:<account-id>:cluster/* | cloud-provisioner
 | iam:DeleteOpenIDConnectProvider | Attempting to delete OpenID Connect provider | Grants permission to delete an IAM OpenID Connect (OIDC) provider resource object in IAM. |  arn:aws:iam::268367799918:oidc-provider/* | cloud-provisioner
+| ec2:DisassociateVpcCidrBlock | Attempting to disassociate CIDR block | Grants permission to disassociate a CIDR block from a VPC. | arn:aws:ec2:eu-west-1:<account-id>:vpc/* | cloud-provisioner
 |===
 
 === Retain (No additional permissions needed)
diff --git a/docs/aws/Permissions/EKS/eks_permission_ref.json b/docs/aws/Permissions/EKS/eks_permission_ref.json
index 3be31d7acb..f86362aa41 100644
--- a/docs/aws/Permissions/EKS/eks_permission_ref.json
+++ b/docs/aws/Permissions/EKS/eks_permission_ref.json
@@ -56,6 +56,7 @@
                 "ec2:CreateNatGateway",
                 "ec2:CreateSecurityGroup",
                 "ec2:DescribeVpcAttribute",
+                "ec2:DisassociateVpcCidrBlock",
                 "ec2:ModifySubnetAttribute",
                 "ec2:ModifyVpcAttribute",
                 "ecr:BatchCheckLayerAvailability",
diff --git a/stratio-docs/en/modules/ROOT/assets/attachments/stratio-eks-policy.json b/stratio-docs/en/modules/ROOT/assets/attachments/stratio-eks-policy.json
index c50e262ed0..9072f87210 100644
--- a/stratio-docs/en/modules/ROOT/assets/attachments/stratio-eks-policy.json
+++ b/stratio-docs/en/modules/ROOT/assets/attachments/stratio-eks-policy.json
@@ -54,6 +54,7 @@
               "ec2:CreateNatGateway",
               "ec2:CreateSecurityGroup",
               "ec2:DescribeVpcAttribute",
+              "ec2:DisassociateVpcCidrBlock",
               "ec2:ModifySubnetAttribute",
               "ec2:ModifyVpcAttribute",
               "ecr:BatchCheckLayerAvailability",
diff --git a/stratio-docs/es/modules/ROOT/assets/attachments/stratio-eks-policy.json b/stratio-docs/es/modules/ROOT/assets/attachments/stratio-eks-policy.json
index c50e262ed0..3d2d0b45c6 100644
--- a/stratio-docs/es/modules/ROOT/assets/attachments/stratio-eks-policy.json
+++ b/stratio-docs/es/modules/ROOT/assets/attachments/stratio-eks-policy.json
@@ -44,7 +44,7 @@
           "Action": [
               "ec2:AllocateAddress",
               "ec2:AssociateRouteTable",
-	      "ec2:AssociateVpcCidrBlock",
+	          "ec2:AssociateVpcCidrBlock",
               "ec2:AttachInternetGateway",
               "ec2:CreateVpc",
               "ec2:CreateRoute",
@@ -54,6 +54,7 @@
               "ec2:CreateNatGateway",
               "ec2:CreateSecurityGroup",
               "ec2:DescribeVpcAttribute",
+              "ec2:DisassociateVpcCidrBlock",
               "ec2:ModifySubnetAttribute",
               "ec2:ModifyVpcAttribute",
               "ecr:BatchCheckLayerAvailability",