From 9d5f3b70b0f3c036fa0ce4be93d97215df1ca754 Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Mon, 8 Jul 2024 15:40:32 +0100
Subject: [PATCH] Fix pull_from_ecr policy attachment for nodes

The existing policy attachment resource loop only supported AWS managed policies (as it assumes the structure of the ARN).
---
 terraform/deployments/cluster-infrastructure/main.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/terraform/deployments/cluster-infrastructure/main.tf b/terraform/deployments/cluster-infrastructure/main.tf
index 22ba83b90..42e2ab862 100644
--- a/terraform/deployments/cluster-infrastructure/main.tf
+++ b/terraform/deployments/cluster-infrastructure/main.tf
@@ -142,12 +142,16 @@ resource "aws_iam_policy" "pull_from_ecr" {
 policy = data.aws_iam_policy_document.pull_from_ecr.json
 }
 
+resource "aws_iam_role_policy_attachment" "pull_from_ecr" {
+ policy_arn = aws_iam_policy.pull_from_ecr.arn
+ role = aws_iam_role.node.name
+}
+
 resource "aws_iam_role_policy_attachment" "node" {
 for_each = toset([
 "AmazonEKSWorkerNodePolicy",
 "AmazonEKS_CNI_Policy",
 "AmazonSSMManagedInstanceCore",
- aws_iam_policy.pull_from_ecr.name,
 ])
 policy_arn = "arn:aws:iam::aws:policy/${each.key}"
 role = aws_iam_role.node.name
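Review bot: Nothing on the new `aws_iam_role_policy_attachment.pull_from_ecr` resource or above the `toset([...])` list in `node` records why this policy is attached separately, so the next customer managed policy could be added to the loop and hit the same wrong ARN. I would add a comment above the list such as `# AWS managed policies only: the ARN below is built as arn:aws:iam::aws:policy/<name>` and one on the new resource, `# Customer managed policy, so attach it by its real ARN`. Because this attachment puts the ECR pull policy on the node role, it is also worth confirming that `data.aws_iam_policy_document.pull_from_ecr` (not shown in this hunk) limits `resources` to the intended repositories, since anything able to use the node's instance credentials inherits it. The `node` resource's closing brace lies outside the hunk.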