From a272574a5f9ac13fcf0f7c46d15a0de4ea62799b Mon Sep 17 00:00:00 2001
From: Brent Bain
Date: Thu, 5 Sep 2024 10:28:08 -0800
Subject: [PATCH] upd: aws-anyscale-iam - EKS Node S3 access
Changes to be committed:
modified: modules/aws-anyscale-iam/README.md
modified: modules/aws-anyscale-iam/eks-iam-main.tf
modified: modules/aws-anyscale-iam/eks-node.tfpl
---
modules/aws-anyscale-iam/README.md | 1 +
modules/aws-anyscale-iam/eks-iam-main.tf | 6 ++++++
modules/aws-anyscale-iam/eks-node.tfpl | 2 +-
3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/modules/aws-anyscale-iam/README.md b/modules/aws-anyscale-iam/README.md
index b271b1a..6a0d4f5 100644
--- a/modules/aws-anyscale-iam/README.md
+++ b/modules/aws-anyscale-iam/README.md
@@ -58,6 +58,7 @@ No modules.
 | [aws_iam_role_policy_attachment.anyscale_eks_node_amazonekscnipolicy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_eks_node_amazoneksworkernodepolicy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_eks_node_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.anyscale_eks_node_s3access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_iam_role_container_registry_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_iam_role_custom_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.anyscale_iam_role_servicesv2_policy_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/modules/aws-anyscale-iam/eks-iam-main.tf b/modules/aws-anyscale-iam/eks-iam-main.tf
index 229e7d2..1aa6ec0 100644
--- a/modules/aws-anyscale-iam/eks-iam-main.tf
+++ b/modules/aws-anyscale-iam/eks-iam-main.tf
@@ -115,6 +115,12 @@ resource "aws_iam_role_policy_attachment" "anyscale_eks_node_amazonec2containerr
 role = aws_iam_role.eks_node_role[0].name
 }
+resource "aws_iam_role_policy_attachment" "anyscale_eks_node_s3access" {
+ count = local.create_eks_node_role ? 1 : 0
+
+ policy_arn = aws_iam_policy.anyscale_s3_access_policy[0].arn
+ role = aws_iam_role.eks_node_role[0].name
+}
 # ---------------------------
 # EKS EBS CSI Driver Role
diff --git a/modules/aws-anyscale-iam/eks-node.tfpl b/modules/aws-anyscale-iam/eks-node.tfpl
index a833776..3420ab9 100644
--- a/modules/aws-anyscale-iam/eks-node.tfpl
+++ b/modules/aws-anyscale-iam/eks-node.tfpl
@@ -3,7 +3,7 @@
 "Statement" : [
 %{ if anyscale_efs_arn != "none" }
 {
- "Sid": "S3BucketAccess",
+ "Sid": "EFSAccess",
 "Effect" : "Allow",
 "Action" : [
 "elasticfilesystem:ClientMount",
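Review bot: The new `anyscale_eks_node_s3access` attachment in eks-iam-main.tf indexes `aws_iam_policy.anyscale_s3_access_policy[0]` but is gated only on `local.create_eks_node_role`. The policy's own `count` is not visible in this hunk; if it is created under a different condition, the plan will fail with an invalid index whenever the node role exists without the policy. The attachment's count should combine both conditions, for example `count = local.create_eks_node_role && <condition-that-creates-anyscale_s3_access_policy> ? 1 : 0`. Granting bucket access through the node role also means every pod that can reach the instance metadata service on those nodes inherits the same S3 permissions. A comment above the resource would record that trade-off, such as `# S3 access on the node role is shared by all pods on the node; scope per workload with IRSA or EKS Pod Identity where possible`.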