From 0800a25d9f181b4d42dd3681d92e51462ee8320c Mon Sep 17 00:00:00 2001
From: Martin Proffitt
Date: Fri, 2 Aug 2024 15:28:03 +0200
Subject: [PATCH] Add ReplaceRoute to the capa-controller-policy

In certain circumstances, CAPA tries to replace routes but gets blocked by IAM policy. This causes nodes to spin up in a `not-ready` state changelog
---
 CHANGELOG.md | 2 ++
 capa-controller-role/capa-controller-policy.json | 1 +
 2 files changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82dc123..9019c6f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
+- Add `ec2:ReplaceRoute` permissions to the CAPA controller role
+
 ### Added
 
 - For cluster cleanup purposes, add the permissions `s3:GetBucketTagging` and `s3:ListAllMyBuckets` in order to scan for buckets owned by a management/workload cluster. Those buckets may not have a fixed name pattern (e.g. include AWS region or other dynamic string) and therefore searching by "owned" tag allows us to find and delete all such resources.
diff --git a/capa-controller-role/capa-controller-policy.json b/capa-controller-role/capa-controller-policy.json
index e2ddd69..72bd728 100644
--- a/capa-controller-role/capa-controller-policy.json
+++ b/capa-controller-role/capa-controller-policy.json
@@ -56,6 +56,7 @@
 "ec2:ModifyNetworkInterfaceAttribute",
 "ec2:ModifySubnetAttribute",
 "ec2:ReleaseAddress",
+ "ec2:ReplaceRoute",
 "ec2:RevokeSecurityGroupIngress",
 "ec2:RevokeSecurityGroupEgress",
 "ec2:RunInstances",
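Review bot: The new `"ec2:ReplaceRoute"` entry inherits whatever `Resource` scope the enclosing statement in capa-controller-policy.json has, and that scope is outside the hunk; `ec2:ReplaceRoute` can overwrite the target of any route in a route table the principal can reach, so if the statement is `"Resource": "*"` the controller gains the ability to redirect traffic in route tables of unrelated VPCs in the account. If the statement is unscoped, consider a condition that restricts the action to cluster-owned route tables (for example an `aws:ResourceTag/<CLUSTER_OWNED_TAG_KEY>` condition, placeholder key) or confirm in the PR that the existing statement already carries such a condition. The description says CAPA "tries to replace routes" without naming the path; a short comment in the changelog or PR stating which reconcile step issues ReplaceRoute (and that the symptom is nodes stuck `not-ready`) would let a later audit verify the permission is still needed. The changelog bullet is also placed above the `### Added` heading rather than under it, so it will not appear in the "Added" section when the release is cut.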