feat: Add back in CloudWatch log group create deny policy to cluster IAM role

[bryantbiggs]

Description

• Add back in CloudWatch log group create deny policy to cluster IAM role. A note has been added and reference to original issue to better explain the issue that is being solved

Motivation and Context

• Relates to a prior issue Cloudwatch Log Group created with options does not get auto destroyed #920 and uses a similar solution fix: Added Deny for CreateLogGroup action in EKS cluster role #1594

Breaking Changes

• No; to users the change will be functionally transparent but will show up in the next subsequent plan (if their use case creates an IAM role and CloudWatch log group)

How Has This Been Tested?

• I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • Already in place
• I have tested and validated these changes using one or more of the provided examples/* projects
  • Validated with examples/eks_managed_node_group
• I have executed pre-commit run -a on my pull request

[antonbabenko]

Cool solution!

[antonbabenko]

This PR is included in version 18.17.0 🎉

[james-callahan]

For some reason terraform keeps showing this field as wanting to change; even after applying

  # module.eks.aws_iam_role.this[0] will be updated in-place
  ~ resource "aws_iam_role" "this" {
        # (13 unchanged attributes hidden)

      - inline_policy {}
      + inline_policy {
          + name   = "my-cluster"
          + policy = jsonencode(
                {
                  + Statement = [
                      + {
                          + Action   = [
                              + "logs:CreateLogGroup",
                            ]
                          + Effect   = "Deny"
                          + Resource = "arn:aws:logs:us-east-2:XXXXXXXXX:log-group:/aws/eks/my/cluster"
                        },
                    ]
                  + Version   = "2012-10-17"
                }
            )
        }
      + inline_policy {}
    }

[macropin]

I note that this is implemented as an inline policy. The original implementation (#1594) used an attached policy.

Inline policies should not be used as they are not compliant with the CIS AWS Foundations Benchmark security standard.

This should be reverted to the original implementation.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.