duplicate volume statement for serviceaccunt

eks-cluster-autoscaler-clusterrolebinding.tf

 resource "kubernetes_cluster_role" "cluster_autoscaler_clusterrole" {
   metadata {
-    name = "autoscaler-svc-acc"
+    name = "cluster-autoscaler-svc-acc"
   }
 
   rule {
     api_groups = [""]
     resources  = ["events", "endpoints"]
     verbs      = ["create", "patch"]
+  }
 
+  rule {
     api_groups = [""]
     resources  = ["pods/eviction"]
     verbs      = ["create"]
+  }
 
+  rule {
     api_groups = [""]
     resources  = ["pods/status"]
     verbs      = ["update"]
+  }
 
-    api_groups = [""]
-    resources  = ["endpoints"]
-    verbs      = ["get", "update"]
+  rule {
+    api_groups     = [""]
+    resources      = ["endpoints"]
+    resource_names = ["cluster-autoscaler"]
+    verbs          = ["get", "update"]
+  }
 
+  rule {
     api_groups = [""]
     resources  = ["nodes"]
     verbs      = ["watch", "list", "get", "update"]
+  }
 
+  rule {
     api_groups = [""]
-    resources  = ["pods", "services", "replicationControllers", "persistentvolumeclaims", "persistentvolumes"]
+    resources  = ["pods", "services", "replicationcontrollers", "persistentvolumeclaims", "persistentvolumes"]
     verbs      = ["watch", "list", "get"]
+  }
 
+  rule {
     api_groups = ["batch"]
     resources  = ["jobs", "cronjobs"]
     verbs      = ["watch", "list", "get"]
+  }
 
+  rule {
     api_groups = ["extensions"]
     resources  = ["replicasets", "daemonsets"]
     verbs      = ["watch", "list", "get"]
+  }
 
+  rule {
     api_groups = ["policy"]
-    resources  = ["poddistruptionpolicy"]
+    resources  = ["poddisruptionbudgets"]
     verbs      = ["watch", "list"]
+  }
 
+  rule {
     api_groups = ["apps"]
-    resources  = ["replicasets", "statefulsets"]
+    resources  = ["replicasets", "statefulsets", "daemonsets"]
     verbs      = ["watch", "list", "get"]
+  }
+
+  rule {
+    api_groups     = [""]
+    resources      = ["configmaps"]
+    resource_names = ["cluster-autoscaler-status"]
+    verbs          = ["get", "delete", "update"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["configmaps"]
+    verbs      = ["create"]
+  }
 
-    api_groups = ["storage"]
-    resources  = ["storageclass"]
+  rule {
+    api_groups = ["storage.k8s.io"]
+    resources  = ["storageclasses"]
     verbs      = ["watch", "list", "get"]
   }
 }
 
-resource "kubernetes_cluster_role_binding" "external_dns_role_bind" {
+resource "kubernetes_role" "autoscaler_role" {
+  metadata {
+    name = "cluster-autoscaler-svc-acc"
+
+    labels {
+      "k8s-addon" = "cluster-autoscaler.addons.k8s.io"
+      "k8s-app"   = "cluster-autoscaler"
+    }
+  }
+
+  rule {
+    api_groups     = [""]
+    resources      = ["configmaps"]
+    resource_names = ["cluster-autoscaler-status"]
+    verbs          = ["get", "delete", "update"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["configmaps"]
+    verbs      = ["create"]
+  }
+}
+
+resource "kubernetes_role_binding" "cluster_autoscaler_role_bind" {
   metadata {
-    name = "autoscaler-svc-acc"
+    name = "cluster-autoscaler-svc-acc"
   }
 
   role_ref {
     api_group = "rbac.authorization.k8s.io"
-    kind      = "ClusterRole"
-    name      = "cluster-autoscaler"
+    kind      = "Role"
+    name      = "cluster-autoscaler-svc-acc"
   }
 
   subject {
     kind      = "ServiceAccount"
-    name      = "autoscaler-svc-acc"
+    name      = "cluster-autoscaler-svc-acc"
     namespace = "kube-system"
     api_group = ""
   }
+}
 
-  subject {
-    kind      = "Group"
-    name      = "system:serviceaccount"
+resource "kubernetes_cluster_role_binding" "cluster_autoscaler_clusterrole_bind" {
+  metadata {
+    name = "cluster-autoscaler-svc-acc"
+  }
+
+  role_ref {
     api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-autoscaler-svc-acc"
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = "cluster-autoscaler-svc-acc"
+    namespace = "kube-system"
+    api_group = ""
   }
 }

eks-cluster-autoscaler.tf

@@ -36,15 +36,18 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" {
 
         volume {
           name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}"
-          name = "autoscaler-ssl-volume"
 
           secret {
             secret_name = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}"
           }
         }
 
+        volume {
+          name = "autoscaler-ssl-volume"
+        }
+
         container {
-          image             = "k8s.gcr.io/cluster-autoscaler:v1.13.1"
+          image             = "k8s.gcr.io/cluster-autoscaler:v1.3.6"
           name              = "cluster-autoscaler-container"
           image_pull_policy = "IfNotPresent"
           args              = ["./cluster-autoscaler", "--cloud-provider=aws", "--node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled", "--skip-nodes-with-local-storage=false", "--stderrthreshold=info", "--expander=least-waste", "--v=4"]
@@ -53,8 +56,10 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" {
             mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
             name       = "${kubernetes_service_account.cluster_autoscaler_service_account.default_secret_name}"
             read_only  = true
+          }
 
-            mount_path = "/etc/ssl/certs/"
+          volume_mount {
+            mount_path = "/etc/ssl/certs/ca-bundle.crt"
             name       = "autoscaler-ssl-volume"
             read_only  = true
           }
@@ -69,6 +74,11 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" {
           port {
             container_port = 8085
           }
+
+          env {
+            name  = "AWS_REGION"
+            value = "us-east-1"
+          }
         }
       }
     }