update IAM policy template (kubernetes-sigs#3046)

kishorj · jdn5126 · Apollorion · web-flow · commit 8632213c9bad · 2023-02-22T19:59:06.000-08:00
* update IAM policy template

* Update docs/install/iam_policy_us-gov.json

Co-authored-by: Joey Stout &lt;joey@apollorion.com&gt;

* Update docs/install/iam_policy_cn.json

Co-authored-by: Joey Stout &lt;joey@apollorion.com&gt;

* fix upstream prow tests for 2.4 branch

set ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.20, since 2.4 branch uses go 1.19

---------

Co-authored-by: Jeff Nelson &lt;jdnelson@amazon.com&gt;
Co-authored-by: Joey Stout &lt;joey@apollorion.com&gt;
diff --git a/docs/install/iam_policy.json b/docs/install/iam_policy.json
@@ -177,6 +177,28 @@
                 "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
             ]
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags"
+            ],
+            "Resource": [
+                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "elasticloadbalancing:CreateAction": [
+                        "CreateTargetGroup",
+                        "CreateLoadBalancer"
+                    ]
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [
diff --git a/docs/install/iam_policy_cn.json b/docs/install/iam_policy_cn.json
@@ -177,6 +177,28 @@
                 "arn:aws-cn:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
             ]
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags"
+            ],
+            "Resource": [
+                "arn:aws-cn:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:aws-cn:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:aws-cn:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "elasticloadbalancing:CreateAction": [
+                        "CreateTargetGroup",
+                        "CreateLoadBalancer"
+                    ]
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [
diff --git a/docs/install/iam_policy_us-gov.json b/docs/install/iam_policy_us-gov.json
@@ -177,6 +177,28 @@
                 "arn:aws-us-gov:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
             ]
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags"
+            ],
+            "Resource": [
+                "arn:aws-us-gov:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:aws-us-gov:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:aws-us-gov:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "elasticloadbalancing:CreateAction": [
+                        "CreateTargetGroup",
+                        "CreateLoadBalancer"
+                    ]
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [
