Update IAM policy template

eduardoweiland · eduardoweiland · commit 470bcc2e528d · 2023-07-28T15:15:06.000-03:00
This is the same fix included upstream kubernetes-sigs/aws-load-balancer-controller#3046
diff --git a/iam.tf b/iam.tf
@@ -268,6 +268,39 @@ data "aws_iam_policy_document" "lb_controller" {
     effect = "Allow"
   }
 
+  statement {
+    actions = [
+      "elasticloadbalancing:AddTags"
+    ]
+
+    resources = [
+      "arn:${var.arn_format}:elasticloadbalancing:*:*:targetgroup/*/*",
+      "arn:${var.arn_format}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+      "arn:${var.arn_format}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "elasticloadbalancing:CreateAction"
+
+      values = [
+        "CreateTargetGroup",
+        "CreateLoadBalancer"
+      ]
+    }
+
+    condition {
+      test     = "Null"
+      variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
+
+      values = [
+        "false"
+      ]
+    }
+
+    effect = "Allow"
+  }
+
   statement {
     actions = [
       "elasticloadbalancing:ModifyLoadBalancerAttributes",
@@ -368,4 +401,4 @@ resource "aws_iam_role_policy_attachment" "lb_controller" {
   count      = var.enabled ? 1 : 0
   role       = aws_iam_role.lb_controller[0].name
   policy_arn = aws_iam_policy.lb_controller[0].arn
-}
+}
