Explicitly grant ELB AddTags permission

acdha · web-flow · commit 7fbe7ec9decc · 2023-05-19T10:01:40.000-04:00
As per AWS customer notifications, the elasticloadbalancing:AddTags permission will be required soon for anyone calling CreateLoadBalancer with tags:

&gt; On June 1, 2023, we will be adding an additional layer of security to ELB ‘Create*' API calls where API callers must have explicit access to add tags in their Identity and Access Management (IAM) policy [1]. Currently, access to attach tags was implicitly granted with access to 'Create*' APIs. … We will be allowing 'Create*' API calls with the current policy to be accepted until August 30, 2023. After this date, the 'Create*' API call will fail and return an error if the the attribute is specified and permission is not granted.
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -795,6 +795,7 @@ data "aws_iam_policy_document" "load_balancer_controller" {
 
   statement {
     actions = [
+      "elasticloadbalancing:AddTags",
       "elasticloadbalancing:CreateLoadBalancer",
       "elasticloadbalancing:CreateTargetGroup",
     ]

Original file line number	Diff line number	Diff line change
`@@ -795,6 +795,7 @@ data "aws_iam_policy_document" "load_balancer_controller" {`
`795`	`795`
`796`	`796`	`statement {`
`797`	`797`	`actions = [`
	`798`	`+ "elasticloadbalancing:AddTags",`
`798`	`799`	`"elasticloadbalancing:CreateLoadBalancer",`
`799`	`800`	`"elasticloadbalancing:CreateTargetGroup",`
`800`	`801`	`]`