feat: Add wafv2:ListWebACLs permission for ALB controller
#47 (+1 −0)
Description
The AWS Load Balancer Controller requires the `wafv2:ListWebACLs` permission to resolve WAF ACL names to ARNs when using the `wafv2-acl-name` annotation. Without this permission, the controller cannot find the WAF ACL by name, resulting in ingress creation failures.
This change adds the missing permission to the IAM policy for the aws-load-balancer-controller service account.
Motivation and Context
This change is required since AWS Load Balancer Controller v2.14+ supports referencing WAF ACLs by name via the `alb.ingress.kubernetes.io/wafv2-acl-name` annotation instead of requiring ARNs. This simplifies configuration management as WAF ACL names are static while ARNs can change across environments.
The controller needs the `wafv2:ListWebACLs` permission to query the WAF API and resolve the ACL name to its ARN before associating it with the load balancer. This permission complements the existing `wafv2:GetWebACL`, `wafv2:AssociateWebACL`, and `wafv2:DisassociateWebACL` permissions already present in the policy.
Breaking Changes
No breaking changes. This is an additive change that expands the existing WAFv2 permissions to enable name-based WAF ACL references.
How Has This Been Tested?
- `examples/*` updated to demonstrate and validate my change(s)
- Tested using the `examples/*` projects
- `wafv2-acl-name` annotations successfully resolve and associate WAF ACLs
- `pre-commit run -a` executed on my pull request
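A practical way to catch this class of gap before an ingress fails is to lint the controller's IAM policy document for the WAFv2 actions it needs. The following is an added example, not code from this pull request or from the project it targets: a small policy checker that evaluates IAM `Action`/`NotAction` wildcards (`wafv2:*`, `wafv2:List*`), honours explicit `Deny`, and reports which required actions are missing. The two policy documents it parses are constructed here to resemble the before/after state described above; `REQUIRED_WAFV2_ACTIONS` lists the four actions named in the description and is an assumption about the controller's needs, not a definitive list.

```python
import fnmatch
import json

# Constructed sample: the WAFv2 statement before this change (ListWebACLs absent).
POLICY_BEFORE_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wafv2:GetWebACL",
        "wafv2:AssociateWebACL",
        "wafv2:DisassociateWebACL"
      ],
      "Resource": "*"
    }
  ]
}
"""

# Constructed sample: the same statement after adding wafv2:ListWebACLs.
POLICY_AFTER_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wafv2:GetWebACL",
        "wafv2:ListWebACLs",
        "wafv2:AssociateWebACL",
        "wafv2:DisassociateWebACL"
      ],
      "Resource": "*"
    }
  ]
}
"""

# Assumed set of WAFv2 actions the controller needs for name-based ACL references.
REQUIRED_WAFV2_ACTIONS = (
    "wafv2:GetWebACL",
    "wafv2:ListWebACLs",
    "wafv2:AssociateWebACL",
    "wafv2:DisassociateWebACL",
)


def load_policy(text):
    """Parse an IAM policy document from its JSON text."""
    return json.loads(text)


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action):
    """True if the statement's Action/NotAction covers `action`.

    IAM action matching is case-insensitive and supports '*' and '?' wildcards,
    which fnmatch handles once both sides are lower-cased.
    """
    act = action.lower()
    if "NotAction" in stmt:
        patterns = [p.lower() for p in _as_list(stmt["NotAction"])]
        return not any(fnmatch.fnmatchcase(act, p) for p in patterns)
    patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
    return any(fnmatch.fnmatchcase(act, p) for p in patterns)


def action_allowed(policy, action):
    """Return True if some Allow statement grants `action` and no Deny revokes it.

    Resource and Condition elements are deliberately ignored: this is a lint for
    missing actions, not a full authorization simulation.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_matches(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_WAFV2_ACTIONS):
    """List the required actions the policy does not grant, in the given order."""
    return [a for a in required if not action_allowed(policy, a)]


if __name__ == "__main__":
    for label, text in (("before", POLICY_BEFORE_JSON), ("after", POLICY_AFTER_JSON)):
        gaps = missing_actions(load_policy(text))
        print(f"{label}: missing {gaps or 'nothing'}")
```

Running the block prints that the "before" policy is missing `wafv2:ListWebACLs` and the "after" policy is complete. Because `Resource` and `Condition` are ignored, treat a clean result as necessary but not sufficient; the IAM policy simulator remains the authoritative check for a live role.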