From 992e04569b85a58e0166fc98f6a007428fe3d291 Mon Sep 17 00:00:00 2001
From: Ramazan Kara
Date: Wed, 12 Nov 2025 15:58:39 +0100
Subject: [PATCH] feat: add wafv2:ListWebACLs permission for ALB controller

The AWS Load Balancer Controller requires the wafv2:ListWebACLs permission to resolve WAF ACL names to ARNs when using the wafv2-acl-name annotation. Without this permission, the controller cannot find the WAF ACL by name, resulting in ingress creation failures. This change adds the missing permission to the IAM policy for the aws-load-balancer-controller service account.
---
 aws_lb_controller.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aws_lb_controller.tf b/aws_lb_controller.tf
index 22bb645..9ebaab2 100644
--- a/aws_lb_controller.tf
+++ b/aws_lb_controller.tf
@@ -71,6 +71,7 @@ data "aws_iam_policy_document" "lb_controller" {
 "wafv2:GetWebACLForResource",
 "wafv2:AssociateWebACL",
 "wafv2:DisassociateWebACL",
+ "wafv2:ListWebACLs",
 "shield:GetSubscriptionState",
 "shield:DescribeProtection",
 "shield:CreateProtection",
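Review bot: The new `"wafv2:ListWebACLs"` entry carries no comment explaining why a list-wide permission is being granted, and the reason only lives in the commit message; I would put it next to the action so the next person tightening this policy does not drop it, e.g. `# Needed to resolve alb.ingress.kubernetes.io/wafv2-acl-name to an ARN; ListWebACLs has no resource type in the WAFv2 IAM reference, so it cannot be narrowed below "*".` on the line above `"wafv2:ListWebACLs",`. Note also that name-based resolution means anyone who can set that annotation on an Ingress can have the controller associate any WebACL in the account and region, so if the enclosing statement's `resources` is a bare `"*"` (it is outside this hunk, so I cannot tell), it may be worth keeping the unscoped List action in its own statement while restricting `GetWebACL`/`AssociateWebACL`/`DisassociateWebACL` to the specific WebACL and load-balancer ARNs this cluster is expected to use. The `actions` list and the `data "aws_iam_policy_document" "lb_controller"` block both start and end outside the hunk.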