From ed0809145a8bda30eb92f0cd37a9f495acb6c914 Mon Sep 17 00:00:00 2001
From: Rafi Greenberg
Date: Wed, 4 Jun 2025 09:21:33 -0400
Subject: [PATCH 1/2] fix: Update IAM permissions for load balancer controller 2.13.x

Latest release of AWS LBC (v2.13.x) adds this permission `ec2:DescribeRouteTables` Motivation and Context latest IAM Policy for AWS LBC: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json Breaking Changes No. How Has This Been Tested? I have updated at least one of the examples/* to demonstrate and validate my change(s) I have tested and validated these changes using one or more of the provided examples/* projects I have executed pre-commit run -a on my pull request Closes: https://github.com/terraform-aws-modules/terraform-aws-iam/issues/568
---
 modules/iam-role-for-service-accounts-eks/policies.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 3ca5fe9c..753d9a06 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -851,6 +851,7 @@ data "aws_iam_policy_document" "load_balancer_controller" {
       "ec2:DescribeVpcs",
       "ec2:DescribeVpcPeeringConnections",
       "ec2:DescribeSubnets",
+      "ec2:DescribeRouteTables",
       "ec2:DescribeSecurityGroups",
       "ec2:DescribeInstances",
       "ec2:DescribeNetworkInterfaces",

From 58807689dc96231f52e4d124a5b3caad5bbaeec0 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Wed, 4 Jun 2025 14:14:01 -0500
Subject: [PATCH 2/2] chore: Update policy by copy+paste from https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity/blob/6d4aa31990e4179640c869505169ebc78f200e10/aws_lb_controller.tf#L24-L278

Signed-off-by: Bryant Biggs
---
 .pre-commit-config.yaml                               |  2 +-
 modules/iam-role-for-service-accounts-eks/policies.tf | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7900442e..2c7d5334 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.0
+    rev: v1.99.1
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 753d9a06..bfa4fd3f 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -17,7 +17,6 @@ data "aws_iam_policy_document" "aws_gateway_controller" {
   }
 }
 
-
 resource "aws_iam_policy" "aws_gateway_controller" {
   count = var.create_role && var.attach_aws_gateway_controller_policy ? 1 : 0
 
@@ -851,7 +850,6 @@ data "aws_iam_policy_document" "load_balancer_controller" {
       "ec2:DescribeVpcs",
       "ec2:DescribeVpcPeeringConnections",
       "ec2:DescribeSubnets",
-      "ec2:DescribeRouteTables",
       "ec2:DescribeSecurityGroups",
       "ec2:DescribeInstances",
       "ec2:DescribeNetworkInterfaces",
@@ -860,6 +858,7 @@ data "aws_iam_policy_document" "load_balancer_controller" {
       "ec2:DescribeCoipPools",
       "ec2:GetSecurityGroupsForVpc",
       "ec2:DescribeIpamPools",
+      "ec2:DescribeRouteTables",
       "elasticloadbalancing:DescribeLoadBalancers",
       "elasticloadbalancing:DescribeLoadBalancerAttributes",
       "elasticloadbalancing:DescribeListeners",
@@ -904,6 +903,12 @@ data "aws_iam_policy_document" "load_balancer_controller" { actions = [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", + ] resources = ["*"] } + statement { actions = [ "ec2:CreateSecurityGroup", ] resources = ["*"]
@@ -963,7 +968,6 @@ data "aws_iam_policy_document" "load_balancer_controller" {
 
   statement {
     actions = [
-      "elasticloadbalancing:AddTags",
       "elasticloadbalancing:CreateLoadBalancer",
       "elasticloadbalancing:CreateTargetGroup",
     ]
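Review bot: The `ec2:DescribeRouteTables` entry that the hunk at @@ -851 removes is only being moved here to match the upstream ordering, yet nothing in the document records which upstream release this Describe statement mirrors, so the next permission drift has no baseline to be checked against. A comment above the statement such as `# Mirrors kubernetes-sigs/aws-load-balancer-controller docs/install/iam_policy.json (v2.13.x)` would give that baseline; the statement header is outside the hunk.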
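Review bot: After the split in the hunk at @@ -904, `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` stand in a statement of their own on `resources = ["*"]` with no condition (its closing `}` is among the added lines), so the change does not narrow what the role can do; it only mirrors the upstream layout. I believe the upstream policy also carries a second, tag-conditioned statement for the same two actions, so a comment on this one stating why an unconditioned grant across every security group in the account is required would stop a later reader from "fixing" it. The opening `statement {` lies outside the hunk, as does anything that may follow the second statement's `resources = ["*"]`.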
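Review bot: Dropping `elasticloadbalancing:AddTags` from the CreateLoadBalancer/CreateTargetGroup statement in the hunk at @@ -963 (and from the CreateListener/CreateRule statement at @@ -978) keeps tag-on-create working only if another statement grants AddTags with a condition on `elasticloadbalancing:CreateAction` for those create calls, as the upstream policy does; as I understand it, ELBv2 create calls that carry tags are denied without it, and the controller tags what it creates with `elbv2.k8s.aws/cluster`. That conditioned statement is not in either hunk, so please confirm it exists in this file before merging. The statements' `resources` and any `condition` blocks are also outside the hunks, so whether they match upstream cannot be checked here.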
@@ -978,7 +982,6 @@ data "aws_iam_policy_document" "load_balancer_controller" {
 
   statement {
     actions = [
-      "elasticloadbalancing:AddTags",
       "elasticloadbalancing:CreateListener",
       "elasticloadbalancing:DeleteListener",
       "elasticloadbalancing:CreateRule",