@@ -28,18 +28,32 @@ module "alb_controller" {
2828 iam_role_enabled = true
2929 # https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.1/docs/install/iam_policy.json
3030 iam_policy_statements =
31+ {
32+ sid = " AllowCreateServiceLinkedRole"
33+ effect = " Allow"
34+ resources = [" *"
35+
36+ actions = [" iam:CreateServiceLinkedRole"
37+ conditions = [
38+ {
39+ test = " StringEquals"
40+ variable = " AWSServiceName"
41+ values = [" elasticloadbalancing.amazonaws.com"
42+ }
43+ ]
44+ },
3145 {
3246 sid = " AllowManageCompute"
3347 effect = " Allow"
3448 resources = [" *"
3549
3650 actions = [
37- " iam:CreateServiceLinkedRole"
3851 " ec2:DescribeAccountAttributes"
3952 " ec2:DescribeAddresses"
4053 " ec2:DescribeAvailabilityZones"
4154 " ec2:DescribeInternetGateways"
4255 " ec2:DescribeVpcs"
56+ " ec2:DescribeVpcPeeringConnections"
4357 " ec2:DescribeSubnets"
4458 " ec2:DescribeSecurityGroups"
4559 " ec2:DescribeInstances"
@@ -259,6 +273,37 @@ module "alb_controller" {
259273 }
260274 ]
261275 },
276+ {
277+ sid = " AllowAddTagsOnCreate"
278+ effect = " Allow"
279+
280+ resources = [
281+ " arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
282+ " arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*"
283+ " arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
284+ ]
285+
286+ actions = [" elasticloadbalancing:AddTags"
287+
288+ conditions = [
289+ {
290+ test = " StringEquals"
291+ variable = " elasticloadbalancing:CreateAction"
292+
293+ values = [
294+ " CreateTargetGroup"
295+ " CreateLoadBalancer"
296+ # See https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2692#issuecomment-1426242236
297+ " CreateListener"
298+ ]
299+ },
300+ {
301+ test = " Null"
302+ variable = " aws:RequestTag/elbv2.k8s.aws/cluster"
303+ values = [" false"
304+ }
305+ ]
306+ },
262307 {
263308 sid = " AllowRegisterTargets"
264309 effect = " Allow"
0 commit comments