feat: Added variable load_balancer_controller_targetgroup_arns in iam-role-for-service-accounts-eks module (#402)

Co-authored-by: Anton Babenko <[email protected]>

Author: yutachaos

modules/iam-role-for-service-accounts-eks/README.md

@@ -221,6 +221,7 @@ No modules.
 | <a name="input_karpenter_sqs_queue_arn"></a> [karpenter\_sqs\_queue\_arn](#input\_karpenter\_sqs\_queue\_arn) | (Optional) ARN of SQS used by Karpenter when native node termination handling is enabled | `string` | `null` | no |
 | <a name="input_karpenter_subnet_account_id"></a> [karpenter\_subnet\_account\_id](#input\_karpenter\_subnet\_account\_id) | Account ID of where the subnets Karpenter will utilize resides. Used when subnets are shared from another account | `string` | `""` | no |
 | <a name="input_karpenter_tag_key"></a> [karpenter\_tag\_key](#input\_karpenter\_tag\_key) | Tag key (`{key = value}`) applied to resources launched by Karpenter through the Karpenter provisioner | `string` | `"karpenter.sh/discovery"` | no |
+| <a name="input_load_balancer_controller_targetgroup_arns"></a> [load\_balancer\_controller\_targetgroup\_arns](#input\_load\_balancer\_controller\_targetgroup\_arns) | List of Target groups ARNs using Load Balancer Controller | `list(string)` | <pre>[<br>  "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"<br>]</pre> | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
 | <a name="input_node_termination_handler_sqs_queue_arns"></a> [node\_termination\_handler\_sqs\_queue\_arns](#input\_node\_termination\_handler\_sqs\_queue\_arns) | List of SQS ARNs that contain node termination events | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_oidc_providers"></a> [oidc\_providers](#input\_oidc\_providers) | Map of OIDC providers where each provider map should contain the `provider`, `provider_arn`, and `namespace_service_accounts` | `any` | `{}` | no |

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -1003,13 +1003,20 @@ data "aws_iam_policy_document" "load_balancer_controller_targetgroup_only" {
       "ec2:RevokeSecurityGroupIngress",
       "elasticloadbalancing:DescribeTargetGroups",
       "elasticloadbalancing:DescribeTargetHealth",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
       "elasticloadbalancing:ModifyTargetGroup",
       "elasticloadbalancing:ModifyTargetGroupAttributes",
       "elasticloadbalancing:RegisterTargets",
       "elasticloadbalancing:DeregisterTargets",
     ]
 
-    resources = ["*"]
+    resources = var.load_balancer_controller_targetgroup_arns
   }
 }
 

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -261,6 +261,12 @@ variable "attach_load_balancer_controller_targetgroup_binding_only_policy" {
   default     = false
 }
 
+variable "load_balancer_controller_targetgroup_arns" {
+  description = "List of Target groups ARNs using Load Balancer Controller"
+  type        = list(string)
+  default     = ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"]
+}
+
 # AWS Appmesh Controller
 variable "attach_appmesh_controller_policy" {
   description = "Determines whether to attach the Appmesh Controller policy to the role"

wrappers/iam-role-for-service-accounts-eks/main.tf

@@ -44,6 +44,7 @@ module "wrapper" {
   karpenter_sqs_queue_arn                                         = try(each.value.karpenter_sqs_queue_arn, var.defaults.karpenter_sqs_queue_arn, null)
   attach_load_balancer_controller_policy                          = try(each.value.attach_load_balancer_controller_policy, var.defaults.attach_load_balancer_controller_policy, false)
   attach_load_balancer_controller_targetgroup_binding_only_policy = try(each.value.attach_load_balancer_controller_targetgroup_binding_only_policy, var.defaults.attach_load_balancer_controller_targetgroup_binding_only_policy, false)
+  load_balancer_controller_targetgroup_arns                       = try(each.value.load_balancer_controller_targetgroup_arns, var.defaults.load_balancer_controller_targetgroup_arns, ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"])
   attach_appmesh_controller_policy                                = try(each.value.attach_appmesh_controller_policy, var.defaults.attach_appmesh_controller_policy, false)
   attach_appmesh_envoy_proxy_policy                               = try(each.value.attach_appmesh_envoy_proxy_policy, var.defaults.attach_appmesh_envoy_proxy_policy, false)
   attach_amazon_managed_service_prometheus_policy                 = try(each.value.attach_amazon_managed_service_prometheus_policy, var.defaults.attach_amazon_managed_service_prometheus_policy, false)