Merge pull request #83 from worldcoin/INFRA-5911-create-short-AWS-LB-Controller-role

danielllek · web-flow · commit 8cbb6f8d4ca3 · 2026-02-23T11:29:54.000+01:00
INFRA-5911 Fix AWS LB Controller for clusters with long names
diff --git a/iam-aws-load-balancer.tf b/iam-aws-load-balancer.tf
@@ -343,6 +343,20 @@ resource "aws_iam_role_policy" "aws_load_balancer" {
   policy = data.aws_iam_policy_document.aws_load_balancer.json
 }
 
+resource "aws_iam_role" "aws_lbc" {
+  count              = var.aws_load_balancer_iam_role_enabled ? 1 : 0
+  name               = "aws-lbc-${var.cluster_name}"
+  path               = "/system/"
+  assume_role_policy = data.aws_iam_policy_document.aws_load_balancer_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy" "aws_lbc" {
+  count  = var.aws_load_balancer_iam_role_enabled ? 1 : 0
+  name   = "aws-lbc-${var.cluster_name}"
+  role   = aws_iam_role.aws_lbc[0].id
+  policy = data.aws_iam_policy_document.aws_load_balancer.json
+}
+
 moved {
   from = aws_iam_role.aws_load_balancer
   to   = aws_iam_role.aws_load_balancer[0]
diff --git a/main.tf b/main.tf
@@ -65,13 +65,13 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {
 }
 
 data "aws_iam_roles" "aws_load_balancer_controller" {
-  name_regex  = "^aws-load-balancer-controller-${var.cluster_name}$"
+  name_regex  = "^(aws-load-balancer-controller|aws-lbc)-${var.cluster_name}$"
   path_prefix = "/system/"
 }
 
 locals {
   aws_load_balancer_controller_role_exists = var.enable_aws_load_balancer_controller_explicit_deny ? length(data.aws_iam_roles.aws_load_balancer_controller.names) > 0 : false
-  aws_load_balancer_controller_role_name   = local.aws_load_balancer_controller_role_exists ? sort(tolist(data.aws_iam_roles.aws_load_balancer_controller.names))[0] : null
+  aws_load_balancer_controller_role_names  = local.aws_load_balancer_controller_role_exists ? toset(data.aws_iam_roles.aws_load_balancer_controller.names) : toset([])
 }
 
 data "aws_iam_policy_document" "aws_load_balancer_controller_explicit_deny" {
@@ -84,14 +84,14 @@ data "aws_iam_policy_document" "aws_load_balancer_controller_explicit_deny" {
 
 resource "aws_iam_policy" "aws_load_balancer_controller_explicit_deny" {
   count  = local.aws_load_balancer_controller_role_exists ? 1 : 0
-  name   = "aws-load-balancer-controller-${var.cluster_name}-explicit-deny-elb"
+  name   = "aws-lbc-${var.cluster_name}-explicit-deny-elb"
   path   = "/system/"
   policy = data.aws_iam_policy_document.aws_load_balancer_controller_explicit_deny.json
 }
 
 resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller_explicit_deny" {
-  count      = local.aws_load_balancer_controller_role_exists ? 1 : 0
-  role       = local.aws_load_balancer_controller_role_name
+  for_each   = local.aws_load_balancer_controller_role_names
+  role       = each.value
   policy_arn = aws_iam_policy.aws_load_balancer_controller_explicit_deny[0].arn
 }
-  
+  
diff --git a/variables.tf b/variables.tf
@@ -7,8 +7,8 @@ variable "cluster_name" {
   description = "The name of the cluster. Has to be unique per region per account."
   type        = string
   validation {
-    condition     = can(regex("\\w-", var.cluster_name))
-    error_message = "Cluster name must be lowercase alphanumeric characters"
+    condition     = can(regex("^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", var.cluster_name)) && length(var.cluster_name) <= 48
+    error_message = "Cluster name must contain only lowercase alphanumeric characters or hyphens and be at most 48 characters long"
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -65,13 +65,13 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`data "aws_iam_roles" "aws_load_balancer_controller" {`
`68`		`- name_regex = "^aws-load-balancer-controller-${var.cluster_name}$"`
	`68`	`+ name_regex = "^(aws-load-balancer-controller\|aws-lbc)-${var.cluster_name}$"`
`69`	`69`	`path_prefix = "/system/"`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`locals {`
`73`	`73`	`aws_load_balancer_controller_role_exists = var.enable_aws_load_balancer_controller_explicit_deny ? length(data.aws_iam_roles.aws_load_balancer_controller.names) > 0 : false`
`74`		`- aws_load_balancer_controller_role_name = local.aws_load_balancer_controller_role_exists ? sort(tolist(data.aws_iam_roles.aws_load_balancer_controller.names))[0] : null`
	`74`	`+ aws_load_balancer_controller_role_names = local.aws_load_balancer_controller_role_exists ? toset(data.aws_iam_roles.aws_load_balancer_controller.names) : toset([])`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`data "aws_iam_policy_document" "aws_load_balancer_controller_explicit_deny" {`
`@@ -84,14 +84,14 @@ data "aws_iam_policy_document" "aws_load_balancer_controller_explicit_deny" {`
`84`	`84`
`85`	`85`	`resource "aws_iam_policy" "aws_load_balancer_controller_explicit_deny" {`
`86`	`86`	`count = local.aws_load_balancer_controller_role_exists ? 1 : 0`
`87`		`- name = "aws-load-balancer-controller-${var.cluster_name}-explicit-deny-elb"`
	`87`	`+ name = "aws-lbc-${var.cluster_name}-explicit-deny-elb"`
`88`	`88`	`path = "/system/"`
`89`	`89`	`policy = data.aws_iam_policy_document.aws_load_balancer_controller_explicit_deny.json`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller_explicit_deny" {`
`93`		`- count = local.aws_load_balancer_controller_role_exists ? 1 : 0`
`94`		`- role = local.aws_load_balancer_controller_role_name`
	`93`	`+ for_each = local.aws_load_balancer_controller_role_names`
	`94`	`+ role = each.value`
`95`	`95`	`policy_arn = aws_iam_policy.aws_load_balancer_controller_explicit_deny[0].arn`
`96`	`96`	`}`
`97`		`-`
	`97`	`+`
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@ variable "cluster_name" {`
`7`	`7`	`description = "The name of the cluster. Has to be unique per region per account."`
`8`	`8`	`type = string`
`9`	`9`	`validation {`
`10`		`- condition = can(regex("\\w-", var.cluster_name))`
`11`		`- error_message = "Cluster name must be lowercase alphanumeric characters"`
	`10`	`+ condition = can(regex("^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", var.cluster_name)) && length(var.cluster_name) <= 48`
	`11`	`+ error_message = "Cluster name must contain only lowercase alphanumeric characters or hyphens and be at most 48 characters long"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`