Add ELB listener tagging policy (aws-ia#718)

Co-authored-by: Caleb Hansard <caleb.hansard@caci.com>
allamand · Dec 15, 2022 · 378cafc · 378cafc
1 parent e4f9967
commit 378cafc
Showing 1 changed file with 30 additions and 1 deletion.
diff --git a/modules/kubernetes-addons/aws-load-balancer-controller/data.tf b/modules/kubernetes-addons/aws-load-balancer-controller/data.tf
@@ -1,4 +1,17 @@
 data "aws_iam_policy_document" "aws_lb" {
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["iam:CreateServiceLinkedRole"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "iam:AWSServiceName"
+      values   = ["elasticloadbalancing.amazonaws.com"]
+    }
+  }
+
   statement {
     sid       = ""
     effect    = "Allow"
@@ -28,7 +41,6 @@ data "aws_iam_policy_document" "aws_lb" {
       "elasticloadbalancing:DescribeTargetGroupAttributes",
       "elasticloadbalancing:DescribeTargetGroups",
       "elasticloadbalancing:DescribeTargetHealth",
-      "iam:CreateServiceLinkedRole",
     ]
   }
 
@@ -234,6 +246,23 @@ data "aws_iam_policy_document" "aws_lb" {
     }
   }
 
+  statement {
+    sid    = ""
+    effect = "Allow"
+
+    resources = [
+      "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener/net/*/*/*",
+      "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener/app/*/*/*",
+      "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+      "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener-rule/app/*/*/*",
+    ]
+
+    actions = [
+      "elasticloadbalancing:AddTags",
+      "elasticloadbalancing:RemoveTags",
+    ]
+  }
+
   statement {
     sid       = ""
     effect    = "Allow"