DNM/SPLAT-2452: Add SetSecurityGroups IAM permission to master nodes

[mfbonfigli]

Do Not Merge / Work In Progress

This PR adds the elasticloadbalancing:SetSecurityGroups IAM permission to master nodes, which is required for the BYO Security Groups feature for AWS Network Load Balancers on AWS CCM.

Summary by CodeRabbit

• Bug Fixes
  • Fixed missing AWS load balancer security group management permissions for cluster master nodes.

[openshift-ci-robot]

@mfbonfigli: This pull request references SPLAT-2452 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Do Not Merge / Work In Progress

This PR adds the elasticloadbalancing:SetSecurityGroups IAM permission to master nodes, which is required for the BYO Security Groups feature for AWS Network Load Balancers on AWS CCM.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8fecb925-83ed-471c-9a37-04de1e2c3d58

📥 Commits

Reviewing files that changed from the base of the PR and between 0bd82bc and f0c7b3e.

📒 Files selected for processing (1)

• pkg/infrastructure/aws/clusterapi/iam.go

---

Walkthrough

Updated the IAM policy document for the master role in AWS cluster API infrastructure to include an additional ELB permission: elasticloadbalancing:SetSecurityGroups. The change adds a single action entry to the allowed permissions list without modifying any logic or control flow.

Changes

Cohort / File(s)	Summary
IAM Policy Update pkg/infrastructure/aws/clusterapi/iam.go	Added elasticloadbalancing:SetSecurityGroups action to the master role's inline IAM policy document.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding the SetSecurityGroups IAM permission to master nodes, which matches the single-line code change in the IAM policy.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only IAM configuration without adding or modifying any Ginkgo test declarations, making the test naming check inapplicable.
Test Structure And Quality	✅ Passed	This check is not applicable to the provided pull request. The PR only modifies an IAM policy configuration file by adding a permission to the master node policy document. There are no Ginkgo test files included in this PR, so the test structure and quality requirements specified in the custom check do not apply.
Microshift Test Compatibility	✅ Passed	This PR modifies AWS IAM policy configuration, not Ginkgo e2e test code, so the MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only infrastructure configuration file (iam.go) with IAM policy updates and contains no Ginkgo e2e test additions.
Topology-Aware Scheduling Compatibility	✅ Passed	Pull request adds only an AWS IAM permission to master node policy; does not modify deployment manifests, controller code, or introduce Kubernetes scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	Pull request adds elasticloadbalancing:SetSecurityGroups permission to IAM policy in iam.go line 74, a purely data change within var policies block with no process-level code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not add any Ginkgo e2e tests or tests at all, only modifies an AWS IAM policy configuration file.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tthvo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/infrastructure/aws/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtulio]

Thanks for submitting PR, I think it makes sense as CCM uses CP instance profile.

PTAL to the detected policies by SREP-3643 and if it would be required too here, looks like some are not included to the master profile as well.

Also for follow up:

• We need to make sure OCP docs is updated with new set of permissions (follow up card from your Epic)
• review/update the UPI assets:

  installer/upi/aws/cloudformation/03_cluster_security.yaml

  Line 489 in 0bd82bc

  MasterIamRole:

• I think we need to review the CAPA IAM too:

  installer/pkg/infrastructure/aws/clusterapi/iam.go

  Lines 98 to 99 in 0bd82bc

  	// createIAMRoles creates the roles used by control-plane and compute nodes.
  	func createIAMRoles(ctx context.Context, infraID string, ic *installconfig.InstallConfig) error {