Merge pull request #39 from DNXLabs/feature/upgrade-iam

Updating iam policy for supporting newer charts

Author: adenot

README.md

@@ -51,7 +51,7 @@ module "load_balancer_controller" {
 | helm\_chart\_name | AWS Load Balancer Controller Helm chart name. | `string` | `"aws-load-balancer-controller"` | no |
 | helm\_chart\_release\_name | AWS Load Balancer Controller Helm chart release name. | `string` | `"aws-load-balancer-controller"` | no |
 | helm\_chart\_repo | AWS Load Balancer Controller Helm repository name. | `string` | `"https://aws.github.io/eks-charts"` | no |
-| helm\_chart\_version | AWS Load Balancer Controller Helm chart version. | `string` | `"1.4.4"` | no |
+| helm\_chart\_version | AWS Load Balancer Controller Helm chart version. | `string` | `"1.10.1"` | no |
 | mod\_dependency | Dependence variable binds all AWS resources allocated by this module, dependent modules reference this variable. | `any` | `null` | no |
 | namespace | AWS Load Balancer Controller Helm chart namespace which the service will be created. | `string` | `"kube-system"` | no |
 | permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |

_variables.tf

@@ -39,7 +39,7 @@ variable "helm_chart_repo" {
 
 variable "helm_chart_version" {
   type        = string
-  default     = "1.4.4"
+  default     = "1.10.1"
   description = "AWS Load Balancer Controller Helm chart version."
 }
 
@@ -105,4 +105,4 @@ variable "tags" {
   type        = map(string)
   default     = null
   description = "Optional Parameter to add tags to the lb IAM role"
-}
+}

iam.tf

@@ -42,6 +42,7 @@ data "aws_iam_policy_document" "lb_controller" {
       "ec2:DescribeTags",
       "ec2:GetCoipPoolUsage",
       "ec2:DescribeCoipPools",
+      "ec2:GetSecurityGroupsForVpc",
       "elasticloadbalancing:DescribeLoadBalancers",
       "elasticloadbalancing:DescribeLoadBalancerAttributes",
       "elasticloadbalancing:DescribeListeners",
@@ -51,7 +52,9 @@ data "aws_iam_policy_document" "lb_controller" {
       "elasticloadbalancing:DescribeTargetGroups",
       "elasticloadbalancing:DescribeTargetGroupAttributes",
       "elasticloadbalancing:DescribeTargetHealth",
-      "elasticloadbalancing:DescribeTags"
+      "elasticloadbalancing:DescribeTags",
+      "elasticloadbalancing:DescribeTrustStores",
+      "elasticloadbalancing:DescribeListenerAttributes"
     ]
     resources = [
       "*",
@@ -272,6 +275,29 @@ data "aws_iam_policy_document" "lb_controller" {
     effect = "Allow"
   }
 
+  statement {
+    actions = [
+      "elasticloadbalancing:ModifyLoadBalancerAttributes",
+      "elasticloadbalancing:SetIpAddressType",
+      "elasticloadbalancing:SetSecurityGroups",
+      "elasticloadbalancing:SetSubnets",
+      "elasticloadbalancing:DeleteLoadBalancer",
+      "elasticloadbalancing:ModifyTargetGroup",
+      "elasticloadbalancing:ModifyTargetGroupAttributes",
+      "elasticloadbalancing:DeleteTargetGroup",
+      "elasticloadbalancing:ModifyListenerAttributes"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "Null"
+      variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+
+      values = [
+        "false"
+      ]
+    }
+  }
+
   statement {
     actions = [
       "elasticloadbalancing:AddTags"
@@ -305,34 +331,6 @@ data "aws_iam_policy_document" "lb_controller" {
     effect = "Allow"
   }
 
-  statement {
-    actions = [
-      "elasticloadbalancing:ModifyLoadBalancerAttributes",
-      "elasticloadbalancing:SetIpAddressType",
-      "elasticloadbalancing:SetSecurityGroups",
-      "elasticloadbalancing:SetSubnets",
-      "elasticloadbalancing:DeleteLoadBalancer",
-      "elasticloadbalancing:ModifyTargetGroup",
-      "elasticloadbalancing:ModifyTargetGroupAttributes",
-      "elasticloadbalancing:DeleteTargetGroup"
-    ]
-
-    resources = [
-      "*"
-    ]
-
-    condition {
-      test     = "Null"
-      variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
-
-      values = [
-        "false"
-      ]
-    }
-
-    effect = "Allow"
-  }
-
   statement {
     actions = [
       "elasticloadbalancing:RegisterTargets",