
Commit 7c49d24

authored
Add latest changes to AWS Load Balancer Controller IAM Policy (#8316)
1 parent e51e7e0 commit 7c49d24


2 files changed

+21
-7
lines changed


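--- a/pkg/cfn/builder/iam_test.go
+++ b/pkg/cfn/builder/iam_test.go
@@ -497,17 +497,21 @@ const expectedAWSLoadBalancerControllerPolicyDocument = `{
 "ec2:DescribeTags",
 "ec2:GetCoipPoolUsage",
 "ec2:DescribeCoipPools",
+"ec2:GetSecurityGroupsForVpc",
+"ec2:DescribeIpamPools",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeListeners",
-"elasticloadbalancing:DescribeListenerAttributes",
 "elasticloadbalancing:DescribeListenerCertificates",
 "elasticloadbalancing:DescribeSSLPolicies",
 "elasticloadbalancing:DescribeRules",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetGroupAttributes",
 "elasticloadbalancing:DescribeTargetHealth",
-"elasticloadbalancing:DescribeTags"
+"elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeTrustStores",
+"elasticloadbalancing:DescribeListenerAttributes",
+"elasticloadbalancing:DescribeCapacityReservation"
 ],
 "Effect": "Allow",
 "Resource": "*"
@@ -667,15 +671,17 @@ const expectedAWSLoadBalancerControllerPolicyDocument = `{
 },
 {
 "Action": [
-"elasticloadbalancing:ModifyListenerAttributes",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:SetIpAddressType",
 "elasticloadbalancing:SetSecurityGroups",
 "elasticloadbalancing:SetSubnets",
 "elasticloadbalancing:DeleteLoadBalancer",
 "elasticloadbalancing:ModifyTargetGroup",
 "elasticloadbalancing:ModifyTargetGroupAttributes",
-"elasticloadbalancing:DeleteTargetGroup"
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:ModifyListenerAttributes",
+"elasticloadbalancing:ModifyCapacityReservation",
+"elasticloadbalancing:ModifyIpPools"
 ],
 "Condition": {
 "Null": {
@@ -729,7 +735,8 @@ const expectedAWSLoadBalancerControllerPolicyDocument = `{
 "elasticloadbalancing:ModifyListener",
 "elasticloadbalancing:AddListenerCertificates",
 "elasticloadbalancing:RemoveListenerCertificates",
-"elasticloadbalancing:ModifyRule"
+"elasticloadbalancing:ModifyRule",
+"elasticloadbalancing:SetRulePriorities"
 ],
 "Effect": "Allow",
 "Resource": "*"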

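--- a/pkg/cfn/builder/statement.go
+++ b/pkg/cfn/builder/statement.go
@@ -39,17 +39,21 @@ func loadBalancerControllerStatements() []cft.MapOfInterfaces {
 "ec2:DescribeTags",
 "ec2:GetCoipPoolUsage",
 "ec2:DescribeCoipPools",
+"ec2:GetSecurityGroupsForVpc",
+"ec2:DescribeIpamPools",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeListeners",
-"elasticloadbalancing:DescribeListenerAttributes",
 "elasticloadbalancing:DescribeListenerCertificates",
 "elasticloadbalancing:DescribeSSLPolicies",
 "elasticloadbalancing:DescribeRules",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetGroupAttributes",
 "elasticloadbalancing:DescribeTargetHealth",
 "elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeTrustStores",
+"elasticloadbalancing:DescribeListenerAttributes",
+"elasticloadbalancing:DescribeCapacityReservation",
 },
 "Resource": resourceAll,
 },
@@ -191,7 +195,6 @@ func loadBalancerControllerStatements() []cft.MapOfInterfaces {
 {
 "Effect": effectAllow,
 "Action": []string{
-"elasticloadbalancing:ModifyListenerAttributes",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
 "elasticloadbalancing:SetIpAddressType",
 "elasticloadbalancing:SetSecurityGroups",
@@ -200,6 +203,9 @@ func loadBalancerControllerStatements() []cft.MapOfInterfaces {
 "elasticloadbalancing:ModifyTargetGroup",
 "elasticloadbalancing:ModifyTargetGroupAttributes",
 "elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:ModifyListenerAttributes",
+"elasticloadbalancing:ModifyCapacityReservation",
+"elasticloadbalancing:ModifyIpPools",
 },
 "Resource": resourceAll,
 "Condition": map[string]interface{}{
@@ -246,6 +252,7 @@ func loadBalancerControllerStatements() []cft.MapOfInterfaces {
 "elasticloadbalancing:AddListenerCertificates",
 "elasticloadbalancing:RemoveListenerCertificates",
 "elasticloadbalancing:ModifyRule",
+"elasticloadbalancing:SetRulePriorities",
 },
 "Resource": resourceAll,
 },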
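Review bot: `elasticloadbalancing:SetRulePriorities` in the last hunk (`@@ -246,6 +252,7 @@`) is added to a statement that closes right after `"Resource": resourceAll` with no `Condition` entry after it, so the controller role can apparently reorder listener rules on any load balancer in the account. `ModifyCapacityReservation` and `ModifyIpPools`, by contrast, go into the statement whose `Resource` line is followed by a `Condition` map, which is the narrower placement for a write action. If the unconditioned grant is deliberate because the list mirrors the upstream controller policy, record that above the statement so the broad scope is auditable, e.g. `// Mirrors upstream aws-load-balancer-controller iam_policy.json (<UPSTREAM_VERSION>); listener and rule actions carry no tag condition there.` The body of `loadBalancerControllerStatements` starts and ends outside these hunks, so the condition keys themselves are not visible here.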
