Skip to content

Commit c174907

Browse files
blanchardmablanchardma
committed
fix: Remove unnecessary IAM permission for cluster autoscaler
1 parent 80c5a46 commit c174907

File tree

2 files changed

+34
-2
lines changed

2 files changed

+34
-2
lines changed

CHANGELOG.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,13 @@
22

33
All notable changes to this project will be documented in this file.
44

5+
## [5.16.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.15.0...v5.16.0) (2023-03-27)
6+
7+
8+
### Features
9+
10+
* Add `elasticloadbalancing:AddTags` permissions to AWS Load Balancer Controller policy required for version 2.4.7+ ([#358](https://github.com/terraform-aws-modules/terraform-aws-iam/issues/358)) ([e1403c1](https://github.com/terraform-aws-modules/terraform-aws-iam/commit/e1403c15285137147db2698465e794d17059c848))
11+
512
## [5.15.0](https://github.com/terraform-aws-modules/terraform-aws-iam/compare/v5.14.4...v5.15.0) (2023-03-27)
613

714

modules/iam-role-for-service-accounts-eks/policies.tf

Lines changed: 27 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -74,8 +74,7 @@ data "aws_iam_policy_document" "cluster_autoscaler" {
7474
content {
7575
actions = [
7676
"autoscaling:SetDesiredCapacity",
77-
"autoscaling:TerminateInstanceInAutoScalingGroup",
78-
"autoscaling:UpdateAutoScalingGroup",
77+
"autoscaling:TerminateInstanceInAutoScalingGroup"
7978
]
8079

8180
resources = ["*"]
@@ -875,6 +874,32 @@ data "aws_iam_policy_document" "load_balancer_controller" {
875874
}
876875
}
877876

877+
statement {
878+
actions = [
879+
"elasticloadbalancing:AddTags"
880+
]
881+
resources = [
882+
"arn:${local.partition}:elasticloadbalancing:*:*:targetgroup/*/*",
883+
"arn:${local.partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
884+
"arn:${local.partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*",
885+
]
886+
887+
condition {
888+
test = "StringEquals"
889+
variable = "elasticloadbalancing:CreateAction"
890+
values = [
891+
"CreateTargetGroup",
892+
"CreateLoadBalancer",
893+
]
894+
}
895+
896+
condition {
897+
test = "Null"
898+
variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
899+
values = ["false"]
900+
}
901+
}
902+
878903
statement {
879904
actions = [
880905
"elasticloadbalancing:RegisterTargets",

0 commit comments

Comments
 (0)