Closed
Description
Hi, I started using the iam-role-for-service-accounts-eks module to create a role for aws-lb-controller deployment. Ingress deployment works fine but when trying to modify an existing ingress the controller throws the below permission errors:
{"level":"error","ts":1645201526.94589,"logger":"controller-runtime.manager.controller.ingress","msg":"Reconciler error","name":"example-internal","namespace":"","error":"AccessDenied: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/example/111111111111111111 is not authorized to perform: elasticloadbalancing:ModifyListener on resource: arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxx:listener/app/example/example because no identity-based policy allows the elasticloadbalancing:ModifyListener action\n\tstatus code: 403, request id: xxxxxx-xxxxxxx-xxxxx"}
The policies mentioned in the controller's official documentation seem to be slightly different compared to the ones deployed by the module: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/694a0b14184e388806f9f34be0dd9075aa8fb0a7/docs/install/iam_policy.json
Versions
- Terraform: 1.1.2
- Provider(s):
  - aws: 3.74.2
- Module: iam-role-for-service-accounts-eks
Reproduction
Steps to reproduce the behavior:
- Deploy the IAM role using the module and assign it to the service account in the cluster
- Deploy a new ingress resource and wait for provisioning to finish
- Update existing ingress resource (e.g. path)
- Watch aws-load-balancer-controller logs for the error
Expected behavior
Controller should update ALB rules without any errors.
Actual behavior
Controller throws a permission error (see above).
Thanks!
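One way to pin down which of the controller's required actions a deployed role policy lacks, as an added example that is not part of the original issue or of either project's code: a small checker that reads an IAM identity policy document and reports every action from a required list that no Allow statement grants (or that a Deny statement blocks). The policy document and the required-action list below are constructed samples, not the module's real output or the upstream iam_policy.json; run it against the policy attached to the role that appears in the AccessDenied message to see the gap directly instead of inferring it from the log.

```python
"""Report required IAM actions that an identity policy does not grant.

Added example; not code from the iam-role-for-service-accounts-eks module or
from aws-load-balancer-controller. Policy and action list are constructed.
"""
import fnmatch
import json

# Constructed sample: a trimmed identity policy standing in for what an IRSA
# module might attach. This is an assumption for illustration only.
DEPLOYED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:Describe*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "elasticloadbalancing:DeleteLoadBalancer",
         "Resource": "*"},
    ],
})

# Constructed subset of actions an ingress update needs; ModifyListener is the
# one named in the AccessDenied log line above.
REQUIRED_ACTIONS = [
    "elasticloadbalancing:ModifyListener",
    "elasticloadbalancing:ModifyRule",
    "elasticloadbalancing:DescribeListeners",
    "elasticloadbalancing:CreateListener",
]


def _as_list(value):
    """IAM allows Action/NotAction/Resource to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy_json, action):
    """True if an Allow statement matches the action and no Deny statement does.

    Only Effect and Action/NotAction are evaluated; Resource and Condition are
    ignored. That makes this a quick 'is the action granted at all' check, not
    a full IAM evaluation (use the IAM policy simulator for that).
    """
    allowed = False
    for stmt in json.loads(policy_json).get("Statement", []):
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            continue  # malformed statement: neither Action nor NotAction
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit Deny wins over any Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy_json, required):
    """Actions from `required` that the policy does not grant."""
    return [a for a in required if not action_allowed(policy_json, a)]


if __name__ == "__main__":
    for missing in missing_actions(DEPLOYED_POLICY, REQUIRED_ACTIONS):
        print("missing:", missing)
```

To use it on a real role, fetch the attached policy document (for example with `aws iam get-policy-version`) and pass its JSON to `missing_actions` together with the action list from the upstream iam_policy.json; every action it prints is one the controller will be denied.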