improvement: IAM permissions for ELB svc-linked role creation by EKS

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB creation on AWS with K8S Service. terraform-aws-modules#900 terraform-aws-modules#183 (comment)
ivan-sukhomlyn · May 31, 2020 · aaeb79c · aaeb79c
1 parent 3fefc2a
commit aaeb79c
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/cluster.tf b/cluster.tf
@@ -130,3 +130,25 @@ resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSServicePolicy" {
  policy_arn = "${local.policy_arn_prefix}/AmazonEKSServicePolicy"
  role = local.cluster_iam_role_name
 }
+
+/*
+ Adding a policy to cluster IAM role that allow permissions
+ required to create AWSServiceRoleForElasticLoadBalancing service linked role that required by K8S for ELB creation.
+*/
+
+data "aws_iam_policy_document" "cluster_elb_sl_role_creation" {
+ count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ actions = ["ec2:DescribeAccountAttributes"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_role_policy" "cluster_elb_sl_role_creation" {
+ count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+ name_prefix = "${var.cluster_name}-elb-sl-role-creation"
+ role = local.cluster_iam_role_name
+ policy = data.aws_iam_policy_document.cluster_elb_sl_role_creation.json
+}