diff --git a/README.md b/README.md
index e173ae8..24df9a2 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,7 @@ module "load_balancer_controller" {
 | helm\_chart\_name | AWS Load Balancer Controller Helm chart name. | `string` | `"aws-load-balancer-controller"` | no |
 | helm\_chart\_release\_name | AWS Load Balancer Controller Helm chart release name. | `string` | `"aws-load-balancer-controller"` | no |
 | helm\_chart\_repo | AWS Load Balancer Controller Helm repository name. | `string` | `"https://aws.github.io/eks-charts"` | no |
-| helm\_chart\_version | AWS Load Balancer Controller Helm chart version. | `string` | `"1.4.4"` | no |
+| helm\_chart\_version | AWS Load Balancer Controller Helm chart version. | `string` | `"1.10.1"` | no |
 | mod\_dependency | Dependence variable binds all AWS resources allocated by this module, dependent modules reference this variable. | `any` | `null` | no |
 | namespace | AWS Load Balancer Controller Helm chart namespace which the service will be created. | `string` | `"kube-system"` | no |
 | permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
diff --git a/_variables.tf b/_variables.tf
index e3db4af..637d154 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -39,7 +39,7 @@ variable "helm_chart_repo" {
 
 variable "helm_chart_version" {
 type = string
-default = "1.4.4"
+default = "1.10.1"
 description = "AWS Load Balancer Controller Helm chart version."
 }
 
@@ -105,4 +105,4 @@ variable "tags" {
 type = map(string)
 default = null
 description = "Optional Parameter to add tags to the lb IAM role"
-}
\ No newline at end of file
+}
diff --git a/iam.tf b/iam.tf
index 7986234..3a4e540 100644
--- a/iam.tf
+++ b/iam.tf
@@ -42,6 +42,7 @@ data "aws_iam_policy_document" "lb_controller" {
 "ec2:DescribeTags",
 "ec2:GetCoipPoolUsage",
 "ec2:DescribeCoipPools",
+"ec2:GetSecurityGroupsForVpc",
 "elasticloadbalancing:DescribeLoadBalancers",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeListeners",
@@ -51,7 +52,9 @@ data "aws_iam_policy_document" "lb_controller" {
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetGroupAttributes",
 "elasticloadbalancing:DescribeTargetHealth",
-"elasticloadbalancing:DescribeTags"
+"elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeTrustStores",
+"elasticloadbalancing:DescribeListenerAttributes"
 ]
 resources = [
 "*",
@@ -272,6 +275,29 @@ data "aws_iam_policy_document" "lb_controller" {
 effect = "Allow"
 }
 
+statement {
+actions = [
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:ModifyListenerAttributes"
+]
+resources = ["*"]
+condition {
+test = "Null"
+variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+
+values = [
+"false"
+]
+}
+}
+
 statement {
 actions = [
 "elasticloadbalancing:AddTags"
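Review bot: The statement added in the -272 hunk drops the explicit `effect = "Allow"` that the statement it replaces (removed in the following -305 hunk) carried, and that the neighbouring statements in this data source still spell out. Terraform's `aws_iam_policy_document` defaults `effect` to Allow, so the rendered policy is unchanged, but a statement granting Delete and Modify actions on `*` should state its effect so an auditor can read each statement without knowing the provider default; add `effect = "Allow"` after the `condition` block. The `Null` condition on `aws:ResourceTag/elbv2.k8s.aws/cluster` is what keeps these mutating actions scoped to load balancers and target groups the controller itself tagged, and `elasticloadbalancing:ModifyListenerAttributes` is correctly placed inside that scoped statement rather than in an unconditioned one. The one-line `resources = ["*"]` also diverges from the multi-line list form used by the surrounding statements. Since the chart default moves to 1.10.1, a header comment on this data source recording which upstream controller policy revision it mirrors would let future additions such as the three new Describe actions be checked against it.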
@@ -305,34 +331,6 @@ data "aws_iam_policy_document" "lb_controller" {
 effect = "Allow"
 }
 
-statement {
-actions = [
-"elasticloadbalancing:ModifyLoadBalancerAttributes",
-"elasticloadbalancing:SetIpAddressType",
-"elasticloadbalancing:SetSecurityGroups",
-"elasticloadbalancing:SetSubnets",
-"elasticloadbalancing:DeleteLoadBalancer",
-"elasticloadbalancing:ModifyTargetGroup",
-"elasticloadbalancing:ModifyTargetGroupAttributes",
-"elasticloadbalancing:DeleteTargetGroup"
-]
-
-resources = [
-"*"
-]
-
-condition {
-test = "Null"
-variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
-
-values = [
-"false"
-]
-}
-
-effect = "Allow"
-}
-
 statement {
 actions = [
 "elasticloadbalancing:RegisterTargets",