terraform: update AWS LB permissions

edgelesssys · Mar 6, 2025 · c836982 · c836982
1 parent 810a6ec
commit c836982
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 15 deletions.
diff --git a/docs/docs/reference/migration.md b/docs/docs/reference/migration.md
@@ -36,7 +36,13 @@ done
 echo "All specified rules have been deleted."
 ```
 
-## Migrations to v2.19.0
+## Migrating from CLI versions before 2.20.1
+
+### AWS
+
+* AWS clusters that utilize `LoadBalancer` resources require additional IAM permissions. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired.
+
+## Migrating from CLI versions before 2.19.0
 
 ### Azure
 
@@ -46,7 +52,7 @@ echo "All specified rules have been deleted."
  If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them
  afterward.
 
-## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0)
+## Migrating from CLI versions before 2.18.0
 
 * The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed.
 * To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`.

diff --git a/terraform/infrastructure/iam/aws/main.tf b/terraform/infrastructure/iam/aws/main.tf
@@ -54,17 +54,14 @@ resource "aws_iam_policy" "control_plane_policy" {
     {
       "Effect": "Allow",
       "Action": [
-        "elasticloadbalancing:DescribeTargetGroupAttributes",
-        "elasticloadbalancing:DescribeRules",
-        "shield:GetSubscriptionState",
-        "elasticloadbalancing:DescribeListeners",
-        "elasticloadbalancing:ModifyTargetGroupAttributes",
-        "elasticloadbalancing:DescribeTags",
         "autoscaling:DescribeAutoScalingGroups",
         "autoscaling:DescribeLaunchConfigurations",
         "autoscaling:DescribeTags",
+        "autoscaling:SetDesiredCapacity",
+        "autoscaling:TerminateInstanceInAutoScalingGroup",
         "ec2:AttachVolume",
         "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateLaunchTemplateVersion",
         "ec2:CreateRoute",
         "ec2:CreateSecurityGroup",
         "ec2:CreateTags",
@@ -75,14 +72,18 @@ resource "aws_iam_policy" "control_plane_policy" {
         "ec2:DescribeAvailabilityZones",
         "ec2:DescribeImages",
         "ec2:DescribeInstances",
+        "ec2:DescribeInstanceStatus",
+        "ec2:DescribeLaunchTemplateVersions",
         "ec2:DescribeRegions",
         "ec2:DescribeRouteTables",
         "ec2:DescribeSecurityGroups",
         "ec2:DescribeSubnets",
         "ec2:DescribeVolumes",
         "ec2:DescribeVpcs",
         "ec2:DetachVolume",
+        "ec2:GetSecurityGroupsForVpc",
         "ec2:ModifyInstanceAttribute",
+        "ec2:ModifyLaunchTemplate",
         "ec2:ModifyVolume",
         "ec2:RevokeSecurityGroupIngress",
         "elasticloadbalancing:AddTags",
@@ -101,33 +102,40 @@ resource "aws_iam_policy" "control_plane_policy" {
         "elasticloadbalancing:DeleteTargetGroup",
         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
         "elasticloadbalancing:DeregisterTargets",
+        "elasticloadbalancing:DescribeCapacityReservation",
+        "elasticloadbalancing:DescribeListenerAttributes",
+        "elasticloadbalancing:DescribeListeners",
         "elasticloadbalancing:DescribeListeners",
         "elasticloadbalancing:DescribeLoadBalancerAttributes",
         "elasticloadbalancing:DescribeLoadBalancerPolicies",
         "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeRules",
+        "elasticloadbalancing:DescribeTags",
+        "elasticloadbalancing:DescribeTargetGroupAttributes",
         "elasticloadbalancing:DescribeTargetGroups",
         "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:DescribeTrustStores",
         "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+        "elasticloadbalancing:ModifyCapacityReservation",
         "elasticloadbalancing:ModifyListener",
+        "elasticloadbalancing:ModifyListenerAttributes",
         "elasticloadbalancing:ModifyLoadBalancerAttributes",
+        "elasticloadbalancing:ModifyRule",
         "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:ModifyTargetGroupAttributes",
         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
         "elasticloadbalancing:RegisterTargets",
         "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
         "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+        "elasticloadbalancing:SetRulePriorities",
         "iam:CreateServiceLinkedRole",
         "kms:DescribeKey",
         "logs:CreateLogStream",
         "logs:DescribeLogGroups",
         "logs:ListTagsLogGroup",
         "logs:PutLogEvents",
-        "tag:GetResources",
-        "ec2:DescribeLaunchTemplateVersions",
-        "autoscaling:SetDesiredCapacity",
-        "autoscaling:TerminateInstanceInAutoScalingGroup",
-        "ec2:DescribeInstanceStatus",
-        "ec2:CreateLaunchTemplateVersion",
-        "ec2:ModifyLaunchTemplate"
+        "shield:GetSubscriptionState",
+        "tag:GetResources"
       ],
       "Resource": [
         "*"