From c83698236606e478ee2d0c1bf06dfc20aeb36b56 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Thu, 6 Mar 2025 11:27:56 +0100
Subject: [PATCH] terraform: update AWS LB permissions
---
 docs/docs/reference/migration.md | 10 +++++--
 terraform/infrastructure/iam/aws/main.tf | 34 +++++++++++++++---------
 2 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/docs/docs/reference/migration.md b/docs/docs/reference/migration.md
index 0252c409f4..082e92f5e0 100644
--- a/docs/docs/reference/migration.md
+++ b/docs/docs/reference/migration.md
@@ -36,7 +36,13 @@ done
 
 echo "All specified rules have been deleted."
 ```
-## Migrations to v2.19.0
+## Migrating from CLI versions before 2.20.1
+
+### AWS
+
+* AWS clusters that utilize `LoadBalancer` resources require additional IAM permissions. Please upgrade your IAM roles using `iam upgrade apply`. This will show necessary changes and apply them, if desired.
+
+## Migrating from CLI versions before 2.19.0
 
 ### Azure
 
@@ -46,7 +52,7 @@ echo "All specified rules have been deleted."
 
 If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them afterward.
 
-## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0)
+## Migrating from CLI versions before 2.18.0
 
 * The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed.
 * To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`.
diff --git a/terraform/infrastructure/iam/aws/main.tf b/terraform/infrastructure/iam/aws/main.tf
index cc090b3635..001d85a178 100644
--- a/terraform/infrastructure/iam/aws/main.tf
+++ b/terraform/infrastructure/iam/aws/main.tf
@@ -54,17 +54,14 @@ resource "aws_iam_policy" "control_plane_policy" {
 {
 "Effect": "Allow",
 "Action": [
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeRules",
- "shield:GetSubscriptionState",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DescribeTags",
 "autoscaling:DescribeAutoScalingGroups",
 "autoscaling:DescribeLaunchConfigurations",
 "autoscaling:DescribeTags",
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
 "ec2:AttachVolume",
 "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateLaunchTemplateVersion",
 "ec2:CreateRoute",
 "ec2:CreateSecurityGroup",
 "ec2:CreateTags",
@@ -75,6 +72,8 @@ resource "aws_iam_policy" "control_plane_policy" {
 "ec2:DescribeAvailabilityZones",
 "ec2:DescribeImages",
 "ec2:DescribeInstances",
+ "ec2:DescribeInstanceStatus",
+ "ec2:DescribeLaunchTemplateVersions",
 "ec2:DescribeRegions",
 "ec2:DescribeRouteTables",
 "ec2:DescribeSecurityGroups",
@@ -82,7 +81,9 @@ resource "aws_iam_policy" "control_plane_policy" {
 "ec2:DescribeVolumes",
 "ec2:DescribeVpcs",
 "ec2:DetachVolume",
+ "ec2:GetSecurityGroupsForVpc",
 "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyLaunchTemplate",
 "ec2:ModifyVolume",
 "ec2:RevokeSecurityGroupIngress",
 "elasticloadbalancing:AddTags",
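Review bot: The one action in these three hunks that is not merely re-sorted from elsewhere in the statement is `ec2:GetSecurityGroupsForVpc` (third hunk), and nothing in the policy records which component needs it, so a later reviewer cannot distinguish a required grant from a leftover one. The `resource "aws_iam_policy" "control_plane_policy"` block begins before the first hunk and continues past the last; an HCL `#` comment above that block naming the consumer of this statement (presumably the in-cluster AWS cloud provider and the autoscaling integration — confirm) would make future additions auditable against a known caller. The `autoscaling:SetDesiredCapacity`, `autoscaling:TerminateInstanceInAutoScalingGroup` and launch-template actions added here are moved up from the end of the list in the last hunk, not newly granted, which is worth stating in the same comment so the diff is not misread as a scope increase.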
@@ -101,33 +102,40 @@ resource "aws_iam_policy" "control_plane_policy" {
 "elasticloadbalancing:DeleteTargetGroup",
 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 "elasticloadbalancing:DeregisterTargets",
+ "elasticloadbalancing:DescribeCapacityReservation",
+ "elasticloadbalancing:DescribeListenerAttributes",
+ "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:DescribeTrustStores",
 "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+ "elasticloadbalancing:ModifyCapacityReservation",
 "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:ModifyListenerAttributes",
 "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:ModifyRule",
 "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 "elasticloadbalancing:RegisterTargets",
 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+ "elasticloadbalancing:SetRulePriorities",
 "iam:CreateServiceLinkedRole",
 "kms:DescribeKey",
 "logs:CreateLogStream",
 "logs:DescribeLogGroups",
 "logs:ListTagsLogGroup",
 "logs:PutLogEvents",
- "tag:GetResources",
- "ec2:DescribeLaunchTemplateVersions",
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "ec2:DescribeInstanceStatus",
- "ec2:CreateLaunchTemplateVersion",
- "ec2:ModifyLaunchTemplate"
+ "shield:GetSubscriptionState",
+ "tag:GetResources"
 ],
 "Resource": [
 "*"
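Review bot: `"elasticloadbalancing:DescribeListeners"` appears twice on the new side of this hunk — the added line sits directly above the unchanged context line with the same action — so the added `+ "elasticloadbalancing:DescribeListeners",` line should be dropped (the first hunk already removed the copy at the top of the statement, so this is the only duplicate left). IAM tolerates repeated actions, but a duplicate is what a merge or sort slip looks like and it undermines the alphabetical ordering this commit introduces. Separately, the genuinely new mutating actions `elasticloadbalancing:ModifyRule`, `elasticloadbalancing:SetRulePriorities`, `elasticloadbalancing:ModifyCapacityReservation` and `elasticloadbalancing:ModifyListenerAttributes` land in a statement whose `"Resource"` is `"*"` (visible at the end of the hunk), so they apply to every load balancer in the account, not only cluster-owned ones. If the consumer tags the load balancers it manages, a `Condition` keyed on `aws:ResourceTag/<cluster tag key>` would bound these to cluster resources; confirm the tagging behaviour against the consumer before scoping, since an over-tight condition breaks service reconciliation.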