
Commit 9260f74

Grant elasticloadbalancing:Re|DegisterTargets to the LB controller
These target groups are created for Private Link; the permission is restricted to those Private Link target groups and is only granted when Private Link is enabled.
1 parent 0ed2971 commit 9260f74

1 file changed

Lines changed: 31 additions & 0 deletions

File tree

customer-managed/aws/terraform/iam_utility_node_group.tf

Lines changed: 31 additions & 0 deletions
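--- a/customer-managed/aws/terraform/iam_utility_node_group.tf
+++ b/customer-managed/aws/terraform/iam_utility_node_group.tf
@@ -558,6 +558,37 @@ data "aws_iam_policy_document" "load_balancer_controller_2" {
 }
 }
 }
+
+dynamic "statement" {
+for_each = var.enable_private_link ? ["true"] : []
+content {
+effect = "Allow"
+actions = [
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets",
+]
+resources = [
+"arn:aws:elasticloadbalancing:${var.region}:${local.aws_account_id}:targetgroup/*-rp-*",
+"arn:aws:elasticloadbalancing:${var.region}:${local.aws_account_id}:targetgroup/*-kf-*/*",
+"arn:aws:elasticloadbalancing:${var.region}:${local.aws_account_id}:targetgroup/*-console/*"
+]
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/redpanda-private-link"
+values = ["true"]
+}
+dynamic "condition" {
+for_each = var.condition_tags
+content {
+test = "StringEquals"
+variable = "aws:ResourceTag/${condition.key}"
+values = [
+condition.value,
+]
+}
+}
+}
+}
 }
 
 resource "aws_iam_policy" "load_balancer_controller_policy" {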
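Review bot: The first resource pattern in the new statement, `targetgroup/*-rp-*`, is shaped differently from its two siblings, which end in `/*` to cover the `targetgroup/<name>/<id>` ARN form; because `*` in an IAM resource pattern also spans `/`, the bare `*-rp-*` glob matches any target group whose full name-or-id suffix contains `-rp-`, so it is broader than the other two and presumably not what was intended. If parity is the goal, change it to `"arn:aws:elasticloadbalancing:${var.region}:${local.aws_account_id}:targetgroup/*-rp-*/*"`. In practice the `aws:ResourceTag/redpanda-private-link` condition is the control that scopes the grant, not the name globs, and that deserves a comment above the `resources` list so a later edit does not loosen the tag condition believing the globs are sufficient, e.g. `# Name globs are a coarse filter only; the redpanda-private-link tag condition is what restricts this grant.` The enclosing `data "aws_iam_policy_document" "load_balancer_controller_2"` block starts outside the hunk, so whether a sibling statement already covers these actions more broadly cannot be checked from here.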
