update(aws-load-balancer-controller): update iam policy

Signed-off-by: Aldo Lacuku <[email protected]>
falcosecurity · Jul 17, 2024 · 4bb73c3 · 4bb73c3
1 parent 0d37160
commit 4bb73c3
Showing 1 changed file with 23 additions and 25 deletions.
diff --git a/config/clusters/iam.tf b/config/clusters/iam.tf
@@ -785,6 +785,7 @@ data "aws_iam_policy_document" "loadbalancer_controller" {
       "elasticloadbalancing:DescribeTargetGroupAttributes",
       "elasticloadbalancing:DescribeTargetHealth",
       "elasticloadbalancing:DescribeTags",
+      "elasticloadbalancing:DescribeTrustStores",
     ]
   }
 
@@ -915,7 +916,6 @@ data "aws_iam_policy_document" "loadbalancer_controller" {
   }
 
   statement {
-    sid    = ""
     effect = "Allow"
 
     resources = [
@@ -943,7 +943,6 @@ data "aws_iam_policy_document" "loadbalancer_controller" {
   }
 
   statement {
-    sid    = ""
     effect = "Allow"
 
     resources = [
@@ -960,7 +959,28 @@ data "aws_iam_policy_document" "loadbalancer_controller" {
   }
 
   statement {
-    sid    = ""
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "elasticloadbalancing:ModifyLoadBalancerAttributes",
+      "elasticloadbalancing:SetIpAddressType",
+      "elasticloadbalancing:SetSecurityGroups",
+      "elasticloadbalancing:SetSubnets",
+      "elasticloadbalancing:DeleteLoadBalancer",
+      "elasticloadbalancing:ModifyTargetGroup",
+      "elasticloadbalancing:ModifyTargetGroupAttributes",
+      "elasticloadbalancing:DeleteTargetGroup",
+    ]
+
+    condition {
+      test     = "Null"
+      variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+      values   = ["false"]
+    }
+  }
+
+  statement {
     effect = "Allow"
 
     resources = [
@@ -988,28 +1008,6 @@ data "aws_iam_policy_document" "loadbalancer_controller" {
     }
   }
 
-  statement {
-    effect    = "Allow"
-    resources = ["*"]
-
-    actions = [
-      "elasticloadbalancing:ModifyLoadBalancerAttributes",
-      "elasticloadbalancing:SetIpAddressType",
-      "elasticloadbalancing:SetSecurityGroups",
-      "elasticloadbalancing:SetSubnets",
-      "elasticloadbalancing:DeleteLoadBalancer",
-      "elasticloadbalancing:ModifyTargetGroup",
-      "elasticloadbalancing:ModifyTargetGroupAttributes",
-      "elasticloadbalancing:DeleteTargetGroup",
-    ]
-
-    condition {
-      test     = "Null"
-      variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
-      values   = ["false"]
-    }
-  }
-
   statement {
     effect    = "Allow"
     resources = ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"]