If your request is for a new feature, please use the Feature request template.
[X] ✋ I have searched the open/closed issues and my issue is not listed.
Versions
Module version [Required]: v4.32.1
Reproduction Code [Required]
enable_aws_load_balancer_controller = true
Steps to reproduce the behavior:
Just try to use the aws_load_balancer_controller add-on.
Expected behaviour
AWS Load Balancer and TargetGroups created.
Actual behaviour
{"level":"error","ts":"2023-11-06T04:25:20Z","msg":"Reconciler error","controller":"service","object":{"name":"envoy","namespace":"projectcontour"},"namespace":"projectcontour","name":"envoy","reconcileID":"069d52f0-a951-477a-829e-455a7338080f","error":"AccessDenied: User: arn:aws:sts::174550113169:assumed-role/internal-nonprod-test-aws-load-balancer-controller-sa-irsa/1699244662742057534 is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:ap-southeast-2:174550113169:targetgroup/k8s-projectc-envoy-3c48195c26/* because no identity-based policy allows the elasticloadbalancing:AddTags action\n\tstatus code: 403, request id: 2b8da35c-8533-4bd4-8b8d-073add02dc65"}
Description
Since an update to AWS Create APIs, the AWS load balancer controller can no longer tag TargetGroups with its current IAM Role permissions. Can we update: https://github.com/aws-ia/terraform-aws-eks-blueprints/blob/v4.32.1/modules/kubernetes-addons/aws-load-balancer-controller/data.tf
To match the new recommended policy: https://github.com/kubernetes-sigs/aws-load-balancer-controller/pull/3068/files
And be released via a v4 patch?
Terminal Output Screenshot(s)
N/A
Additional context
N/A
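A triage sketch for this kind of failure, added here as an example and not part of the issue or of either project's code: it pulls the denied action and resource out of a controller log line and checks whether a policy document has a statement covering them. The log line and both policies are constructed placeholders, and the matcher is a simplification that ignores `Condition` blocks and `NotAction`/`NotResource`.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed log line modelled on the error above; IDs and names are placeholders.
SAMPLE_LOG = json.dumps({"level": "error", "msg": "Reconciler error", "error": (
    "AccessDenied: User: arn:aws:sts::111122223333:assumed-role/example-lbc-irsa/"
    "1700000000000000000 is not authorized to perform: elasticloadbalancing:AddTags "
    "on resource: arn:aws:elasticloadbalancing:ap-southeast-2:111122223333:"
    "targetgroup/k8s-example-0123456789/* because no identity-based policy allows "
    "the elasticloadbalancing:AddTags action\n\tstatus code: 403")})

# Constructed policies (not the module's real data.tf): without and with AddTags.
POLICY_BEFORE = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["elasticloadbalancing:CreateTargetGroup"]}]}
POLICY_AFTER = {"Statement": POLICY_BEFORE["Statement"] + [{
    "Effect": "Allow", "Action": "elasticloadbalancing:AddTags",
    "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"}]}

DENIED = re.compile(r"AccessDenied: User: (?P<principal>\S+) is not authorized to "
                    r"perform: (?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_denial(line):
    """Extract principal, action and resource from one JSON log line, else None."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    match = DENIED.search(str(record.get("error", "")))
    return match.groupdict() if match else None

def _listify(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM actions are case-insensitive; resources are matched case-sensitively.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in _listify(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _listify(stmt.get("Resource", []))))

def policy_covers(policy, action, resource):
    """Simplified: explicit Deny wins, then any matching Allow; Condition is ignored."""
    hits = [s["Effect"] for s in _listify(policy["Statement"]) if _matches(s, action, resource)]
    return "Deny" not in hits and "Allow" in hits

if __name__ == "__main__":
    d = parse_denial(SAMPLE_LOG)
    for name, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, d["action"], policy_covers(pol, d["action"], d["resource"]))
```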