Yes, I've searched similar issues on GitHub and didn't find any.
Amazon EKS Blueprints Release version
v4.2.1
What is your environment, configuration and the example used?
module "eks_blueprints_kubernetes_addons" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.2.1"

  enable_aws_load_balancer_controller = true
  aws_load_balancer_controller_helm_config = {
    set = [for key, value in data.aws_default_tags.default.tags : {
      name  = "defaultTags.${key}"
      value = value
    }]
  }
}
What did you do and What did you see instead?
The aws-load-balancer-controller fails to create target groups when defaultTags are used. Ingress resources report the following error:
Failed deploy model due to AccessDenied: User: arn:<aws-load-balancer-controller-sa> is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:<REGION>:<ACCOUNT>:listener/app/<LISTENER> because no identity-based policy allows the elasticloadbalancing:AddTags action
Additional Information
It looks like the following policy statement is missing from the aws-load-balancer-controller aws_iam_policy_document:
statement {
  sid    = ""
  effect = "Allow"
  resources = [
    "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener/net/*/*/*",
    "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener/app/*/*/*",
    "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
    "arn:${var.addon_context.aws_partition_id}:elasticloadbalancing:*:*:listener-rule/app/*/*/*",
  ]
  actions = [
    "elasticloadbalancing:AddTags",
    "elasticloadbalancing:RemoveTags",
  ]
}
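The gap reported above can be checked offline against a rendered policy document before it is attached to the controller's role. The following is an added example, not code from the issue or from the EKS Blueprints project: the `BEFORE` policy, the account ID and the listener ARNs are constructed, the partition is assumed to be `aws`, and the evaluator ignores `Condition`, `NotAction` and `NotResource`.

```python
import re

TAG_ACTIONS = ["elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags"]

def _glob(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters (including '/'), '?' is one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags | re.DOTALL) is not None

def _listify(v):
    return [v] if isinstance(v, (str, dict)) else list(v)

def is_allowed(policy, action, resource):
    # Simplified evaluation: Condition, NotAction and NotResource are not modelled.
    allowed = False
    for stmt in _listify(policy["Statement"]):
        # Action names match case-insensitively, resource ARNs case-sensitively.
        hit = (any(_glob(a, action, re.IGNORECASE) for a in _listify(stmt.get("Action", [])))
               and any(_glob(r, resource) for r in _listify(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def missing_tag_permissions(policy, resources):
    # Every (action, resource) pair the policy does not allow.
    return [(a, r) for r in resources for a in TAG_ACTIONS if not is_allowed(policy, a, r)]

# Constructed sample data (not the module's real policy; account, names and IDs are made up).
PREFIX = "arn:aws:elasticloadbalancing:"
BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": TAG_ACTIONS,
    "Resource": [PREFIX + "*:*:targetgroup/*/*", PREFIX + "*:*:loadbalancer/app/*/*"]}]}
# Statement proposed in the issue, with the partition variable replaced by "aws".
PROPOSED = {"Effect": "Allow", "Action": TAG_ACTIONS, "Resource": [
    PREFIX + "*:*:listener/net/*/*/*", PREFIX + "*:*:listener/app/*/*/*",
    PREFIX + "*:*:listener-rule/net/*/*/*", PREFIX + "*:*:listener-rule/app/*/*/*"]}
AFTER = {"Version": "2012-10-17", "Statement": BEFORE["Statement"] + [PROPOSED]}
SAMPLE = [
    PREFIX + "us-east-1:111122223333:listener/app/demo/0123456789abcdef/0011223344556677",
    PREFIX + "us-east-1:111122223333:listener-rule/app/demo/0123456789abcdef/0011223344556677/8899aabbccddeeff",
]

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        print(name, missing_tag_permissions(pol, SAMPLE))
```

Because `*` also matches `/`, the three-wildcard `listener-rule/app/*/*/*` pattern covers rule ARNs, which carry one more path segment than listener ARNs.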