
AwsLoadBalancerControllerAddOn: Creating ingress fails due to permission issue for elasticloadbalancing:AddTags on targetgroup #737

Closed
hendryanw opened this issue Jun 21, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@hendryanw
Contributor

Describe the bug

Creating ingress using ALB fails because of permission issues as shown in the following error log:

{
  "level": "error",
  "ts": "2023-06-21T07:38:52Z",
  "msg": "Reconciler error",
  "controller": "ingress",
  "object": {
    "name": "redacted",
    "namespace": "redacted"
  },
  "namespace": "redacted",
  "name": "redacted",
  "reconcileID": "21838bd2-b4b7-40a6-a216-9d061972cbfe",
  "error": "AccessDenied: User: arn:aws:sts::redacted:assumed-role/redacted is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:redacted:redacted:targetgroup/redacted/* because no identity-based policy allows the elasticloadbalancing:AddTags action\n\tstatus code: 403, request id: redacted"
}

This may be related to this issue: kubernetes-sigs/aws-load-balancer-controller#2692

Expected Behavior

Ingress is successfully created without permission issues, as the add-on manages the required permissions.

Current Behavior

The ingress creation fails with the error described above.

Reproduction Steps

The cluster is created with the following blueprints code:

import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as eks from 'aws-cdk-lib/aws-eks';

// Imports assumed for this snippet; it is meant to run inside a CDK Stack
// constructor, where `scope`, `id` and `props` are the constructor's parameters.
var addOns: Array<blueprints.ClusterAddOn> = [
  new blueprints.addons.AwsLoadBalancerControllerAddOn(),
  new blueprints.addons.VpcCniAddOn(),
  new blueprints.addons.CoreDnsAddOn(),
  new blueprints.addons.KubeProxyAddOn("v1.26.2-eksbuild.1")
]

const clusterProvider = new blueprints.GenericClusterProvider({
  version: eks.KubernetesVersion.V1_26,
  managedNodeGroups: [
    {
      id: 'x86-onde-large-mng',
      nodegroupName: 'x86-onde-large-mng',
      desiredSize: 1,
      minSize: 1,
      maxSize: 10,
      diskSize: 50,
      instanceTypes: [ new ec2.InstanceType("m5.large") ],
      nodeGroupCapacityType: eks.CapacityType.ON_DEMAND
    },
    {
      id: 'arm-onde-large-mng',
      nodegroupName: 'arm-onde-large-mng',
      desiredSize: 1,
      minSize: 1,
      maxSize: 10,
      diskSize: 50,
      instanceTypes: [ new ec2.InstanceType("m6g.large") ],
      nodeGroupCapacityType: eks.CapacityType.ON_DEMAND,
      // Keep non-Graviton workloads off the arm64 nodes unless they tolerate this taint
      taints: [ {
        effect: eks.TaintEffect.NO_EXECUTE,
        key: "graviton",
        value: "true"
      } ]
    }
  ]
});

blueprints.EksBlueprint.builder()
  .account(props.env?.account)
  .region(props.env?.region)
  .clusterProvider(clusterProvider)
  .addOns(...addOns)
  .build(scope, `${id}-eksblueprints`);

Then create an ingress resource with standard parameters to expose a service to the internet using ALB.

Possible Solution

Update the file located at /lib/addons/aws-loadbalancer-controller/iam-policy.ts to the latest policy, as in version 2.5.2.

Additional Information/Context

No response

CDK CLI Version

2.84.0

EKS Blueprints Version

1.9.1

Node.js Version

18.12.1

Environment details (OS name and version, etc.)

MacOS

Other information

I have tried replacing the policy with the latest one manually and the issue is fixed. Will submit a pull request.
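The AccessDenied in the report is the controller tagging a target group at creation time while its policy only allows elasticloadbalancing:AddTags on resources that already carry the cluster tag. As an added example (not code from this issue, from eks-blueprints or from the controller project), the small offline policy evaluator below shows that difference: the two statements, the condition keys used, the account id and the ARNs are constructed assumptions modelled on the controller's IAM policy, not copied from it.

```python
import fnmatch

# Constructed sample statements (assumptions, not the real controller policy).
# OLD only allows AddTags on a target group that is already tagged as cluster-owned;
# NEW also allows tagging while CreateTargetGroup is running (tag-on-create).
TG_ARN_PATTERN = "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
OLD_ADDTAGS = {"Effect": "Allow", "Action": "elasticloadbalancing:AddTags",
               "Resource": TG_ARN_PATTERN,
               "Condition": {"Null": {"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"}}}
NEW_ADDTAGS = {"Effect": "Allow", "Action": "elasticloadbalancing:AddTags",
               "Resource": TG_ARN_PATTERN,
               "Condition": {"StringEquals": {"elasticloadbalancing:CreateAction": "CreateTargetGroup"},
                             "Null": {"aws:RequestTag/elbv2.k8s.aws/cluster": "false"}}}
OLD_POLICY = {"Version": "2012-10-17", "Statement": [OLD_ADDTAGS]}
NEW_POLICY = {"Version": "2012-10-17", "Statement": [OLD_ADDTAGS, NEW_ADDTAGS]}

# Constructed request: the controller creating a tagged target group (no ResourceTag
# exists yet because the resource does not exist yet).
TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/k8s-demo/0123456789abcdef"
CREATE_CTX = {"elasticloadbalancing:CreateAction": "CreateTargetGroup",
              "aws:RequestTag/elbv2.k8s.aws/cluster": "demo-cluster"}
EXISTING_CTX = {"aws:ResourceTag/elbv2.k8s.aws/cluster": "demo-cluster"}


def _match(patterns, value):
    # IAM "*" matches any run of characters, including ":" and "/".
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_ok(cond, ctx):
    # Only the two operators the sample statements use are modelled.
    for key, expected in cond.get("StringEquals", {}).items():
        allowed = [expected] if isinstance(expected, str) else expected
        if ctx.get(key) not in allowed:
            return False
    for key, want_absent in cond.get("Null", {}).items():
        if (key not in ctx) != (want_absent == "true"):
            return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    decision = False
    for st in policy["Statement"]:
        if not (_match(st["Action"], action) and _match(st["Resource"], resource)):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Against a real role, the equivalent check is an IAM policy simulation for elasticloadbalancing:AddTags on a targetgroup ARN with the elasticloadbalancing:CreateAction context key set.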

@muniter

This comment was marked as resolved.

@hendryanw
Contributor Author

Just tested with the 1.10.0 release; the issue is fixed.
