fix(alb-policy): policy fix (#2459)

Co-authored-by: Edward Malinowski <[email protected]>
uc-cdis · Feb 7, 2024 · 36ea4d5 · 36ea4d5
1 parent 8c00a23
commit 36ea4d5
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/gen3/bin/kube-setup-ingress.sh b/gen3/bin/kube-setup-ingress.sh
@@ -232,6 +232,28 @@ gen3_ingress_setup_role() {
                 }
             }
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags"
+            ],
+            "Resource": [
+                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "elasticloadbalancing:CreateAction": [
+                        "CreateTargetGroup",
+                        "CreateLoadBalancer"
+                    ]
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": [
@@ -329,4 +351,4 @@ g3kubectl apply -f "${GEN3_HOME}/kube/services/revproxy/revproxy-service.yaml"
 envsubst <$scriptDir/ingress.yaml | g3kubectl apply -f -
 if [ "$deployWaf" = true ]; then
   gen3_ingress_setup_waf
-fi
+fi