terraform: update AWS LB permissions (#3681)

* bazel: add download rules for AWS LB policy

* docs: add migration notice

* terraform: re-download lb policy

Author: msanft

3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel

@@ -0,0 +1,13 @@
+load("//bazel/sh:def.bzl", "sh_template")
+
+sh_template(
+    name = "pull_files",
+    data = [
+        "@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy",
+    ],
+    substitutions = {
+        "@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)",
+    },
+    template = "pull_files.sh",
+    visibility = ["//visibility:public"],
+)

3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###### script header ######
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../../../bazel/sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+controller_policy_source="@@POLICY_SRC@@"
+
+###### script body ######
+
+controller_policy_real_source=$(realpath "${controller_policy_source}")
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath
+
+targetDir="terraform/infrastructure/iam/aws/alb_policy.json"
+
+cp "${controller_policy_real_source}" "${targetDir}"

3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl

@@ -0,0 +1,22 @@
+"""A module defining the source of the AWS load balancer controller."""
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+def aws_load_balancer_controller_deps():
+    http_archive(
+        name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/0cb78cdff9742945c9968ac12c785164a052b52260d19d218bb28a8bec04a2fd",
+            "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.11.0.tar.gz",
+        ],
+        strip_prefix = "aws-load-balancer-controller-2.11.0",
+        build_file_content = """
+filegroup(
+    srcs = ["docs/install/iam_policy.json"],
+    name = "lb_policy",
+    visibility = ["//visibility:public"],
+)
+        """,
+        type = "tar.gz",
+        sha256 = "0cb78cdff9742945c9968ac12c785164a052b52260d19d218bb28a8bec04a2fd",
+    )

WORKSPACE.bzlmod

@@ -234,6 +234,10 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"
 
 node_maintainance_operator_deps()
 
+load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
+
+aws_load_balancer_controller_deps()
+
 # CI deps
 load("//bazel/toolchains:ci_deps.bzl", "ci_deps")
 

bazel/ci/BUILD.bazel

@@ -558,6 +558,7 @@ multirun(
     commands = [
         ":terraform_gen",
         "//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
+        "//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
         ":go_generate",
         ":proto_generate",
     ],

docs/docs/reference/migration.md

@@ -36,7 +36,13 @@ done
 echo "All specified rules have been deleted."
 ```
 
-## Migrations to v2.19.0
+## Migrating from CLI versions before 2.21.1
+
+### AWS
+
+* AWS clusters that use `LoadBalancer` resources require more IAM permissions. Please upgrade your IAM roles using `constellation iam upgrade apply`. This will show necessary changes and apply them, if desired.
+
+## Migrating from CLI versions before 2.19.0
 
 ### Azure
 
@@ -46,7 +52,7 @@ echo "All specified rules have been deleted."
  If your Constellation has services of type `LoadBalancer`, please remove them before the upgrade and re-apply them
  afterward.
 
-## Migrating from Azure's service principal authentication to managed identity authentication (during the upgrade to Constellation v2.8.0)
+## Migrating from CLI versions before 2.18.0
 
 * The `provider.azure.appClientID` and `provider.azure.appClientSecret` fields are no longer supported and should be removed.
 * To keep using an existing UAMI, add the `Owner` permission with the scope of your `resourceGroup`.

terraform/infrastructure/iam/aws/alb_policy.json

@@ -29,6 +29,7 @@
                 "ec2:DescribeTags",
                 "ec2:GetCoipPoolUsage",
                 "ec2:DescribeCoipPools",
+                "ec2:GetSecurityGroupsForVpc",
                 "elasticloadbalancing:DescribeLoadBalancers",
                 "elasticloadbalancing:DescribeLoadBalancerAttributes",
                 "elasticloadbalancing:DescribeListeners",
@@ -39,7 +40,9 @@
                 "elasticloadbalancing:DescribeTargetGroupAttributes",
                 "elasticloadbalancing:DescribeTargetHealth",
                 "elasticloadbalancing:DescribeTags",
-                "elasticloadbalancing:DescribeTrustStores"
+                "elasticloadbalancing:DescribeTrustStores",
+                "elasticloadbalancing:DescribeListenerAttributes",
+                "elasticloadbalancing:DescribeCapacityReservation"
             ],
             "Resource": "*"
         },
@@ -188,7 +191,9 @@
                 "elasticloadbalancing:DeleteLoadBalancer",
                 "elasticloadbalancing:ModifyTargetGroup",
                 "elasticloadbalancing:ModifyTargetGroupAttributes",
-                "elasticloadbalancing:DeleteTargetGroup"
+                "elasticloadbalancing:DeleteTargetGroup",
+                "elasticloadbalancing:ModifyListenerAttributes",
+                "elasticloadbalancing:ModifyCapacityReservation"
             ],
             "Resource": "*",
             "Condition": {