feat: Update IAM policy for AWS Gateway Controller (#563)

Co-authored-by: Peng Hiang LOW <[email protected]>
Co-authored-by: Bryant Biggs <[email protected]>

Author: 3 people

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -5,16 +5,49 @@
 data "aws_iam_policy_document" "aws_gateway_controller" {
   count = var.create_role && var.attach_aws_gateway_controller_policy ? 1 : 0
 
-  # https://github.com/aws/aws-application-networking-k8s/blob/v0.0.11/examples/recommended-inline-policy.json
+  # https://github.com/aws/aws-application-networking-k8s/blob/v1.1.0/files/controller-installation/recommended-inline-policy.json
   statement {
     actions = [
       "vpc-lattice:*",
-      "iam:CreateServiceLinkedRole",
       "ec2:DescribeVpcs",
       "ec2:DescribeSubnets",
+      "ec2:DescribeTags",
+      "ec2:DescribeSecurityGroups",
+      "logs:CreateLogDelivery",
+      "logs:GetLogDelivery",
+      "logs:DescribeLogGroups",
+      "logs:PutResourcePolicy",
+      "logs:DescribeResourcePolicies",
+      "logs:UpdateLogDelivery",
+      "logs:DeleteLogDelivery",
+      "logs:ListLogDeliveries",
+      "tag:GetResources",
+      "firehose:TagDeliveryStream",
+      "s3:GetBucketPolicy",
+      "s3:PutBucketPolicy",
     ]
     resources = ["*"]
   }
+
+  statement {
+    actions   = ["iam:CreateServiceLinkedRole"]
+    resources = ["arn:${local.partition}:iam::*:role/aws-service-role/vpc-lattice.${local.dns_suffix}/AWSServiceRoleForVpcLattice"]
+    condition {
+      test     = "StringLike"
+      variable = "iam:AWSServiceName"
+      values   = ["vpc-lattice.${local.dns_suffix}"]
+    }
+  }
+
+  statement {
+    actions   = ["iam:CreateServiceLinkedRole"]
+    resources = ["arn:${local.partition}:iam::*:role/aws-service-role/delivery.logs.${local.dns_suffix}/AWSServiceRoleForLogDelivery"]
+    condition {
+      test     = "StringLike"
+      variable = "iam:AWSServiceName"
+      values   = ["delivery.logs.${local.dns_suffix}"]
+    }
+  }
 }
 
 resource "aws_iam_policy" "aws_gateway_controller" {