This repository has been archived by the owner on Jul 27, 2021. It is now read-only.

IAM error when creating ALBs #32

Open
brentley opened this issue Jul 30, 2018 · 0 comments

Here is an example error:

```
mu-55-loadbalancer-acceptance: Elb (AWS::ElasticLoadBalancingV2::LoadBalancer) CREATE_FAILED API: elasticloadbalancingv2:CreateLoadBalancer User: arn:aws:sts::497382815317:assumed-role/mu-55-cloudformation-common-us-east-1/AWSCloudFormation is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::497382815317:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
```

After researching and talking with @cplee we figured out that ALB now requires a service linked role also, and Mu only creates a missing service linked role for ECS:

https://github.com/stelligent/mu/blob/develop/templates/assets/common-iam.yml#L337

      - PolicyName: service-linked-roles
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Action:
            - iam:CreateServiceLinkedRole
            - iam:PutRolePolicy
            Resource: arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*

Casey is cutting a new fix release to add ALB service linked role support. As a work-around you can also add this one-liner:

+++ backend-service/common-iam.yml
@@ -15,5 +15,6 @@ Resources:
               - route53:DeleteHostedZone
               - route53:UpdateHostedZoneComment
               - route53:ListQueryLoggingConfigs
+              - iam:CreateServiceLinkedRole
               Resource: '*'
               Effect: Allow
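
Review bot: The added `iam:CreateServiceLinkedRole` line lands in a statement whose `Resource` is `'*'`, so the CloudFormation role may create a service-linked role for any AWS service, not only Elastic Load Balancing. Consider a separate statement scoped like the existing ECS one, with `Resource: arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing*` (the role named in the error above), optionally with an `iam:AWSServiceName` condition for `elasticloadbalancing.amazonaws.com`.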
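
A check for the scoping difference between the two policy statements in this issue, as an added example that is not part of the original post or of Mu's code. It flags any Allow statement that grants `iam:CreateServiceLinkedRole` without tying it to a named service; the function names and the sample statements (JSON form of the YAML, with `Effect` filled in where the page does not show it) are assumptions made for illustration.

```python
import fnmatch
import re

# A resource that names one concrete service under the service-linked-role path.
SCOPED_SLR_ARN = re.compile(
    r"^arn:aws[a-z-]*:iam::[^:]*:role/aws-service-role/[a-z0-9.-]+\.amazonaws\.com/.+$")

def as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def allows_slr_creation(st):
    """True if an Allow statement's Action patterns cover iam:CreateServiceLinkedRole."""
    if st.get("Effect") != "Allow":
        return False
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase("iam:createservicelinkedrole", a.lower())
               for a in as_list(st.get("Action")))

def pinned_to_service(st):
    """True if a condition restricts iam:AWSServiceName to named services."""
    for op in ("StringEquals", "StringLike"):
        for key, val in st.get("Condition", {}).get(op, {}).items():
            names = as_list(val)
            if key.lower() == "iam:awsservicename" and names and all("*" not in n for n in names):
                return True
    return False

def find_broad_slr_grants(statements):
    """Return (index, unscoped resources) for statements that allow creating a
    service-linked role for any service."""
    findings = []
    for i, st in enumerate(statements):
        if not allows_slr_creation(st) or pinned_to_service(st):
            continue
        broad = [r for r in as_list(st.get("Resource")) if not SCOPED_SLR_ARN.match(r)]
        if broad:
            findings.append((i, broad))
    return findings

# Constructed samples: 0 mirrors the ECS statement, 1 the workaround, 2 and 3 are variants.
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*"},
    {"Effect": "Allow", "Action": ["route53:ListQueryLoggingConfigs", "iam:CreateServiceLinkedRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}}},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]
```

On the samples, `find_broad_slr_grants(SAMPLE_STATEMENTS)` reports statements 1 and 3 and passes the ECS-scoped and condition-pinned ones.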