From ba0865706e51d2dc2fc0088d902718a9b16c8f64 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 3 Apr 2025 09:47:12 +0200
Subject: [PATCH] deps: update bazel (plugins) (#3675)

* deps: update bazel (plugins)

Co-Authored-By: Markus Rudy <mr@edgeless.systems>

* deps: tidy all modules

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Markus Rudy <mr@edgeless.systems>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
---
 .../source.bzl                                            | 8 ++++----
 bazel/toolchains/container_images.bzl                     | 2 +-
 bazel/toolchains/oci_deps.bzl                             | 8 ++++----
 terraform/infrastructure/iam/aws/alb_policy.json          | 7 +++++--
 4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
index 7765fefc0..e2c1e8034 100644
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
@@ -6,10 +6,10 @@ def aws_load_balancer_controller_deps():
     http_archive(
         name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/0cb78cdff9742945c9968ac12c785164a052b52260d19d218bb28a8bec04a2fd",
-            "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.11.0.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
+            "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz",
         ],
-        strip_prefix = "aws-load-balancer-controller-2.11.0",
+        strip_prefix = "aws-load-balancer-controller-2.12.0",
         build_file_content = """
 filegroup(
     srcs = ["docs/install/iam_policy.json"],
@@ -18,5 +18,5 @@ filegroup(
 )
         """,
         type = "tar.gz",
-        sha256 = "0cb78cdff9742945c9968ac12c785164a052b52260d19d218bb28a8bec04a2fd",
+        sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
     )
diff --git a/bazel/toolchains/container_images.bzl b/bazel/toolchains/container_images.bzl
index f260c6bd5..eedd9279a 100644
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull")
 def containter_image_deps():
     oci_pull(
         name = "distroless_static",
-        digest = "sha256:3f2b64ef97bd285e36132c684e6b2ae8f2723293d09aae046196cca64251acac",
+        digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9",
         image = "gcr.io/distroless/static",
         platforms = [
             "linux/amd64",
diff --git a/bazel/toolchains/oci_deps.bzl b/bazel/toolchains/oci_deps.bzl
index dd1063ddc..f425e9066 100644
--- a/bazel/toolchains/oci_deps.bzl
+++ b/bazel/toolchains/oci_deps.bzl
@@ -7,13 +7,13 @@ def oci_deps():
     # Remove this override once https://github.com/bazel-contrib/rules_oci/issues/420 is fixed.
     http_archive(
         name = "rules_oci",
-        strip_prefix = "rules_oci-2.2.1",
+        strip_prefix = "rules_oci-2.2.5",
         type = "tar.gz",
         urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/cfea16076ebbec1faea494882ab97d94b1a62d6bcd5aceabad8f95ea0d0a1361",
-            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.1/rules_oci-v2.2.1.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
+            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.5/rules_oci-v2.2.5.tar.gz",
         ],
-        sha256 = "cfea16076ebbec1faea494882ab97d94b1a62d6bcd5aceabad8f95ea0d0a1361",
+        sha256 = "361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
         patches = ["//bazel/toolchains:0001-disable-Windows-support.patch"],
         patch_args = ["-p1"],
     )
diff --git a/terraform/infrastructure/iam/aws/alb_policy.json b/terraform/infrastructure/iam/aws/alb_policy.json
index 1a5b4d614..fe1976170 100644
--- a/terraform/infrastructure/iam/aws/alb_policy.json
+++ b/terraform/infrastructure/iam/aws/alb_policy.json
@@ -30,6 +30,7 @@
                 "ec2:GetCoipPoolUsage",
                 "ec2:DescribeCoipPools",
                 "ec2:GetSecurityGroupsForVpc",
+                "ec2:DescribeIpamPools",
                 "elasticloadbalancing:DescribeLoadBalancers",
                 "elasticloadbalancing:DescribeLoadBalancerAttributes",
                 "elasticloadbalancing:DescribeListeners",
@@ -193,7 +194,8 @@
                 "elasticloadbalancing:ModifyTargetGroupAttributes",
                 "elasticloadbalancing:DeleteTargetGroup",
                 "elasticloadbalancing:ModifyListenerAttributes",
-                "elasticloadbalancing:ModifyCapacityReservation"
+                "elasticloadbalancing:ModifyCapacityReservation",
+                "elasticloadbalancing:ModifyIpPools"
             ],
             "Resource": "*",
             "Condition": {
@@ -239,7 +241,8 @@
                 "elasticloadbalancing:ModifyListener",
                 "elasticloadbalancing:AddListenerCertificates",
                 "elasticloadbalancing:RemoveListenerCertificates",
-                "elasticloadbalancing:ModifyRule"
+                "elasticloadbalancing:ModifyRule",
+                "elasticloadbalancing:SetRulePriorities"
             ],
             "Resource": "*"
         }