Always grant route53 ListHostedZones permission

Author: justinsb

pkg/model/iam/iam_builder.go

@@ -182,6 +182,8 @@ func (b *IAMPolicyBuilder) BuildAWSIAMPolicy() (*IAMPolicy, error) {
 	if b.HostedZoneID != "" {
 		addRoute53Permissions(p, b.HostedZoneID)
 	}
+	// dns-controller currently assumes it can list the hosted zones, even when using gossip
+	addRoute53ListHostedZonesPermission(p)
 
 	// For S3 IAM permissions, we grant permissions to subtrees.  So find the parents;
 	// we don't need to grant mypath and mypath/child.
@@ -279,7 +281,9 @@ func addRoute53Permissions(p *IAMPolicy, hostedZoneID string) {
 		Action:   stringorslice.Slice([]string{"route53:GetChange"}),
 		Resource: stringorslice.Slice([]string{"arn:aws:route53:::change/*"}),
 	})
+}
 
+func addRoute53ListHostedZonesPermission(p *IAMPolicy) {
 	wildcard := stringorslice.Slice([]string{"*"})
 	p.Statement = append(p.Statement, &IAMStatement{
 		Effect:   IAMStatementEffectAllow,