feat: Extend more control over Karpenter permissions for 0.32+ changes (#315)

bryantbiggs · web-flow · commit c9690d68aabb · 2023-11-15T11:34:53.000-05:00
diff --git a/main.tf b/main.tf
@@ -2837,8 +2837,8 @@ data "aws_iam_policy_document" "karpenter" {
 
     condition {
       test     = "StringLike"
-      variable = "ec2:ResourceTag/Name"
-      values   = ["*karpenter*", "*compute.internal"]
+      variable = "ec2:ResourceTag/${try(var.karpenter.irsa_tag_key, "Name")}"
+      values   = try(var.karpenter.irsa_tag_values, ["*karpenter*", "*compute.internal", "*ec2.internal"])
     }
   }
 
@@ -2976,7 +2976,7 @@ resource "aws_iam_role_policy_attachment" "additional" {
 }
 
 resource "aws_iam_instance_profile" "karpenter" {
-  count = var.enable_karpenter && try(var.karpenter_node.create_instance_profile, true) && !var.karpenter_enable_instance_profile_creation ? 1 : 0
+  count = var.enable_karpenter && try(var.karpenter_node.create_instance_profile, true) ? 1 : 0
 
   name        = try(var.karpenter_node.iam_role_use_name_prefix, true) ? null : local.karpenter_node_iam_role_name
   name_prefix = try(var.karpenter_node.iam_role_use_name_prefix, true) ? "${local.karpenter_node_iam_role_name}-" : null

Original file line number	Diff line number	Diff line change
`@@ -2837,8 +2837,8 @@ data "aws_iam_policy_document" "karpenter" {`
`2837`	`2837`
`2838`	`2838`	`condition {`
`2839`	`2839`	`test = "StringLike"`
`2840`		`- variable = "ec2:ResourceTag/Name"`
`2841`		`- values = ["karpenter", "*compute.internal"]`
	`2840`	`+ variable = "ec2:ResourceTag/${try(var.karpenter.irsa_tag_key, "Name")}"`
	`2841`	`+ values = try(var.karpenter.irsa_tag_values, ["karpenter", "compute.internal", "ec2.internal"])`
`2842`	`2842`	`}`
`2843`	`2843`	`}`
`2844`	`2844`
`@@ -2976,7 +2976,7 @@ resource "aws_iam_role_policy_attachment" "additional" {`
`2976`	`2976`	`}`
`2977`	`2977`
`2978`	`2978`	`resource "aws_iam_instance_profile" "karpenter" {`
`2979`		`- count = var.enable_karpenter && try(var.karpenter_node.create_instance_profile, true) && !var.karpenter_enable_instance_profile_creation ? 1 : 0`
	`2979`	`+ count = var.enable_karpenter && try(var.karpenter_node.create_instance_profile, true) ? 1 : 0`
`2980`	`2980`
`2981`	`2981`	`name = try(var.karpenter_node.iam_role_use_name_prefix, true) ? null : local.karpenter_node_iam_role_name`
`2982`	`2982`	`name_prefix = try(var.karpenter_node.iam_role_use_name_prefix, true) ? "${local.karpenter_node_iam_role_name}-" : null`