Add Crossplane IAM roles, policies, and instance profiles for worker nodes

Author: fiunchinho

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Add Crossplane IAM Roles, policies and instance profiles for the worker nodes. Instead of having an IAM Role per node pool, now we'll use the same for all node pools. *This change will roll the worker nodes*.
+
 ## [6.3.0] - 2025-10-24
 
 ### Changed

helm/cluster-aws/templates/_aws_cluster.tpl

@@ -258,8 +258,6 @@ spec:
     controlPlaneIAMInstanceProfile: control-plane-{{ include "resource.default.name" $ }}
     name: {{ include "aws-region" . }}-capa-{{ include "resource.default.name" $ }}
     nodesIAMInstanceProfiles:
-    {{- range $name, $value := .Values.global.nodePools | default .Values.cluster.providerIntegration.workers.defaultNodePools }}
-    - nodes-{{ $name }}-{{ include "resource.default.name" $ }}
-    {{- end }}
+    - {{ include "resource.default.name" $ }}-workers
   region: {{ include "aws-region" . }}
 {{ end }}

helm/cluster-aws/templates/_karpenter_machine_pools.tpl

@@ -38,6 +38,7 @@ spec:
         volumeType: gp3
         deleteOnTermination: true
     instanceProfile: nodes-{{ $name }}-{{ include "resource.default.name" $ }}
+    instanceProfile: {{ include "resource.default.name" $ }}-workers
     metadataOptions:
       {{- if eq $.Values.global.connectivity.cilium.ipamMode "eni" }}
       httpPutResponseHopLimit: 2

helm/cluster-aws/templates/_machine_pools.tpl

@@ -50,7 +50,7 @@ spec:
     {{- else }}
     {{- include "imageLookupParameters" $ | nindent 4 }}
     {{- end }}
-    iamInstanceProfile: nodes-{{ $name }}-{{ include "resource.default.name" $ }}
+    iamInstanceProfile: {{ include "resource.default.name" $ }}-workers
     instanceType: {{ $value.instanceType | default "r6i.xlarge" }}
     rootVolume:
       size: {{ $value.rootVolumeSizeGB | default 8 }}

helm/cluster-aws/templates/workers-crossplane-iam-role.yaml

@@ -0,0 +1,119 @@
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: Role
+metadata:
+  name: {{ include "resource.default.name" $ }}-workers
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    assumeRolePolicy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "ec2.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole"
+          }
+        ]
+      }
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicy
+metadata:
+  name: {{ include "resource.default.name" $ }}-workers
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    roleRef:
+      name: {{ include "resource.default.name" $ }}-workers
+    policy: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+        {{- if eq .Values.global.connectivity.cilium.ipamMode "eni" }}
+          {
+            "Action": [
+              "ec2:AssignPrivateIpAddresses",
+              "ec2:AttachNetworkInterface",
+              "ec2:CreateNetworkInterface",
+              "ec2:CreateTags",
+              "ec2:DeleteNetworkInterface",
+              "ec2:DescribeInstances",
+              "ec2:DescribeInstanceTypes",
+              "ec2:DescribeNetworkInterfaces",
+              "ec2:DescribeRouteTables",
+              "ec2:DescribeSecurityGroups",
+              "ec2:DescribeSubnets",
+              "ec2:DescribeTags",
+              "ec2:DescribeVpcs",
+              "ec2:ModifyNetworkInterfaceAttribute",
+              "ec2:UnassignPrivateIpAddresses"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          },
+        {{- end }}
+          {
+            "Action": [
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:BatchGetImage",
+              "ecr:DescribeRepositories",
+              "ecr:GetAuthorizationToken",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:GetRepositoryPolicy",
+              "ecr:ListImages"
+            ],
+            "Resource": "*",
+            "Effect": "Allow"
+          }
+        ]
+      }
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: InstanceProfile
+metadata:
+  name: {{ include "resource.default.name" $ }}-workers
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    tags:
+      managed-by: "cluster-aws"
+      giantswarm.io/cluster: {{ include "resource.default.name" $ }}
+      giantswarm.io/installation: {{ .Values.global.managementCluster }}
+      {{- if .Values.global.providerSpecific.additionalResourceTags -}}{{- toYaml .Values.global.providerSpecific.additionalResourceTags | nindent 4 }}{{- end}}
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}
+---
+apiVersion: iam.aws.upbound.io/v1beta1
+kind: RolePolicyAttachment
+metadata:
+  name: {{ include "resource.default.name" $ }}-workers
+  labels:
+    {{- include "labels.common" $ | nindent 4 }}
+    app.kubernetes.io/version: {{ .Chart.Version | quote }}
+spec:
+  forProvider:
+    roleRef:
+      name: {{ include "resource.default.name" $ }}-workers
+    instanceProfileRef:
+      name: {{ include "resource.default.name" $ }}-workers
+  providerConfigRef:
+    name: {{ include "resource.default.name" $ }}