Update IAM policy attachment for node role to use ReadOnly access and add lifecycle block to private subnet resource

karimzakzouk · karimzakzouk · commit 14cb0b844a65 · 2025-08-31T10:01:41.000+03:00
diff --git a/Terraform/modules/eks/main.tf b/Terraform/modules/eks/main.tf
@@ -90,7 +90,7 @@ resource "aws_iam_role" "node" {
 resource "aws_iam_role_policy_attachment" "node_policy" {
   for_each = toset([
     "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
-    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly",
+    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",    
     "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
   ])
 
diff --git a/Terraform/modules/vpc/main.tf b/Terraform/modules/vpc/main.tf
@@ -22,6 +22,10 @@ resource "aws_subnet" "private" {
     "karpenter.sh/discovery"                    = var.cluster_name
   }
 
+  lifecycle {
+    create_before_destroy = false
+  }
+
   depends_on = [
     aws_vpc.main
   ]

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,10 @@ resource "aws_subnet" "private" {`
`22`	`22`	`"karpenter.sh/discovery" = var.cluster_name`
`23`	`23`	`}`
`24`	`24`
	`25`	`+ lifecycle {`
	`26`	`+ create_before_destroy = false`
	`27`	`+ }`
	`28`	`+`
`25`	`29`	`depends_on = [`
`26`	`30`	`aws_vpc.main`
`27`	`31`	`]`