fix: Allow for both amazonaws.com.cn and amazonaws.com conditions in PassRole as required for AWS CN (#3422)

datty · Oliver Smith · web-flow · commit 83b68fda2b0e · 2025-07-17T09:03:09.000-05:00
* Allow for both amazonaws.com.cn and amazonaws.com conditions as required for AWS CN

* Allow for both amazonaws.com.cn and amazonaws.com conditions as required for AWS CN - set in correct policy

---------

Co-authored-by: Oliver Smith &lt;osmith@netvirta.com&gt;
diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
@@ -585,7 +585,7 @@ data "aws_iam_policy_document" "v1" {
     condition {
       test     = "StringEquals"
       variable = "iam:PassedToService"
-      values   = ["ec2.${local.dns_suffix}"]
+      values   = distinct(["ec2.${local.dns_suffix}", "ec2.amazonaws.com"])
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -585,7 +585,7 @@ data "aws_iam_policy_document" "v1" {`
`585`	`585`	`condition {`
`586`	`586`	`test = "StringEquals"`
`587`	`587`	`variable = "iam:PassedToService"`
`588`		`- values = ["ec2.${local.dns_suffix}"]`
	`588`	`+ values = distinct(["ec2.${local.dns_suffix}", "ec2.amazonaws.com"])`
`589`	`589`	`}`
`590`	`590`	`}`
`591`	`591`