1 change: 1 addition & 0 deletions README.md
Expand Up @@ -289,6 +289,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | Map of Fargate Profile definitions to create | `any` | `{}` | no |
| <a name="input_iam_role_additional_policies"></a> [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
| <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the cluster. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
| <a name="input_iam_role_conditions"></a> [iam\_role\_conditions](#input\_iam\_role\_conditions) | Additional conditions of the IAM role assume policy | <pre>list(object({<br/> test = string<br/> variable = string<br/> values = list(string)<br/> }))</pre> | `[]` | no |
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Cluster IAM role path | `string` | `null` | no |
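Review bot: the new `iam_role_conditions` row does not say when the input takes effect. The neighbouring `iam_role_arn` row notes that it is required if `create_iam_role` is `false`; the description here should likewise state whether the conditions are ignored when an existing role ARN is supplied, so nobody assumes a trust-policy restriction is in place on a role this module does not manage. If this table is generated from `variables.tf`, make the change in the variable's `description` there.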
9 changes: 9 additions & 0 deletions main.tf
Expand Up @@ -404,6 +404,15 @@ data "aws_iam_policy_document" "assume_role_policy" {
]
}
}

dynamic "condition" {
for_each = var.iam_role_conditions
content {
test = condition.value.test
variable = condition.value.variable
values = condition.value.values
}
}
}
}

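Review bot: the `dynamic "condition"` block sits at statement level in `assume_role_policy` and passes `test`, `variable` and `values` through unchecked, so each entry constrains every principal this statement trusts. IAM requires all condition blocks in a statement to match, which means a single entry that the calling service does not satisfy leaves the cluster role unassumable, and that only shows up when the service tries to assume it. Please add a known-good usage example to the README so users have a working starting point for the trust policy of a role the cluster depends on.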
1 change: 1 addition & 0 deletions modules/karpenter/README.md
Expand Up @@ -149,6 +149,7 @@ No modules.
| <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | Path of the IAM policy | `string` | `"/"` | no |
| <a name="input_iam_policy_statements"></a> [iam\_policy\_statements](#input\_iam\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | `any` | `[]` | no |
| <a name="input_iam_policy_use_name_prefix"></a> [iam\_policy\_use\_name\_prefix](#input\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix | `bool` | `true` | no |
| <a name="input_iam_role_conditions"></a> [iam\_role\_conditions](#input\_iam\_role\_conditions) | Additional conditions of the IAM role assume policy | <pre>list(object({<br/> test = string<br/> variable = string<br/> values = list(string)<br/> }))</pre> | `[]` | no |
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | IAM role description | `string` | `"Karpenter controller IAM role"` | no |
| <a name="input_iam_role_max_session_duration"></a> [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `"KarpenterController"` | no |
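Review bot: the `iam_role_conditions` row is listed directly above `iam_role_description` and `iam_role_name`, whose defaults (`"Karpenter controller IAM role"`, `"KarpenterController"`) mark the `iam_role_*` inputs as controller-role settings, yet its description only says "the IAM role assume policy". The description should name the role whose trust policy it changes; per the `modules/karpenter/main.tf` hunk in this PR, that is the node role.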
9 changes: 9 additions & 0 deletions modules/karpenter/main.tf
Expand Up @@ -289,6 +289,15 @@ data "aws_iam_policy_document" "node_assume_role" {
type = "Service"
identifiers = ["ec2.${local.dns_suffix}"]
}

dynamic "condition" {
for_each = var.iam_role_conditions
content {
test = condition.value.test
variable = condition.value.variable
values = condition.value.values
}
}
}
}

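Review bot: `var.iam_role_conditions` is wired into `node_assume_role`, the trust policy whose principal is `ec2.${local.dns_suffix}`, while the un-prefixed `iam_role_*` inputs of this module describe the controller role. Someone who sets it to restrict who can assume the controller role gets no restriction there and an unexpected one on the node role. Either rename the input to something like `node_iam_role_conditions`, or, if the controller role was the intended target, move the block to that role's assume-role document.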
10 changes: 10 additions & 0 deletions modules/karpenter/variables.tf
Expand Up @@ -62,6 +62,16 @@ variable "iam_role_permissions_boundary_arn" {
default = null
}

variable "iam_role_conditions" {
description = "Additional conditions of the IAM role assume policy"
type = list(object({
test = string
variable = string
values = list(string)
}))
default = []
}

variable "iam_role_tags" {
description = "A map of additional tags to add the the IAM role"
type = map(any)
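Review bot: `iam_role_conditions` accepts any strings, including an entry with `values = []` or an empty `test`. A `validation` block that requires a non-empty `test` and `variable` and at least one element in `values` would reject a malformed entry at plan time rather than letting it reach the generated trust policy.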
10 changes: 10 additions & 0 deletions variables.tf
Expand Up @@ -474,6 +474,16 @@ variable "iam_role_permissions_boundary" {
default = null
}

variable "iam_role_conditions" {
description = "Additional conditions of the IAM role assume policy"
type = list(object({
test = string
variable = string
values = list(string)
}))
default = []
}

variable "iam_role_additional_policies" {
description = "Additional policies to be added to the IAM role"
type = map(string)
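Review bot: the description "Additional conditions of the IAM role assume policy" on `iam_role_conditions` does not explain the three object attributes. It should state that `test` is the IAM condition operator, `variable` is the condition context key and `values` are the values to match, and that the entries are added to the cluster role's trust policy and must all hold for the role to be assumed.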