3 changes: 2 additions & 1 deletion modules/karpenter/README.md
Expand Up @@ -142,7 +142,7 @@ No modules.
| <a name="input_iam_policy_description"></a> [iam\_policy\_description](#input\_iam\_policy\_description) | IAM policy description | `string` | `"Karpenter controller IAM policy"` | no |
| <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | Name of the IAM policy | `string` | `"KarpenterController"` | no |
| <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | Path of the IAM policy | `string` | `"/"` | no |
| <a name="input_iam_policy_statements"></a> [iam\_policy\_statements](#input\_iam\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | <pre>list(object({<br/> sid = optional(string)<br/> actions = optional(list(string))<br/> not_actions = optional(list(string))<br/> effect = optional(string)<br/> resources = optional(list(string))<br/> not_resources = optional(list(string))<br/> principals = optional(list(object({<br/> type = string<br/> identifiers = list(string)<br/> })))<br/> not_principals = optional(list(object({<br/> type = string<br/> identifiers = list(string)<br/> })))<br/> condition = optional(list(object({<br/> test = string<br/> values = list(string)<br/> variable = string<br/> })))<br/> }))</pre> | `null` | no |
| <a name="input_iam_policy_statements"></a> [iam\_policy\_statements](#input\_iam\_policy\_statements) | A list of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) - used for adding specific IAM permissions as needed | <pre>list(object({<br> sid = optional(string)<br> actions = optional(list(string))<br> not_actions = optional(list(string))<br> effect = optional(string)<br> resources = optional(list(string))<br> not_resources = optional(list(string))<br> principals = optional(list(object({<br> type = string<br> identifiers = list(string)<br> })))<br> not_principals = optional(list(object({<br> type = string<br> identifiers = list(string)<br> })))<br> condition = optional(list(object({<br> test = string<br> values = list(string)<br> variable = string<br> })))<br> }))</pre> | `null` | no |
| <a name="input_iam_policy_use_name_prefix"></a> [iam\_policy\_use\_name\_prefix](#input\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`iam_policy_name`) is used as a prefix | `bool` | `true` | no |
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | IAM role description | `string` | `"Karpenter controller IAM role"` | no |
| <a name="input_iam_role_max_session_duration"></a> [iam\_role\_max\_session\_duration](#input\_iam\_role\_max\_session\_duration) | Maximum API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
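Review bot: the only change in this hunk is `<br/>` becoming `<br>` inside the `iam_policy_statements` type cell; that is terraform-docs output formatting rather than a change to the variable, so it is fine to keep as long as it matches the terraform-docs version the repository regenerates with, otherwise the next regeneration will flip it straight back.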
Expand All @@ -169,6 +169,7 @@ No modules.
| <a name="input_queue_kms_master_key_id"></a> [queue\_kms\_master\_key\_id](#input\_queue\_kms\_master\_key\_id) | The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK | `string` | `null` | no |
| <a name="input_queue_managed_sse_enabled"></a> [queue\_managed\_sse\_enabled](#input\_queue\_managed\_sse\_enabled) | Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys | `bool` | `true` | no |
| <a name="input_queue_name"></a> [queue\_name](#input\_queue\_name) | Name of the SQS queue | `string` | `null` | no |
| <a name="input_queue_policy_additional_statements"></a> [queue\_policy\_additional\_statements](#input\_queue\_policy\_additional\_statements) | Additional policy statements to add to the SQS queue policy | <pre>list(object({<br> sid = optional(string)<br> actions = optional(list(string))<br> not_actions = optional(list(string))<br> effect = optional(string)<br> resources = optional(list(string))<br> not_resources = optional(list(string))<br> principals = optional(list(object({<br> type = string<br> identifiers = list(string)<br> })))<br> not_principals = optional(list(object({<br> type = string<br> identifiers = list(string)<br> })))<br> condition = optional(list(object({<br> test = string<br> values = list(string)<br> variable = string<br> })))<br> }))</pre> | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
| <a name="input_rule_name_prefix"></a> [rule\_name\_prefix](#input\_rule\_name\_prefix) | Prefix used for all event bridge rules | `string` | `"Karpenter"` | no |
| <a name="input_service_account"></a> [service\_account](#input\_service\_account) | Service account to associate with the Karpenter Pod Identity | `string` | `"karpenter"` | no |
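Review bot: the description for `queue_policy_additional_statements` should say that the statements are appended to the statements the module already places in the SQS queue policy rather than replacing them, and that `effect` defaults to `Allow` when omitted; a reader of this table otherwise cannot tell whether supplying the variable widens or overrides the module's default access to the queue.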
40 changes: 40 additions & 0 deletions modules/karpenter/main.tf
Expand Up @@ -166,6 +166,46 @@ data "aws_iam_policy_document" "queue" {
]
}
}

dynamic "statement" {
for_each = var.queue_policy_additional_statements != null ? var.queue_policy_additional_statements : []
content {
sid = statement.value.sid
actions = statement.value.actions
not_actions = statement.value.not_actions
effect = statement.value.effect
resources = statement.value.resources
not_resources = statement.value.not_resources

dynamic "principals" {
for_each = statement.value.principals != null ? statement.value.principals : []

content {
type = principals.value.type
identifiers = principals.value.identifiers
}
}

dynamic "not_principals" {
for_each = statement.value.not_principals != null ? statement.value.not_principals : []

content {
type = not_principals.value.type
identifiers = not_principals.value.identifiers
}
}

dynamic "condition" {
for_each = statement.value.condition != null ? statement.value.condition : []

content {
test = condition.value.test
values = condition.value.values
variable = condition.value.variable
}
}
}
}
}

resource "aws_sqs_queue_policy" "this" {
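Review bot: the new `dynamic "statement"` block is appended to the same `data "aws_iam_policy_document" "queue"` that carries the module's own statements, so two points deserve a line in the variable description or README: a user-supplied `sid` that duplicates one of the module's statement IDs will be rejected when the policy is validated, and because `effect` is passed through as given, callers can use this to tighten the queue policy (for example a `Deny` statement conditioned on `aws:SecureTransport`) and not only to widen it. The `!= null ? ... : []` guards mirror the existing `iam_policy_statements` handling, which is fine; passing a null `sid`, `effect` or `resources` through to the data source is harmless since a null argument is treated as omitted.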
26 changes: 26 additions & 0 deletions modules/karpenter/variables.tf
Expand Up @@ -204,6 +204,32 @@ variable "queue_kms_data_key_reuse_period_seconds" {
default = null
}

variable "queue_policy_additional_statements" {
description = "Additional policy statements to add to the SQS queue policy"
type = list(object({
sid = optional(string)
actions = optional(list(string))
not_actions = optional(list(string))
effect = optional(string)
resources = optional(list(string))
not_resources = optional(list(string))
principals = optional(list(object({
type = string
identifiers = list(string)
})))
not_principals = optional(list(object({
type = string
identifiers = list(string)
})))
condition = optional(list(object({
test = string
values = list(string)
variable = string
})))
}))
default = null
}

################################################################################
# Node IAM Role
################################################################################
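Review bot: `default = null` is what forces the `!= null` ternary in main.tf; `default = []` would let `for_each` consume the variable directly, but `null` matches `iam_policy_statements`, so consistency is the better argument as long as the README says so. A `validation` block on this variable would move mistakes from apply time to plan time: at minimum require that each element sets `actions` or `not_actions` (AWS rejects a statement with neither), and since this variable can add arbitrary principals to the queue policy, a check that any statement whose principal identifiers contain `"*"` also carries a `condition` would catch the most common accidental over-exposure before anything is created.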