
fix: Split the single monolithic Karpenter controller IAM policy #3644

Open
pincher95 wants to merge 2 commits into terraform-aws-modules:master from pincher95:master

Conversation


@pincher95 pincher95 commented Feb 13, 2026

fix(policy.tf): split controller policies to avoid exceeding the 6,144 character IAM policy size limit

Description

Split the single monolithic Karpenter controller IAM policy into 5 focused sub-policies to avoid exceeding the AWS IAM managed policy size limit of 6,144 characters. This follows the upstream fix in karpenter-provider-aws#8690.

The single KarpenterController policy is now split into:

  • NodeLifecycle — EC2 instance/fleet lifecycle operations (RunInstances, CreateFleet, CreateLaunchTemplate, CreateTags, TerminateInstances, DeleteLaunchTemplate)
  • IAMIntegration — IAM operations (PassRole, CreateInstanceProfile, TagInstanceProfile, AddRoleToInstanceProfile, RemoveRoleFromInstanceProfile, DeleteInstanceProfile)
  • EKSIntegration — EKS operations (DescribeCluster)
  • ResourceDiscovery — Read-only discovery (EC2 Describe*, SSM GetParameter, pricing:GetProducts, IAM GetInstanceProfile/ListInstanceProfiles)
  • Interruption — SQS queue actions (conditional on spot termination)
  • Custom iam_policy_statements are placed in a separate Additional policy when provided.

Motivation and Context

Fixes #3637, #3512
The single KarpenterController IAM policy document exceeds the AWS IAM managed policy size limit of 6,144 characters.
This causes LimitExceeded: Cannot exceed quota for PolicySize: 6144 errors during terraform apply.

Breaking Changes

Yes — the controller IAM policy resources change from count-based indexing to for_each with string keys:

  • aws_iam_policy.controller[0] → aws_iam_policy.controller["NodeLifecycle"]
  • aws_iam_role_policy.controller[0] → aws_iam_role_policy.controller["NodeLifecycle"]
  • aws_iam_role_policy_attachment.controller[0] → aws_iam_role_policy_attachment.controller["NodeLifecycle"]

moved blocks are included in migrations.tf to automatically migrate the existing single policy to the NodeLifecycle key. The remaining 4 sub-policies (IAMIntegration, EKSIntegration, ResourceDiscovery, Interruption) will be created as new resources.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

…nter module to reflect additional IAM policy documents

Signed-off-by: pincher95 <yuri.tsuprun@logz.io>
@pincher95 pincher95 changed the title from "Split the single monolithic Karpenter controller IAM policy" to "fix: Split the single monolithic Karpenter controller IAM policy" Feb 13, 2026
@bryantbiggs bryantbiggs (Member) commented

you should use enable_inline_policy if you are hitting the limit today - we won't be making this change until the next breaking change
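The two positions in this thread (split the document into the five focused managed policies the PR description lists, or keep one document and attach it inline as the maintainer suggests) both come down to how IAM measures a policy against its quotas. The script below is an added example, not code from this PR or from the terraform-aws-modules project: it sizes a policy document the way IAM does (compact JSON, whitespace excluded), splits statements into the PR's sub-policy groups, and checks the inline alternative against the role's aggregate inline quota. The Sid-prefix mapping, the `${ClusterName}`-style placeholders and the cut-down sample policy are constructed for the example; the 6,144 and 10,240 character limits are AWS IAM quotas.

```python
import json
from collections import OrderedDict

# AWS IAM quotas (IAM excludes whitespace when measuring a document against them).
MANAGED_POLICY_MAX_CHARS = 6144       # per managed policy; exceeding it yields
                                      # "LimitExceeded: Cannot exceed quota for PolicySize: 6144"
ROLE_INLINE_POLICY_MAX_CHARS = 10240  # aggregate of all inline policies on one role


def iam_policy_size(document: dict) -> int:
    """Character count as IAM computes it: compact JSON with all whitespace dropped."""
    text = json.dumps(document, separators=(",", ":"))
    return sum(1 for ch in text if not ch.isspace())


# Hypothetical Sid-prefix -> sub-policy mapping. The group names are the PR's;
# the Sid prefixes are assumed for this example, not taken from the module.
GROUP_BY_SID_PREFIX = OrderedDict([
    ("AllowScopedEC2", "NodeLifecycle"),
    ("AllowScopedResource", "NodeLifecycle"),
    ("AllowScopedDeletion", "NodeLifecycle"),
    ("AllowPassingInstanceRole", "IAMIntegration"),
    ("AllowScopedInstanceProfile", "IAMIntegration"),
    ("AllowAPIServerEndpointDiscovery", "EKSIntegration"),
    ("AllowRegionalReadActions", "ResourceDiscovery"),
    ("AllowSSMReadActions", "ResourceDiscovery"),
    ("AllowPricingReadActions", "ResourceDiscovery"),
    ("AllowInstanceProfileReadActions", "ResourceDiscovery"),
    ("AllowInterruptionQueueActions", "Interruption"),
])


def classify(statement: dict) -> str:
    """Route a statement to a sub-policy; unmatched Sids (custom statements) go to 'Additional'."""
    sid = statement.get("Sid", "")
    for prefix, group in GROUP_BY_SID_PREFIX.items():
        if sid.startswith(prefix):
            return group
    return "Additional"


def split_policy(document: dict, limit: int = MANAGED_POLICY_MAX_CHARS) -> dict:
    """Split one policy document into per-group documents, each checked against `limit`."""
    groups = OrderedDict()
    for statement in document["Statement"]:
        groups.setdefault(classify(statement), []).append(statement)
    result = OrderedDict()
    for name, statements in groups.items():
        sub = {"Version": document.get("Version", "2012-10-17"), "Statement": statements}
        size = iam_policy_size(sub)
        if size > limit:
            raise ValueError(f"sub-policy {name} is {size} chars, over the {limit} limit")
        result[name] = sub
    return result


def fits_as_inline(document: dict, already_inline_chars: int = 0) -> bool:
    """The inline alternative: the document must fit in the role's 10,240-char aggregate
    inline quota together with any inline policies already attached to that role."""
    return already_inline_chars + iam_policy_size(document) <= ROLE_INLINE_POLICY_MAX_CHARS


# Constructed sample: a cut-down controller policy with placeholder ARNs.
CLUSTER_TAG = "aws:ResourceTag/kubernetes.io/cluster/${ClusterName}"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowScopedEC2InstanceActionsWithTags", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateFleet", "ec2:CreateLaunchTemplate"],
         "Resource": "arn:${Partition}:ec2:${Region}:*:instance/*",
         "Condition": {"StringEquals": {"aws:RequestTag/kubernetes.io/cluster/${ClusterName}": "owned"}}},
        {"Sid": "AllowScopedDeletion", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteLaunchTemplate"],
         "Resource": "arn:${Partition}:ec2:${Region}:*:instance/*",
         "Condition": {"StringEquals": {CLUSTER_TAG: "owned"}}},
        {"Sid": "AllowPassingInstanceRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:${Partition}:iam::${AccountId}:role/KarpenterNodeRole-${ClusterName}",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Sid": "AllowAPIServerEndpointDiscovery", "Effect": "Allow", "Action": "eks:DescribeCluster",
         "Resource": "arn:${Partition}:eks:${Region}:${AccountId}:cluster/${ClusterName}"},
        {"Sid": "AllowRegionalReadActions", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"], "Resource": "*"},
        {"Sid": "AllowInterruptionQueueActions", "Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "arn:${Partition}:sqs:${Region}:${AccountId}:${ClusterName}"},
        {"Sid": "CustomAllowKMSForEBS", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("monolith:", iam_policy_size(SAMPLE_POLICY), "chars")
    for name, sub in split_policy(SAMPLE_POLICY).items():
        print(f"  {name:<18} {iam_policy_size(sub):>5} chars")
```

Run it against the real document from `terraform show -json` (the `policy` attribute of the `aws_iam_policy` resource) to see which sub-policy carries the bulk of the size; the `Resource`/`Condition` blocks on the scoped EC2 statements usually dominate, which is why the split puts them alone in `NodeLifecycle`. `fits_as_inline` is the check behind the `enable_inline_policy` suggestion: a single inline document has more room, but it shares that room with every other inline policy on the role.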
