fix: Permit RunInstances permission for Karpenter when request contains karpenter.sh/discovery tag key (#209)

bryantbiggs · web-flow · commit 18081d142a88 · 2022-03-23T23:11:56.000+01:00
diff --git a/examples/iam-role-for-service-accounts-eks/main.tf b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -153,7 +153,7 @@ module "karpenter_controller_irsa_role" {
   role_name                          = "karpenter_controller"
   attach_karpenter_controller_policy = true
 
-  karpenter_controller_cluster_ids        = [module.eks.cluster_id]
+  karpenter_controller_cluster_id         = module.eks.cluster_id
   karpenter_controller_node_iam_role_arns = [module.eks.eks_managed_node_groups["default"].iam_role_arn]
 
   oidc_providers = {
diff --git a/modules/iam-role-for-service-accounts-eks/README.md b/modules/iam-role-for-service-accounts-eks/README.md
@@ -124,6 +124,7 @@ No modules.
 | [aws_iam_role_policy_attachment.node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -151,7 +152,7 @@ No modules.
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
 | <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow external DNS to manage records | `list(string)` | <pre>[<br>  "arn:aws:route53:::hostedzone/*"<br>]</pre> | no |
 | <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `true` | no |
-| <a name="input_karpenter_controller_cluster_ids"></a> [karpenter\_controller\_cluster\_ids](#input\_karpenter\_controller\_cluster\_ids) | List of cluster IDs to appropriately scope EC2 permissions within the Karpenter Controller policy | `list(string)` | `[]` | no |
+| <a name="input_karpenter_controller_cluster_id"></a> [karpenter\_controller\_cluster\_id](#input\_karpenter\_controller\_cluster\_id) | Cluster ID where the Karpenter controller is provisioned/managing | `string` | `"*"` | no |
 | <a name="input_karpenter_controller_node_iam_role_arns"></a> [karpenter\_controller\_node\_iam\_role\_arns](#input\_karpenter\_controller\_node\_iam\_role\_arns) | List of node IAM role ARNs Karpenter can use to launch nodes | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_karpenter_controller_ssm_parameter_arns"></a> [karpenter\_controller\_ssm\_parameter\_arns](#input\_karpenter\_controller\_ssm\_parameter\_arns) | List of SSM Parameter ARNs that contain AMI IDs launched by Karpenter | `list(string)` | <pre>[<br>  "arn:aws:ssm:*:*:parameter/aws/service/*"<br>]</pre> | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `null` | no |
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -1,6 +1,8 @@
 data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
 
 locals {
+  account_id = data.aws_caller_identity.current.account_id
   partition  = data.aws_partition.current.partition
   dns_suffix = data.aws_partition.current.dns_suffix
 }
@@ -442,25 +444,46 @@ data "aws_iam_policy_document" "karpenter_controller" {
     resources = ["*"]
   }
 
-  dynamic "statement" {
-    for_each = toset(var.karpenter_controller_cluster_ids)
-    content {
-      actions = [
-        "ec2:RunInstances",
-        "ec2:TerminateInstances",
-        "ec2:DeleteLaunchTemplate",
-      ]
+  statement {
+    actions = [
+      "ec2:TerminateInstances",
+      "ec2:DeleteLaunchTemplate",
+    ]
 
-      resources = ["*"]
+    resources = ["*"]
 
-      condition {
-        test     = "StringEquals"
-        variable = "ec2:ResourceTag/karpenter.sh/discovery"
-        values   = [statement.value]
-      }
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:ResourceTag/karpenter.sh/discovery"
+      values   = [var.karpenter_controller_cluster_id]
     }
   }
 
+  statement {
+    actions = ["ec2:RunInstances"]
+    resources = [
+      "arn:aws:ec2:*:${local.account_id}:launch-template/*",
+      "arn:aws:ec2:*:${local.account_id}:security-group/*",
+      "arn:aws:ec2:*:${local.account_id}:subnet/*",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:ResourceTag/karpenter.sh/discovery"
+      values   = [var.karpenter_controller_cluster_id]
+    }
+  }
+
+  statement {
+    actions = ["ec2:RunInstances"]
+    resources = [
+      "arn:aws:ec2:*::image/*",
+      "arn:aws:ec2:*:${local.account_id}:instance/*",
+      "arn:aws:ec2:*:${local.account_id}:volume/*",
+      "arn:aws:ec2:*:${local.account_id}:network-interface/*",
+    ]
+  }
+
   statement {
     actions   = ["ssm:GetParameter"]
     resources = var.karpenter_controller_ssm_parameter_arns
diff --git a/modules/iam-role-for-service-accounts-eks/variables.tf b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -152,10 +152,10 @@ variable "attach_karpenter_controller_policy" {
   default     = false
 }
 
-variable "karpenter_controller_cluster_ids" {
-  description = "List of cluster IDs to appropriately scope EC2 permissions within the Karpenter Controller policy"
-  type        = list(string)
-  default     = []
+variable "karpenter_controller_cluster_id" {
+  description = "Cluster ID where the Karpenter controller is provisioned/managing"
+  type        = string
+  default     = "*"
 }
 
 variable "karpenter_controller_ssm_parameter_arns" {

Original file line number	Diff line number	Diff line change
`@@ -152,10 +152,10 @@ variable "attach_karpenter_controller_policy" {`
`152`	`152`	`default = false`
`153`	`153`	`}`
`154`	`154`
`155`		`-variable "karpenter_controller_cluster_ids" {`
`156`		`- description = "List of cluster IDs to appropriately scope EC2 permissions within the Karpenter Controller policy"`
`157`		`- type = list(string)`
`158`		`- default = []`
	`155`	`+variable "karpenter_controller_cluster_id" {`
	`156`	`+ description = "Cluster ID where the Karpenter controller is provisioned/managing"`
	`157`	`+ type = string`
	`158`	`+ default = "*"`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`variable "karpenter_controller_ssm_parameter_arns" {`