feat: Add instance profile permissions to Karpenter IRSA policy (#434)

* fix: add instance profile permissions to karpenter policy

fixes #433

Signed-off-by: Abraham Bah <[email protected]>

* fix; use dynamic block instead of repeating StringEquals condition for iam:CreateInstanceProfile statement in karpenter policy

* fixup! remove unnecessary whitespace

Signed-off-by: Abraham Bah <[email protected]>

* fix: Make instance profile creation an opt-in

* fix: Update docs

---------

Signed-off-by: Abraham Bah <[email protected]>
Co-authored-by: Bryant Biggs <[email protected]>

Author: abrabah

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.5
+    rev: v1.83.6
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

modules/iam-role-for-service-accounts-eks/README.md

@@ -208,6 +208,7 @@ No modules.
 | <a name="input_cluster_autoscaler_cluster_names"></a> [cluster\_autoscaler\_cluster\_names](#input\_cluster\_autoscaler\_cluster\_names) | List of cluster names to appropriately scope permissions within the Cluster Autoscaler IAM policy | `list(string)` | `[]` | no |
 | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create a role | `bool` | `true` | no |
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | KMS CMK IDs to allow EBS CSI to manage encrypted volumes | `list(string)` | `[]` | no |
+| <a name="input_enable_karpenter_instance_profile_creation"></a> [enable\_karpenter\_instance\_profile\_creation](#input\_enable\_karpenter\_instance\_profile\_creation) | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1/v0.32+) | `bool` | `false` | no |
 | <a name="input_external_dns_hosted_zone_arns"></a> [external\_dns\_hosted\_zone\_arns](#input\_external\_dns\_hosted\_zone\_arns) | Route53 hosted zone ARNs to allow External DNS to manage records | `list(string)` | <pre>[<br>  "arn:aws:route53:::hostedzone/*"<br>]</pre> | no |
 | <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:kms:*:*:key/*"<br>]</pre> | no |
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:secretsmanager:*:*:secret:*"<br>]</pre> | no |

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -645,7 +645,6 @@ data "aws_iam_policy_document" "karpenter_controller" {
       "ec2:TerminateInstances",
       "ec2:DeleteLaunchTemplate",
     ]
-
     resources = ["*"]
 
     condition {
@@ -691,6 +690,22 @@ data "aws_iam_policy_document" "karpenter_controller" {
     resources = var.karpenter_controller_node_iam_role_arns
   }
 
+  dynamic "statement" {
+    for_each = var.enable_karpenter_instance_profile_creation ? [1] : []
+
+    content {
+      actions = [
+        "iam:AddRoleToInstanceProfile",
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:GetInstanceProfile",
+        "iam:RemoveRoleFromInstanceProfile",
+        "iam:TagInstanceProfile",
+      ]
+      resources = ["*"]
+    }
+  }
+
   statement {
     actions   = ["eks:DescribeCluster"]
     resources = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${local.karpenter_controller_cluster_name}"]

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -252,6 +252,12 @@ variable "karpenter_sqs_queue_arn" {
   default     = null
 }
 
+variable "enable_karpenter_instance_profile_creation" {
+  description = "Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1/v0.32+)"
+  type        = bool
+  default     = false
+}
+
 # AWS Load Balancer Controller
 variable "attach_load_balancer_controller_policy" {
   description = "Determines whether to attach the Load Balancer Controller policy to the role"

wrappers/iam-role-for-service-accounts-eks/main.tf

@@ -28,6 +28,7 @@ module "wrapper" {
   cluster_autoscaler_cluster_names                                = try(each.value.cluster_autoscaler_cluster_names, var.defaults.cluster_autoscaler_cluster_names, [])
   create_role                                                     = try(each.value.create_role, var.defaults.create_role, true)
   ebs_csi_kms_cmk_ids                                             = try(each.value.ebs_csi_kms_cmk_ids, var.defaults.ebs_csi_kms_cmk_ids, [])
+  enable_karpenter_instance_profile_creation                      = try(each.value.enable_karpenter_instance_profile_creation, var.defaults.enable_karpenter_instance_profile_creation, false)
   external_dns_hosted_zone_arns                                   = try(each.value.external_dns_hosted_zone_arns, var.defaults.external_dns_hosted_zone_arns, ["arn:aws:route53:::hostedzone/*"])
   external_secrets_kms_key_arns                                   = try(each.value.external_secrets_kms_key_arns, var.defaults.external_secrets_kms_key_arns, ["arn:aws:kms:*:*:key/*"])
   external_secrets_secrets_manager_arns                           = try(each.value.external_secrets_secrets_manager_arns, var.defaults.external_secrets_secrets_manager_arns, ["arn:aws:secretsmanager:*:*:secret:*"])