fix: Avoid restricting Karpenter RunInstances subnets by tag key (#247)

bryantbiggs · web-flow · commit bbbe0c01c936 · 2022-05-10T18:32:15.000+02:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.68.1
+    rev: v1.71.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -552,7 +552,6 @@ data "aws_iam_policy_document" "karpenter_controller" {
     resources = [
       "arn:${local.partition}:ec2:*:${local.account_id}:launch-template/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*",
-      "arn:${local.partition}:ec2:*:${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/*",
     ]
 
     condition {
@@ -569,6 +568,7 @@ data "aws_iam_policy_document" "karpenter_controller" {
       "arn:${local.partition}:ec2:*:${local.account_id}:instance/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:volume/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:network-interface/*",
+      "arn:${local.partition}:ec2:*:${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/*",
     ]
   }
 

Original file line number	Diff line number	Diff line change
`@@ -552,7 +552,6 @@ data "aws_iam_policy_document" "karpenter_controller" {`
`552`	`552`	`resources = [`
`553`	`553`	`"arn:${local.partition}:ec2::${local.account_id}:launch-template/",`
`554`	`554`	`"arn:${local.partition}:ec2::${local.account_id}:security-group/",`
`555`		`- "arn:${local.partition}:ec2::${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/",`
`556`	`555`	`]`
`557`	`556`
`558`	`557`	`condition {`
`@@ -569,6 +568,7 @@ data "aws_iam_policy_document" "karpenter_controller" {`
`569`	`568`	`"arn:${local.partition}:ec2::${local.account_id}:instance/",`
`570`	`569`	`"arn:${local.partition}:ec2::${local.account_id}:volume/",`
`571`	`570`	`"arn:${local.partition}:ec2::${local.account_id}:network-interface/",`
	`571`	`+ "arn:${local.partition}:ec2::${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/",`
`572`	`572`	`]`
`573`	`573`	`}`
`574`	`574`