Last active
May 6, 2022 14:29
-
-
Save rmalenko/e1c03bb5a747fd4fdfa86daf20e5fd01 to your computer and use it in GitHub Desktop.
Karpenter Controller Policy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################################################ | |
| # Karpenter Controller Policy | |
| ################################################################################ | |
| # curl -fsSL https://karpenter.sh/v0.6.1/getting-started/cloudformation.yaml | |
| data "aws_iam_policy_document" "karpenter_controller" { | |
| count = var.create_role && var.attach_karpenter_controller_policy ? 1 : 0 | |
| statement { | |
| actions = [ | |
| "ec2:CreateLaunchTemplate", | |
| "ec2:CreateFleet", | |
| "ec2:CreateTags", | |
| "ec2:DescribeLaunchTemplates", | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeInstanceTypes", | |
| "ec2:DescribeInstanceTypeOfferings", | |
| "ec2:DescribeAvailabilityZones", | |
| ] | |
| resources = ["*"] | |
| } | |
| statement { | |
| actions = [ | |
| "ec2:TerminateInstances", | |
| "ec2:DeleteLaunchTemplate", | |
| ] | |
| resources = ["*"] | |
| condition { | |
| test = "StringEquals" | |
| variable = "ec2:ResourceTag/${var.karpenter_tag_key}" | |
| values = [var.karpenter_controller_cluster_id] | |
| } | |
| } | |
| statement { | |
| actions = ["ec2:RunInstances"] | |
| resources = [ | |
| "arn:${local.partition}:ec2:*:${local.account_id}:launch-template/*", | |
| "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*", | |
| "arn:${local.partition}:ec2:*:${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/*", | |
| "arn:${local.partition}:ec2:*:${local.account_id}:volume/*", | |
| "arn:${local.partition}:ec2:*:${local.account_id}:key-pair/*", | |
| "arn:${local.partition}:ec2:*:${local.account_id}:instance/*", | |
| "arn:${local.partition}:ec2:*:${local.account_id}:subnet/*", | |
| "arn:${local.partition}:ec2:*:${local.account_id}:network-interface/*", | |
| "arn:${local.partition}:ec2:*::image/*" | |
| ] | |
| } | |
| statement { | |
| actions = ["ssm:GetParameter"] | |
| resources = var.karpenter_controller_ssm_parameter_arns | |
| } | |
| statement { | |
| actions = ["iam:PassRole"] | |
| resources = var.karpenter_controller_node_iam_role_arns | |
| } | |
| } | |
| resource "aws_iam_policy" "karpenter_controller" { | |
| count = var.create_role && var.attach_karpenter_controller_policy ? 1 : 0 | |
| name_prefix = "AmazonEKS_Karpenter_Controller_Policy-" | |
| path = var.role_path | |
| description = "Provides permissions to handle node termination events via the Node Termination Handler" | |
| policy = data.aws_iam_policy_document.karpenter_controller[0].json | |
| tags = var.tags | |
| } | |
| resource "aws_iam_role_policy_attachment" "karpenter_controller" { | |
| count = var.create_role && var.attach_karpenter_controller_policy ? 1 : 0 | |
| role = aws_iam_role.this[0].name | |
| policy_arn = aws_iam_policy.karpenter_controller[0].arn | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment