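# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

# IAM role assumed by the Karpenter controller through IRSA (IAM Roles for
# Service Accounts). Trust is bound to this cluster's OIDC issuer AND to the
# fully-qualified subject "system:serviceaccount:<namespace>:karpenter", so no
# other service account in the cluster can assume it. The module version is
# pinned so the trust policy it renders cannot drift on a later apply.
module "iam_assumable_role_karpenter" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "4.7.0"

  create_role                   = true
  role_name                     = "karpenter-controller-${var.cluster_name}"
  provider_url                  = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
  oidc_fully_qualified_subjects = ["system:serviceaccount:${var.karpenter_namespace}:karpenter"]
}

# Permissions attached to the controller role.
# Based on https://karpenter.sh/docs/getting-started/cloudformation.yaml
resource "aws_iam_role_policy" "karpenter_controller" {
  name = "karpenter-policy-${var.cluster_name}"
  role = module.iam_assumable_role_karpenter.iam_role_name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ec2:Describe* calls do not support resource-level permissions, so
        # Resource = "*" is unavoidable for them. The mutating calls
        # (RunInstances, CreateFleet, TerminateInstances, CreateTags,
        # CreateLaunchTemplate) and ssm:GetParameter are ALSO granted on "*"
        # here, mirroring the upstream reference policy: this role can
        # terminate or re-tag any instance in the account, not only nodes it
        # launched.
        # TODO(review): scope TerminateInstances/CreateTags with an
        # aws:ResourceTag condition on the cluster tag Karpenter applies, and
        # ssm:GetParameter to the EKS optimized-AMI parameter path, once the
        # exact tag key / parameter prefix for the deployed Karpenter version
        # is confirmed.
        Sid    = "KarpenterControllerEC2"
        Effect = "Allow"
        Action = [
          "ec2:CreateLaunchTemplate",
          "ec2:CreateFleet",
          "ec2:RunInstances",
          "ec2:CreateTags",
          "ec2:TerminateInstances",
          "ec2:DescribeLaunchTemplates",
          "ec2:DescribeInstances",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeInstanceTypes",
          "ec2:DescribeInstanceTypeOfferings",
          "ec2:DescribeAvailabilityZones",
          "ssm:GetParameter",
        ]
        Resource = "*"
      },
      {
        # PassRole is limited to the node role defined below, and further to
        # the EC2 service principal, so the controller cannot hand that role
        # to any other service that accepts a passed role.
        Sid      = "KarpenterControllerPassNodeRole"
        Effect   = "Allow"
        Action   = ["iam:PassRole"]
        Resource = aws_iam_role.karpenter_node.arn
        Condition = {
          StringEquals = {
            "iam:PassedToService" = "ec2.amazonaws.com"
          }
        }
      },
    ]
  })
}

# Role assumed by the EC2 instances Karpenter launches (the worker nodes).
# Only the EC2 service principal may assume it; the controller can merely
# pass it via the PassRole grant above.
resource "aws_iam_role" "karpenter_node" {
  name = "karpenter-node-${var.cluster_name}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })

  # Standard EKS worker-node set: cluster join, VPC CNI, ECR pull, SSM agent.
  # NOTE(review): AmazonEKS_CNI_Policy on the node role gives every pod with
  # access to the instance metadata service ENI/IP-management rights; if the
  # cluster runs aws-node under its own IRSA role this grant can be dropped
  # here. AmazonSSMManagedInstanceCore enables Session Manager access to the
  # nodes — remove it if that is not wanted.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
  ]
}

## Instance profile for nodes to pull images, networking, SSM, etc
resource "aws_iam_instance_profile" "karpenter_node" {
  name = "karpenter-node-${var.cluster_name}"
  role = aws_iam_role.karpenter_node.name
}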