Separate policy documents as managed policies
coord-e committed Oct 29, 2024
1 parent f4200c1 commit 7257bc8
Showing 4 changed files with 23 additions and 11 deletions.
27 changes: 16 additions & 11 deletions modules/karpenter/controller_iam.tf
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,16 @@ data "aws_iam_policy_document" "karpenter_controller_assume_role_policy" {
}
}

resource "aws_iam_role_policy" "karpenter_controller_v1_beta" {
count = var.v1beta ? 1 : 0
name = "KarpenterController-v1beta"
role = aws_iam_role.karpenter_controller.id
policy = data.aws_iam_policy_document.karpenter_controller_v1_beta.json
resource "aws_iam_role_policy_attachment" "karpenter_controller_v1_beta" {
count = var.v1beta ? 1 : 0
role = aws_iam_role.karpenter_controller.id
policy_arn = aws_iam_policy.karpenter_controller_v1_beta[0].arn
}

moved {
from = aws_iam_role_policy.karpenter_controller_v1_beta
to = aws_iam_role_policy.karpenter_controller_v1_beta[0]
resource "aws_iam_policy" "karpenter_controller_v1_beta" {
count = var.v1beta ? 1 : 0
name = "${var.cluster_config.iam_policy_name_prefix}KarpenterController-v1beta-${var.cluster_config.name}"
policy = data.aws_iam_policy_document.karpenter_controller_v1_beta.json
}

data "aws_iam_policy_document" "karpenter_controller_v1_beta" {
Expand Down Expand Up @@ -390,10 +390,15 @@ data "aws_iam_policy_document" "karpenter_controller_v1_beta" {
}
}

resource "aws_iam_role_policy" "karpenter_controller_v1" {
resource "aws_iam_role_policy_attachment" "karpenter_controller_v1" {
count = var.v1 ? 1 : 0
role = aws_iam_role.karpenter_controller.id
policy_arn = aws_iam_policy.karpenter_controller_v1[0].arn
}

resource "aws_iam_policy" "karpenter_controller_v1" {
count = var.v1 ? 1 : 0
name = "KarpenterController-v1"
role = aws_iam_role.karpenter_controller.id
name = "${var.cluster_config.iam_policy_name_prefix}KarpenterController-v1-${var.cluster_config.name}"
policy = data.aws_iam_policy_document.karpenter_controller_v1.json
}

Expand Down
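Review bot: Swapping `aws_iam_role_policy` for `aws_iam_policy` plus `aws_iam_role_policy_attachment` on both `karpenter_controller_v1_beta` and `karpenter_controller_v1` is a destroy-and-create rather than a rename, so one apply deletes the inline policy while creating the managed policy and its attachment with no ordering between them, and the controller role can briefly hold no permissions. Consider rolling this out over two applies (attach the managed policy first, drop the inline one afterwards) or at least flag it above each attachment: `# NOTE: migrating from the inline aws_iam_role_policy is destroy+create; expect a short window with no controller permissions during apply`. Separately, a managed policy is capped at 6,144 non-whitespace characters versus 10,240 for a role's inline policies, and the v1beta policy document runs from line 40 past line 390 (its body sits between the two hunks, outside this view), so confirm the rendered JSON still fits or the apply will fail. The new `name` also concatenates the prefix and the cluster name, so a long cluster name could exceed the 128-character policy-name limit.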
1 change: 1 addition & 0 deletions modules/karpenter/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ variable "cluster_config" {
arn = string
private_subnet_ids = map(string)
iam_role_name_prefix = string
iam_policy_name_prefix = string
fargate_execution_role_arn = string
})
}
Expand Down
1 change: 1 addition & 0 deletions outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ locals {
node_security_group = aws_eks_cluster.control_plane.vpc_config.0.cluster_security_group_id
tags = var.tags
iam_role_name_prefix = var.iam_role_name_prefix
iam_policy_name_prefix = var.iam_policy_name_prefix
fargate_execution_role_arn = aws_iam_role.fargate.arn
}
}
Expand Down
5 changes: 5 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,11 @@ variable "iam_role_name_prefix" {
description = "An optional prefix to any IAM Roles created by this module"
}

variable "iam_policy_name_prefix" {
default = ""
description = "An optional prefix to any IAM Policies created by this module"
}

variable "cluster_role_arn" {
type = string
description = "The ARN of IAM role to be used by the cluster, if not specified a role will be created"
Expand Down
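Review bot: `iam_policy_name_prefix` is declared without a `type`, unlike `cluster_role_arn` a few lines below, so a list or map would be accepted here and only fail later inside the string interpolation in the karpenter module; add `type = string` under `default = ""`. Since the value lands in an IAM policy name, a `validation` block restricting it to IAM's allowed name characters (`[\w+=,.@-]`) would surface a bad prefix as a plan-time error instead of an API rejection at apply.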
