Merge pull request #6 from truefoundry/karpenter-controller-additional-policies

dunefro · web-flow · commit c7a71d030e9d · 2024-08-05T12:41:13.000+05:30
Added fix to pass additional policies to karpetner role arn
diff --git a/README.md b/README.md
@@ -6,39 +6,40 @@ Truefoundry AWS Karpenter Module
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.17.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.61.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.17.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.61.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_karpenter_irsa_role"></a> [karpenter\_irsa\_role](#module\_karpenter\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.32.0 |
+| <a name="module_karpenter_irsa_role"></a> [karpenter\_irsa\_role](#module\_karpenter\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.42.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_cloudwatch_event_rule.this](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/resources/cloudwatch_event_rule) | resource |
-| [aws_cloudwatch_event_target.this](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/resources/cloudwatch_event_target) | resource |
-| [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_policy.sqs](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/resources/iam_policy) | resource |
-| [aws_sqs_queue.karpenter](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/resources/sqs_queue) | resource |
-| [aws_sqs_queue_policy.karpenter](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/resources/sqs_queue_policy) | resource |
-| [aws_iam_policy_document.node_termination_queue](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.sqs](https://registry.terraform.io/providers/hashicorp/aws/5.17.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_cloudwatch_event_rule.this](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.this](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/resources/cloudwatch_event_target) | resource |
+| [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_policy.sqs](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/resources/iam_policy) | resource |
+| [aws_sqs_queue.karpenter](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/resources/sqs_queue) | resource |
+| [aws_sqs_queue_policy.karpenter](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/resources/sqs_queue_policy) | resource |
+| [aws_iam_policy_document.node_termination_queue](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.sqs](https://registry.terraform.io/providers/hashicorp/aws/5.61.0/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_controller_node_iam_role_arns"></a> [additional\_controller\_node\_iam\_role\_arns](#input\_additional\_controller\_node\_iam\_role\_arns) | The additional node iam roles to be used by karpenter | `list(string)` | `[]` | no |
+| <a name="input_additional_controller_role_policies_arn"></a> [additional\_controller\_role\_policies\_arn](#input\_additional\_controller\_role\_policies\_arn) | arn of dditional policies to attach to the karpenter controller role (Example {'x-policy' = arn:aws:iam::123456789012:policy/x-policy}) | `any` | `{}` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Cluster Name to install karpenter | `string` | n/a | yes |
 | <a name="input_controller_node_iam_role_arn"></a> [controller\_node\_iam\_role\_arn](#input\_controller\_node\_iam\_role\_arn) | The node iam role for the initial node group to be used by karpenter | `string` | n/a | yes |
 | <a name="input_controller_nodegroup_name"></a> [controller\_nodegroup\_name](#input\_controller\_nodegroup\_name) | The initial nodegroup name | `string` | n/a | yes |
diff --git a/locals.tf b/locals.tf
@@ -41,4 +41,10 @@ locals {
       }
     }
   }
+  karpenter_controller_role_policy_arns = merge(
+    {
+      "sqs_policy" = aws_iam_policy.sqs.arn
+    },
+    var.additional_controller_role_policies_arn
+  )
 }
diff --git a/main.tf b/main.tf
@@ -2,7 +2,7 @@
 
 module "karpenter_irsa_role" {
   source                             = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version                            = "5.32.0"
+  version                            = "5.42.0"
   role_name                          = "${var.cluster_name}-karpenter"
   attach_karpenter_controller_policy = true
 
@@ -12,9 +12,7 @@ module "karpenter_irsa_role" {
   attach_vpc_cni_policy = true
   vpc_cni_enable_ipv4   = true
 
-  role_policy_arns = {
-    "sqs_policy" = aws_iam_policy.sqs.arn
-  }
+  role_policy_arns = local.karpenter_controller_role_policy_arns
 
   oidc_providers = {
     main = {
diff --git a/variables.tf b/variables.tf
@@ -29,10 +29,17 @@ variable "additional_controller_node_iam_role_arns" {
   default     = []
 }
 
+variable "additional_controller_role_policies_arn" {
+  description = "arn of dditional policies to attach to the karpenter controller role (Example {'x-policy' = arn:aws:iam::123456789012:policy/x-policy})"
+  type        = any
+  default     = {}
+}
+
 variable "controller_nodegroup_name" {
   description = "The initial nodegroup name"
   type        = string
 }
+
 variable "sqs_enable_encryption" {
   description = "Enable Server side encryption for SQS"
   type        = bool
diff --git a/versions.tf b/versions.tf
@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 1.4"
+  required_version = ">= 1.8"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.17.0"
+      version = "5.61.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -41,4 +41,10 @@ locals {`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`	`}`
	`44`	`+ karpenter_controller_role_policy_arns = merge(`
	`45`	`+ {`
	`46`	`+ "sqs_policy" = aws_iam_policy.sqs.arn`
	`47`	`+ },`
	`48`	`+ var.additional_controller_role_policies_arn`
	`49`	`+ )`
`44`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,9 @@`
`1`	`1`	`terraform {`
`2`		`- required_version = ">= 1.4"`
	`2`	`+ required_version = ">= 1.8"`
`3`	`3`	`required_providers {`
`4`	`4`	`aws = {`
`5`	`5`	`source = "hashicorp/aws"`
`6`		`- version = "5.17.0"`
	`6`	`+ version = "5.61.0"`
`7`	`7`	`}`
`8`	`8`	`}`
`9`	`9`	`}`