Merge pull request #64 from hotosm/fix/karpenter-autoscaler

dakotabenjamin · web-flow · commit 7bc52bfaab53 · 2026-01-29T16:43:53.000-05:00
Add more missing IAM policy statements
diff --git a/terraform/karpenter.tf b/terraform/karpenter.tf
@@ -43,8 +43,7 @@ data "aws_iam_policy_document" "karpenter_controller" {
       "ec2:CreateLaunchTemplate",
       "ec2:CreateFleet",
       "ec2:DescribeSpotPriceHistory",
-      "pricing:GetProducts",
-      "iam:ListInstanceProfiles"
+      "pricing:GetProducts"
     ]
     resources = ["*"]
   }
@@ -85,6 +84,85 @@ data "aws_iam_policy_document" "karpenter_controller" {
     ]
   }
 
+  statement {
+    sid    = "AllowScopedInstanceProfileCreationActions"
+    effect = "Allow"
+    actions = [
+      "iam:CreateInstanceProfile"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/kubernetes.io/cluster/${aws_eks_cluster.cluster.name}"
+      values   = ["owned"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    sid    = "AllowScopedInstanceProfileTagActions"
+    effect = "Allow"
+    actions = [
+      "iam:TagInstanceProfile"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/kubernetes.io/cluster/${aws_eks_cluster.cluster.name}"
+      values   = ["owned"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/kubernetes.io/cluster/${aws_eks_cluster.cluster.name}"
+      values   = ["owned"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
+      values   = ["*"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    sid    = "AllowScopedInstanceProfileActions"
+    effect = "Allow"
+    actions = [
+      "iam:AddRoleToInstanceProfile",
+      "iam:RemoveRoleFromInstanceProfile",
+      "iam:DeleteInstanceProfile"
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/kubernetes.io/cluster/${aws_eks_cluster.cluster.name}"
+      values   = ["owned"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass"
+      values   = ["*"]
+    }
+  }
+
+  statement {
+    sid    = "AllowInstanceProfileReadListActions"
+    effect = "Allow"
+    actions = [
+      "iam:ListInstanceProfiles",
+      "iam:GetInstanceProfile"
+    ]
+    resources = ["*"]
+  }
+
   # SQS permissions for interruption handling (not in the base guide but required when using interruptionQueue)
   statement {
     sid    = "SQSPolling"
