
Small update to opentofu for deploy #120

Merged
spwoodcock merged 1 commit into main from fix/worker-disk-size
Mar 21, 2026

Conversation

@spwoodcock
Member

What type of PR is this? (check all applicable)

  • 🍕 Feature
  • 🐛 Bug Fix
  • 📝 Documentation
  • 🧑‍💻 Refactor
  • ✅ Test
  • 🤖 Build or CI
  • ❓ Other (please specify)

Related Issue

Example: Fixes #123

Describe this PR

A brief description of how this solves the issue.

Screenshots

Please provide screenshots of the change.

Alternative Approaches Considered

Did you attempt any other approaches that are not documented in code?

Review Guide

Notes for the reviewer. How to test this change?

Checklist before requesting a review

  • 📖 Read the HOT Contributing Guide: https://docs.hotosm.org/become-a-contributor/
  • 📖 Read the HOT Code of Conduct: https://docs.hotosm.org/code-of-conduct
  • 👷‍♀️ Create small PRs. In most cases, this will be possible.
  • ✅ Provide tests for your changes.
  • 📝 Use descriptive commit messages.
  • 📗 Update any related documentation and include any relevant screenshots.
  • 🔠 Does this PR introduce or change any environment variables? If so, make sure to specify this change in the description.

[optional] What gif best describes this PR or how it makes you feel?

@github-actions

github-actions bot commented Mar 21, 2026

tofu apply -chdir=terraform tfplan
Diff of 24 changes.
~ data.aws_iam_policy_document.assume_role_with_oidc will be read during apply
# (depends on a resource or a module with changes pending)
~ data.aws_iam_policy_document.cluster_autoscaler will be read during apply
# (depends on a resource or a module with changes pending)
~ data.aws_iam_policy_document.karpenter_controller will be read during apply
# (depends on a resource or a module with changes pending)
~ data.aws_iam_policy_document.karpenter_controller_assume_role will be read during apply
# (depends on a resource or a module with changes pending)
~ data.tls_certificate.cluster_oidc_certificate will be read during apply
# (depends on a resource or a module with changes pending)
! aws_eks_access_entry.admin_access[0] will be updated in-place
! aws_eks_access_entry.admin_access[1] will be updated in-place
! aws_eks_access_entry.admin_access[2] will be updated in-place
! aws_eks_addon.ebs_provisioner will be updated in-place
! aws_eks_cluster.cluster will be updated in-place
+ aws_eks_node_group.core_nodes will be created
! aws_iam_instance_profile.karpenter_node will be updated in-place
! aws_iam_openid_connect_provider.cluster_oidc will be updated in-place
! aws_iam_policy.cluster_autoscaler will be updated in-place
! aws_iam_policy.eks_s3_access[0] will be updated in-place
! aws_iam_policy.karpenter_controller will be updated in-place
! aws_iam_role.bucket_access will be updated in-place
! aws_iam_role.cluster_autoscaler will be updated in-place
! aws_iam_role.cluster_control_plane will be updated in-place
! aws_iam_role.ebs_provisioner will be updated in-place
! aws_iam_role.karpenter_controller will be updated in-place
! aws_iam_role.karpenter_node will be updated in-place
! aws_iam_role.nodegroup will be updated in-place
! aws_sqs_queue.karpenter_interruption_queue will be updated in-place
Error: creating EKS Node Group (hotosm-production-cluster:core): operation error EKS: CreateNodegroup, https response error StatusCode: 403, RequestID: 36d342a7-b4eb-493b-801a-09ee8b0ace96, api error AccessDeniedException: User: arn:aws:sts::670261699094:assumed-role/Github-AWS-OIDC/GitHubActions is not authorized to perform: eks:CreateNodegroup on resource: arn:aws:eks:us-east-1:670261699094:cluster/hotosm-production-cluster because no identity-based policy allows the eks:CreateNodegroup action
By @spwoodcock at 2026-03-21T03:52:48Z (view log).
Error: updating tags for IAM (Identity & Access Management) OIDC Provider (arn:aws:iam::670261699094:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/6C1C4902845266176B6D3D16899B4665): tagging resource (arn:aws:iam::670261699094:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/6C1C4902845266176B6D3D16899B4665): operation error IAM: TagOpenIDConnectProvider, https response error StatusCode: 403, RequestID: 8a2222cc-8ebb-4156-9338-c1b587ed6096, api error AccessDenied: User: arn:aws:sts::670261699094:assumed-role/Github-AWS-OIDC/GitHubActions is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::670261699094:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/6C1C4902845266176B6D3D16899B4665 because no identity-based policy allows the iam:TagOpenIDConnectProvider action

  with aws_iam_openid_connect_provider.cluster_oidc,
  on cluster.tf line 66, in resource "aws_iam_openid_connect_provider" "cluster_oidc":
  66: resource "aws_iam_openid_connect_provider" "cluster_oidc" {


Error: updating tags for IAM (Identity & Access Management) Instance Profile (KarpenterNodeRole-hotosm-production-cluster): tagging resource (KarpenterNodeRole-hotosm-production-cluster): operation error IAM: TagInstanceProfile, https response error StatusCode: 403, RequestID: 30f0d5bb-81a4-4909-a78d-664681e34fad, api error AccessDenied: User: arn:aws:sts::670261699094:assumed-role/Github-AWS-OIDC/GitHubActions is not authorized to perform: iam:TagInstanceProfile on resource: instance profile KarpenterNodeRole-hotosm-production-cluster because no identity-based policy allows the iam:TagInstanceProfile action

  with aws_iam_instance_profile.karpenter_node,
  on nodes.tf line 68, in resource "aws_iam_instance_profile" "karpenter_node":
  68: resource "aws_iam_instance_profile" "karpenter_node" {


Error: creating EKS Node Group (hotosm-production-cluster:core): operation error EKS: CreateNodegroup, https response error StatusCode: 403, RequestID: 36d342a7-b4eb-493b-801a-09ee8b0ace96, api error AccessDeniedException: User: arn:aws:sts::670261699094:assumed-role/Github-AWS-OIDC/GitHubActions is not authorized to perform: eks:CreateNodegroup on resource: arn:aws:eks:us-east-1:670261699094:cluster/hotosm-production-cluster because no identity-based policy allows the eks:CreateNodegroup action

  with aws_eks_node_group.core_nodes,
  on nodes.tf line 73, in resource "aws_eks_node_group" "core_nodes":
  73: resource "aws_eks_node_group" "core_nodes" {

cluster]
aws_sqs_queue.karpenter_interruption_queue: Modifications complete after 0s [id=https://sqs.us-east-1.amazonaws.com/670261699094/hotosm-production-cluster]
data.aws_iam_policy_document.karpenter_controller: Reading...
data.aws_iam_policy_document.karpenter_controller: Read complete after 0s [id=939876147]
aws_iam_policy.karpenter_controller: Modifying... [id=arn:aws:iam::670261699094:policy/hotosm-production-KarpenterControllerPolicy]
aws_eks_access_entry.admin_access[2]: Modifications complete after 0s [id=hotosm-production-cluster:arn:aws:iam::670261699094:role/NAXA_cross_account_role]
aws_eks_access_entry.admin_access[1]: Modifications complete after 0s [id=hotosm-production-cluster:arn:aws:iam::670261699094:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AdministratorAccess_5f15c01bb91071f4]
aws_eks_access_entry.admin_access[0]: Modifications complete after 0s [id=hotosm-production-cluster:arn:aws:iam::670261699094:role/Github-AWS-OIDC]
aws_iam_policy.karpenter_controller: Modifications complete after 0s [id=arn:aws:iam::670261699094:policy/hotosm-production-KarpenterControllerPolicy]

@spwoodcock spwoodcock merged commit 5389e93 into main Mar 21, 2026
1 check passed
@spwoodcock spwoodcock deleted the fix/worker-disk-size branch March 21, 2026 03:52