fix: Use dynamic partition data source to determine DNS suffix for Karpenter EC2 pass role permission (#3193)

joey100 · Shuiping · bryantbiggs · web-flow · commit dea6c44b459a · 2024-10-26T19:12:25.000-05:00
* fix karpenter iam passrole to ec2 api bug, to support aws cn

* fix: Use dyanmic partition value for DNS suffix

---------

Co-authored-by: Shuiping &lt;shuiping@Shuipings-MacBook-Pro.local&gt;
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
@@ -195,7 +195,7 @@ data "aws_iam_policy_document" "v033" {
     condition {
       test     = "StringEquals"
       variable = "iam:PassedToService"
-      values   = ["ec2.amazonaws.com"]
+      values   = ["ec2.${local.dns_suffix}"]
     }
   }
 
@@ -584,7 +584,7 @@ data "aws_iam_policy_document" "v1" {
     condition {
       test     = "StringEquals"
       variable = "iam:PassedToService"
-      values   = ["ec2.amazonaws.com"]
+      values   = ["ec2.${local.dns_suffix}"]
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,7 @@ data "aws_iam_policy_document" "v033" {`
`195`	`195`	`condition {`
`196`	`196`	`test = "StringEquals"`
`197`	`197`	`variable = "iam:PassedToService"`
`198`		`- values = ["ec2.amazonaws.com"]`
	`198`	`+ values = ["ec2.${local.dns_suffix}"]`
`199`	`199`	`}`
`200`	`200`	`}`
`201`	`201`
`@@ -584,7 +584,7 @@ data "aws_iam_policy_document" "v1" {`
`584`	`584`	`condition {`
`585`	`585`	`test = "StringEquals"`
`586`	`586`	`variable = "iam:PassedToService"`
`587`		`- values = ["ec2.amazonaws.com"]`
	`587`	`+ values = ["ec2.${local.dns_suffix}"]`
`588`	`588`	`}`
`589`	`589`	`}`
`590`	`590`