From 3ad19d7435f34600e4872fd131e155583e498cd9 Mon Sep 17 00:00:00 2001
From: Piotr Roszatycki
Date: Mon, 11 Mar 2024 00:16:24 +0100
Subject: [PATCH] fix: Do not attach policy if Karpenter node role is not created by module (#2964)
---
 modules/karpenter/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index 719ceac..6ce53f9 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -570,7 +570,7 @@ resource "aws_iam_role_policy_attachment" "node" {
 AmazonEC2ContainerRegistryReadOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
 AmazonEKS_CNI_IPv6_Policy = var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" ? local.cni_policy : ""
 AmazonEKS_CNI_Policy = var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" ? local.cni_policy : ""
- } : k => v if var.create && var.create_iam_role && v != "" }
+ } : k => v if local.create_node_iam_role && v != "" }
 policy_arn = each.value
 role = aws_iam_role.node[0].name
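Review bot: The new `for_each` filter on `local.create_node_iam_role` is only safe if `aws_iam_role.node` uses the same local for its own `count`, because the unchanged `role = aws_iam_role.node[0].name` below still hard-indexes element 0; if the two conditions ever diverge, the plan fails with an index error rather than skipping the attachment. `local.create_node_iam_role` is defined outside this hunk, so that equivalence cannot be confirmed here and is worth a comment at the filter, e.g. `# attach only when this module owns the node role; must match the count on aws_iam_role.node`. It is also worth stating in the resource header comment that a caller-supplied node role receives none of these managed policies (including the CNI policies), since the caller then has to grant the node's EKS permissions themselves. The enclosing `resource "aws_iam_role_policy_attachment" "node"` block starts and ends outside the hunk.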