feat: Add Karpenter v1beta1 compatibility (#2800)

* feat: Add Karpenter v1beta1 compatibility * fix: Update to make changes opt-in * fix: Update resource schemas to align with latest Karpenter version - validated and working as intended --------- Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
2026-02-25 03:54:52 +01:00 · 2023-11-01 08:33:07 -07:00
parent 69eb4569b9
commit aec2bab1d8
6 changed files with 85 additions and 58 deletions
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -150,6 +150,7 @@ No modules.
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
 | <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an IAM instance profile | `bool` | `true` | no |
 | <a name="input_create_irsa"></a> [create\_irsa](#input\_create\_irsa) | Determines whether an IAM role for service accounts is created | `bool` | `true` | no |
+| <a name="input_enable_karpenter_instance_profile_creation"></a> [enable\_karpenter\_instance\_profile\_creation](#input\_enable\_karpenter\_instance\_profile\_creation) | Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1) or if Terraform will (v1alpha1) | `bool` | `false` | no |
 | <a name="input_enable_spot_termination"></a> [enable\_spot\_termination](#input\_enable\_spot\_termination) | Determines whether to enable native spot termination handling | `bool` | `true` | no |
 | <a name="input_iam_role_additional_policies"></a> [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the IAM instance profile. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -160,6 +160,24 @@ data "aws_iam_policy_document" "irsa" {
      resources = [aws_sqs_queue.this[0].arn]
    }
  }
+
+  # TODO - this will be replaced in v20.0 with the scoped policy provided by Karpenter
+  # https://github.com/aws/karpenter/blob/main/website/content/en/docs/upgrading/v1beta1-controller-policy.json
+  dynamic "statement" {
+    for_each = var.enable_karpenter_instance_profile_creation ? [1] : []
+
+    content {
+      actions = [
+        "iam:AddRoleToInstanceProfile",
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:GetInstanceProfile",
+        "iam:RemoveRoleFromInstanceProfile",
+        "iam:TagInstanceProfile",
+      ]
+      resources = ["*"]
+    }
+  }
 }

 resource "aws_iam_policy" "irsa" {
@@ -368,7 +386,7 @@ locals {
 }

 resource "aws_iam_instance_profile" "this" {
-  count = var.create && var.create_instance_profile ? 1 : 0
+  count = var.create && var.create_instance_profile && !var.enable_karpenter_instance_profile_creation ? 1 : 0

  name        = var.iam_role_use_name_prefix ? null : local.iam_role_name
  name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
--- a/modules/karpenter/variables.tf
+++ b/modules/karpenter/variables.tf
@@ -123,6 +123,12 @@ variable "irsa_assume_role_condition_test" {
  default     = "StringEquals"
 }

+variable "enable_karpenter_instance_profile_creation" {
+  description = "Determines whether Karpenter will be allowed to create the IAM instance profile (v1beta1) or if Terraform will (v1alpha1)"
+  type        = bool
+  default     = false
+}
+
 ################################################################################
 # Node Termination Queue
 ################################################################################