feat: Allow enable/disable of EKS pod identity for the Karpenter controller (#2902)

* Made EKS pod identities for the controller role toggleable * Switched the variable to the singular form --------- Co-authored-by: Tyler Culp <tyler.culp@polestardefense.com>
2026-01-15 16:23:58 +01:00 · 2024-02-06 09:34:04 -05:00
parent f6992b159c
commit cc6919de81
3 changed files with 21 additions and 10 deletions
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -135,7 +135,8 @@ No modules.
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created | `bool` | `true` | no |
 | <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an IAM instance profile | `bool` | `false` | no |
 | <a name="input_create_node_iam_role"></a> [create\_node\_iam\_role](#input\_create\_node\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
-| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Determines whether to enable support IAM role for service account | `bool` | `false` | no |
+| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Determines whether to enable support for IAM role for service accounts | `bool` | `false` | no |
 | <a name="input_enable_pod_identity"></a> [enable\_pod\_identity](#input\_enable\_pod\_identity) | Determines whether to enable support for EKS pod identity | `bool` | `true` | no |
 | <a name="input_enable_spot_termination"></a> [enable\_spot\_termination](#input\_enable\_spot\_termination) | Determines whether to enable native spot termination handling | `bool` | `true` | no |
 | <a name="input_iam_policy_description"></a> [iam\_policy\_description](#input\_iam\_policy\_description) | IAM policy description | `string` | `"Karpenter controller IAM policy"` | no |
 | <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | Name of the IAM policy | `string` | `"KarpenterController"` | no |
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -22,15 +22,19 @@ data "aws_iam_policy_document" "controller_assume_role" {
  count = local.create_iam_role ? 1 : 0
  # Pod Identity
-  statement {
+  dynamic "statement" {
-    actions = [
+    for_each = var.enable_pod_identity ? [1] : []
      "sts:AssumeRole",
      "sts:TagSession",
    ]
-    principals {
+    content {
-      type        = "Service"
+      actions = [
-      identifiers = ["pods.eks.amazonaws.com"]
+        "sts:AssumeRole",
        "sts:TagSession",
      ]
      principals {
        type        = "Service"
        identifiers = ["pods.eks.amazonaws.com"]
      }
    }
  }
--- a/modules/karpenter/variables.tf
+++ b/modules/karpenter/variables.tf
@@ -104,12 +104,18 @@ variable "ami_id_ssm_parameter_arns" {
  default     = []
 }
 variable "enable_pod_identity" {
  description = "Determines whether to enable support for EKS pod identity"
  type        = bool
  default     = true
 }
 ################################################################################
 # IAM Role for Service Account (IRSA)
 ################################################################################
 variable "enable_irsa" {
-  description = "Determines whether to enable support IAM role for service account"
+  description = "Determines whether to enable support for IAM role for service accounts"
  type        = bool
  default     = false
 }