From cc6919de811f3972815d4ca26e5e0c8f64c2b894 Mon Sep 17 00:00:00 2001
From: tculp
Date: Tue, 6 Feb 2024 09:34:04 -0500
Subject: [PATCH] feat: Allow enable/disable of EKS pod identity for the Karpenter controller (#2902)

* Made EKS pod identities for the controller role toggleable

* Switched the variable to the singular form

--------

Co-authored-by: Tyler Culp
---
 modules/karpenter/README.md    |  3 ++-
 modules/karpenter/main.tf      | 20 ++++++++++++--------
 modules/karpenter/variables.tf |  8 +++++++-
 3 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
index e308215..00f724a 100644
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -135,7 +135,8 @@ No modules.
 | [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created | `bool` | `true` | no |
 | [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an IAM instance profile | `bool` | `false` | no |
 | [create\_node\_iam\_role](#input\_create\_node\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
-| [enable\_irsa](#input\_enable\_irsa) | Determines whether to enable support IAM role for service account | `bool` | `false` | no |
+| [enable\_irsa](#input\_enable\_irsa) | Determines whether to enable support for IAM role for service accounts | `bool` | `false` | no |
+| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Determines whether to enable support for EKS pod identity | `bool` | `true` | no |
 | [enable\_spot\_termination](#input\_enable\_spot\_termination) | Determines whether to enable native spot termination handling | `bool` | `true` | no |
 | [iam\_policy\_description](#input\_iam\_policy\_description) | IAM policy description | `string` | `"Karpenter controller IAM policy"` | no |
 | [iam\_policy\_name](#input\_iam\_policy\_name) | Name of the IAM policy | `string` | `"KarpenterController"` | no |
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index dfd6042..4fc3ef0 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -22,15 +22,19 @@ data "aws_iam_policy_document" "controller_assume_role" {
   count = local.create_iam_role ? 1 : 0
 
   # Pod Identity
-  statement {
-    actions = [
-      "sts:AssumeRole",
-      "sts:TagSession",
-    ]
+  dynamic "statement" {
+    for_each = var.enable_pod_identity ? [1] : []
 
-    principals {
-      type        = "Service"
-      identifiers = ["pods.eks.amazonaws.com"]
+    content {
+      actions = [
+        "sts:AssumeRole",
+        "sts:TagSession",
+      ]
+
+      principals {
+        type        = "Service"
+        identifiers = ["pods.eks.amazonaws.com"]
+      }
     }
   }
 
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
index 3af82d4..8d6bfe7 100644
--- a/modules/karpenter/variables.tf
+++ b/modules/karpenter/variables.tf
@@ -104,12 +104,18 @@ variable "ami_id_ssm_parameter_arns" {
   default     = []
 }
 
+variable "enable_pod_identity" {
+  description = "Determines whether to enable support for EKS pod identity"
+  type        = bool
+  default     = true
+}
+
 ################################################################################
 # IAM Role for Service Account (IRSA)
 ################################################################################
 
 variable "enable_irsa" {
-  description = "Determines whether to enable support IAM role for service account"
+  description = "Determines whether to enable support for IAM role for service accounts"
   type        = bool
   default     = false
 }
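Review bot: Making the Pod Identity statement conditional introduces a configuration in which `controller_assume_role` can end up with no statements at all: `enable_pod_identity = false` together with the default `enable_irsa = false`, assuming the IRSA statement further down this data source (outside the hunk) is gated on `var.enable_irsa` the same way. Nothing in the hunk guards against that, so `terraform plan` succeeds and the failure only surfaces at apply time when the role is created with an empty trust policy, which is a confusing place to learn that the controller has no way to assume its role. A `precondition` on the data source turns this into a plan-time error with a message that names both flags; the enclosing `data "aws_iam_policy_document"` block starts in the hunk header and ends past the hunk, so the `lifecycle` block below goes right after `count`.
```hcl
data "aws_iam_policy_document" "controller_assume_role" {
  count = local.create_iam_role ? 1 : 0

  # Fail at plan time instead of at apply time with an empty trust policy.
  lifecycle {
    precondition {
      condition     = var.enable_pod_identity || var.enable_irsa
      error_message = "At least one of enable_pod_identity or enable_irsa must be true when the controller IAM role is created."
    }
  }

  # … unchanged: Pod Identity and IRSA statements …
```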
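Review bot: The description of the new `enable_pod_identity` variable says only that it "enables support for EKS pod identity", which does not tell a reader what the flag actually changes (the trust statement for `pods.eks.amazonaws.com` on the controller IAM role) or that it is the counterpart of `enable_irsa`, so someone disabling both is not warned that the role becomes unusable. Suggested wording: `description = "Determines whether the controller IAM role trusts EKS Pod Identity (pods.eks.amazonaws.com); at least one of enable_pod_identity or enable_irsa should be true"`. The generated README row for this input should be regenerated to match.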