fix: Use dynamic partition data source to determine DNS suffix for Karpenter EC2 pass role permission (#3193)

* fix karpenter iam passrole to ec2 api bug, to support aws cn

* fix: Use dynamic partition value for DNS suffix

---------

Co-authored-by: Shuiping <shuiping@Shuipings-MacBook-Pro.local>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
joey100
2024-10-27 08:12:25 +08:00
committed by GitHub
parent 4abc779c0e
commit dea6c44b45


@@ -195,7 +195,7 @@ data "aws_iam_policy_document" "v033" {
condition {
test = "StringEquals"
variable = "iam:PassedToService"
values = ["ec2.amazonaws.com"]
values = ["ec2.${local.dns_suffix}"]
}
}
@@ -584,7 +584,7 @@ data "aws_iam_policy_document" "v1" {
condition {
test = "StringEquals"
variable = "iam:PassedToService"
values = ["ec2.amazonaws.com"]
values = ["ec2.${local.dns_suffix}"]
}
}
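Review bot: The `iam:PassedToService` value in both policy documents (`v033` and `v1`) now depends on `local.dns_suffix`, which is defined outside these hunks, so it is worth confirming that the interpolated string is exactly what IAM presents for EC2 in every partition the module is meant to support. `StringEquals` against a single value is an exact match, so a partition whose DNS suffix does not line up with the EC2 service principal would presumably fail closed: `iam:PassRole` is denied and nodes never launch, which is the safe direction but hard to diagnose from the Karpenter side. A short comment above each `values` line would record the intent, for example `# Service principal is partition-specific (ec2.amazonaws.com.cn in aws-cn); keeps PassRole restricted to EC2`. The enclosing `statement` blocks start and end outside the hunks, so the actions and resources this condition guards are not visible here.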