From dea6c44b459a546b1386563dfd497bc9d766bfe1 Mon Sep 17 00:00:00 2001
From: joey100
Date: Sun, 27 Oct 2024 08:12:25 +0800
Subject: [PATCH] fix: Use dynamic partition data source to determine DNS suffix for Karpenter EC2 pass role permission (#3193)
* fix karpenter iam passrole to ec2 api bug, to support aws cn
* fix: Use dyanmic partition value for DNS suffix
---------
Co-authored-by: Shuiping
Co-authored-by: Bryant Biggs
---
 modules/karpenter/policy.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
index 456a27f..7fb04e4 100644
--- a/modules/karpenter/policy.tf
+++ b/modules/karpenter/policy.tf
@@ -195,7 +195,7 @@ data "aws_iam_policy_document" "v033" {
 condition {
 test = "StringEquals"
 variable = "iam:PassedToService"
- values = ["ec2.amazonaws.com"]
+ values = ["ec2.${local.dns_suffix}"]
 }
 }
@@ -584,7 +584,7 @@ data "aws_iam_policy_document" "v1" {
 condition {
 test = "StringEquals"
 variable = "iam:PassedToService"
- values = ["ec2.amazonaws.com"]
+ values = ["ec2.${local.dns_suffix}"]
 }
 }
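Review bot: The `iam:PassedToService` value in the `v033` condition block now depends on `local.dns_suffix`, which is defined outside this hunk, and nothing beside it explains why the EC2 service principal varies by partition. The identical line in the `v1` document has the same gap. I would add a comment above `values` in both places, for example `# EC2 service principal is partition-specific (e.g. aws-cn); must match exactly or iam:PassRole is not granted`. Because the test is `StringEquals`, a wrong or empty suffix should fail closed rather than widen the permission, assuming the enclosing statement (not visible here) is an Allow. It is still worth checking the rendered value in a plan for each partition the module targets, since the two statements start and end outside the hunks.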