diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b5adebd..15d3d3e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,7 +23,7 @@ repos:
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: v4.5.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf
index 068ba6c..b925de7 100644
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -160,7 +160,13 @@ module "karpenter" {
cluster_name = module.eks.cluster_name
irsa_oidc_provider_arn = module.eks.oidc_provider_arn
- policies = {
+ # Used to attach additional IAM policies to the Karpenter controller IRSA role
+ # policies = {
+ # "xxx" = "yyy"
+ # }
+
+ # Used to attach additional IAM policies to the Karpenter node IAM role
+ iam_role_additional_policies = {
AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
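Review bot: The new `iam_role_additional_policies` entry attaches `AmazonSSMManagedInstanceCore` to every node Karpenter launches, but the comment only says the map attaches "additional IAM policies" and not why this particular policy is in the example; readers who copy it inherit node-level Systems Manager registration (and with it Session Manager access) without knowing it. Replace the comment on the `iam_role_additional_policies` line with `# Optional: AmazonSSMManagedInstanceCore lets the SSM agent on Karpenter nodes register with Systems Manager (e.g. for Session Manager); drop it if that access is not needed`. The commented-out `policies` block above it keeps the `"xxx" = "yyy"` placeholder, which is fine as an illustration, but its comment should also make clear that it targets the controller's IRSA role rather than the node role so the two maps are not confused. The `module "karpenter"` block begins outside the hunk.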
@@ -176,7 +182,7 @@ resource "helm_release" "karpenter" {
repository_username = data.aws_ecrpublic_authorization_token.token.user_name
repository_password = data.aws_ecrpublic_authorization_token.token.password
chart = "karpenter"
- version = "v0.21.1"
+ version = "v0.29.0"
set {
name = "settings.aws.clusterName"
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
index f7b57c0..4a7f9c7 100644
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -42,6 +42,11 @@ module "karpenter" {
irsa_oidc_provider_arn = module.eks.oidc_provider_arn
irsa_namespace_service_accounts = ["karpenter:karpenter"]
+ # Attach additional IAM policies to the Karpenter node IAM role
+ iam_role_additional_policies = {
+ AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+ }
+
tags = {
Environment = "dev"
Terraform = "true"
@@ -146,7 +151,7 @@ No modules.
| [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an IAM instance profile | `bool` | `true` | no |
| [create\_irsa](#input\_create\_irsa) | Determines whether an IAM role for service accounts is created | `bool` | `true` | no |
| [enable\_spot\_termination](#input\_enable\_spot\_termination) | Determines whether to enable native spot termination handling | `bool` | `true` | no |
-| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `list(string)` | `[]` | no |
+| [iam\_role\_additional\_policies](#input\_iam\_role\_additional\_policies) | Additional policies to be added to the IAM role | `map(string)` | `{}` | no |
| [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN for the IAM instance profile. Required if `create_iam_role` is set to `false` | `string` | `null` | no |
| [iam\_role\_attach\_cni\_policy](#input\_iam\_role\_attach\_cni\_policy) | Whether to attach the `AmazonEKS_CNI_Policy`/`AmazonEKS_CNI_IPv6_Policy` IAM policy to the IAM IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster | `bool` | `true` | no |
| [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index 19399ce..223c400 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -224,7 +224,6 @@ data "aws_iam_policy_document" "queue" {
"sqs.${local.dns_suffix}",
]
}
-
}
}
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
index 95a5a1d..c025237 100644
--- a/modules/karpenter/variables.tf
+++ b/modules/karpenter/variables.tf
@@ -223,8 +223,8 @@ variable "iam_role_attach_cni_policy" {
variable "iam_role_additional_policies" {
description = "Additional policies to be added to the IAM role"
- type = list(string)
- default = []
+ type = map(string)
+ default = {}
}
variable "iam_role_tags" {
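Review bot: Changing `iam_role_additional_policies` from `list(string)` to `map(string)` is a breaking change for every caller that passes a list, and nothing in the hunk (or the unchanged `description`) tells them the new shape; Terraform will reject the old value with a type error rather than a migration hint. The description should state what the keys and values are, as the README and example show: `description = "Additional policies to be added to the IAM role, as a map of arbitrary key (e.g. the policy name) to IAM policy ARN"`. It is also worth adding a `validation` block that checks each value starts with `arn:` so a policy name accidentally given as a value fails at plan time instead of at `aws_iam_role_policy_attachment` apply time; that addition is a few lines and can be appended inside the variable block.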