From b17b6d177b8d2f27d5f31a351a6c5780db9d5646 Mon Sep 17 00:00:00 2001
From: Dennis Kern
Date: Tue, 20 Aug 2024 11:05:11 +0200
Subject: [PATCH] remove orphan irsa plicy

---
 .spacelift/config.yml     |   2 +-
 modules/karpenter/main.tf | 121 --------------------------------------
 2 files changed, 1 insertion(+), 122 deletions(-)

diff --git a/.spacelift/config.yml b/.spacelift/config.yml
index 34748135dc..6170a4a2e2 100644
--- a/.spacelift/config.yml
+++ b/.spacelift/config.yml
@@ -1,2 +1,2 @@
 version: 1
-module_version: 20.14.0
+module_version: 20.14.1
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
index 4b31eb5da7..8a3c9c1b71 100644
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -646,124 +646,3 @@ resource "aws_iam_instance_profile" "this" {
   tags = merge(var.tags, var.node_iam_role_tags)
 }
 
-
-################################################################################
-# create new Iam policy and attach it to role ffor old Karpenter
-#
-################################################################################
-locals {
-
-  irsa_name        = coalesce(var.iam_role_name, "KarpenterIRSA-${var.cluster_name}")
-  irsa_policy_name = coalesce(var.iam_policy_name, local.irsa_name)
-
-}
-
-data "aws_iam_policy_document" "irsa1" {
-  count = var.enable_irsa ? 1 : 0
-
-  statement {
-    actions = [
-      "ec2:CreateLaunchTemplate",
-      "ec2:CreateFleet",
-      "ec2:CreateTags",
-      "ec2:DescribeLaunchTemplates",
-      "ec2:DescribeImages",
-      "ec2:DescribeInstances",
-      "ec2:DescribeSecurityGroups",
-      "ec2:DescribeSubnets",
-      "ec2:DescribeInstanceTypes",
-      "ec2:DescribeInstanceTypeOfferings",
-      "ec2:DescribeAvailabilityZones",
-      "ec2:DescribeSpotPriceHistory",
-      "pricing:GetProducts",
-    ]
-
-    resources = ["*"]
-  }
-
-  statement {
-    actions = [
-      "ec2:TerminateInstances",
-      "ec2:DeleteLaunchTemplate",
-    ]
-
-    resources = ["*"]
-
-    condition {
-      test     = "StringEquals"
-      variable = "ec2:ResourceTag/karpenter.sh/discovery"
-      values   = ["${var.cluster_name}"]
-    }
-  }
-
-  statement {
-    actions = ["ec2:RunInstances"]
-    resources = [
-      "arn:${local.partition}:ec2:*:${local.account_id}:launch-template/*",
-    ]
-
-    condition {
-      test     = "StringEquals"
-      variable = "ec2:ResourceTag/karpenter.sh/discovery"
-      values   = ["${var.cluster_name}"]
-    }
-  }
-
-  statement {
-    actions = ["ec2:RunInstances"]
-    resources = [
-      "arn:${local.partition}:ec2:*::image/*",
-      "arn:${local.partition}:ec2:*::snapshot/*",
-      "arn:${local.partition}:ec2:*:${local.account_id}:instance/*",
-      "arn:${local.partition}:ec2:*:${local.account_id}:spot-instances-request/*",
-      "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*",
-      "arn:${local.partition}:ec2:*:${local.account_id}:volume/*",
-      "arn:${local.partition}:ec2:*:${local.account_id}:network-interface/*",
-      "arn:${local.partition}:ec2:*:${local.account_id}:subnet/*",
-    ]
-  }
-
-  statement {
-    actions   = ["ssm:GetParameter"]
-    resources = ["arn:aws:ssm:*:*:parameter/aws/service/*"]
-  }
-
-  statement {
-    actions   = ["eks:DescribeCluster"]
-    resources = ["arn:${local.partition}:eks:*:${local.account_id}:cluster/${var.cluster_name}"]
-  }
-
-  statement {
-    actions   = ["iam:PassRole"]
-    resources = [var.enable_irsa ? aws_iam_role.node[0].arn : var.node_iam_role_arn]
-  }
-
-  dynamic "statement" {
-    for_each = local.enable_spot_termination ? [1] : []
-
-    content {
-      actions = [
-        "sqs:DeleteMessage",
-        "sqs:GetQueueUrl",
-        "sqs:GetQueueAttributes",
-        "sqs:ReceiveMessage",
-      ]
-      resources = [aws_sqs_queue.this[0].arn]
-    }
-  }
-}
-
-resource "aws_iam_policy" "irsa1" {
-  count = var.enable_irsa ? 1 : 0
-
-  name_prefix = "${local.irsa_policy_name}-"
-  policy      = data.aws_iam_policy_document.irsa1[0].json
-
-
-}
-resource "aws_iam_role_policy_attachment" "irsa1" {
-  count = var.enable_irsa ? 1 : 0
-
-  role       = aws_iam_role.controller[0].name
-  policy_arn = aws_iam_policy.irsa1[0].arn
-}
\ No newline at end of file