terraform-aws-modules/terraform-aws-iam

EKS IAM Roles Service Accounts - Karpenter Missing policy actions

tip-dteller opened this issue · 3 comments

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: 5.22.0
  • Terraform version: 1.5.1
  • Provider version(s): 5.x

Reproduction Code [Required]

terraform apply

Steps to reproduce the behavior:

No

Yes

Deploying the EKS IAM Service Accounts module with Karpenter attachment

Expected behavior

Module does everything correctly but the Karpenter policy is missing 3 actions.

Actual behavior

Karpenter fails to perform operation.

Deploying the EKS IAM roles for service accounts -> attach Karpenter policy:
everything gets created in AWS as it should.
However, the policy is missing 3 actions.

Terminal Output Screenshot(s)


These are the missing policies:
"ssm:GetParameter", "ec2:RunInstances", "ec2:DeleteLaunchTemplate"

According to the Karpenter documentation, which can be found here:
https://karpenter.sh/v0.28/getting-started/migrating-from-cas/#create-iam-roles

Additional context

Those permissions are available.

Sorry for the issue - we will continue to check why those 3 are not applied.
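
One way to check a rendered policy for the three actions discussed in this thread, as an added example that is not code from the issue or from the module. The sample policy is constructed, and `find_grants` and `missing_actions` are names chosen here; the check looks across every Allow statement, expands wildcards, and flags grants that sit behind a Condition, which is where an action can be present yet easy to overlook.

```python
import fnmatch
import json

# Actions the issue reports as missing from the Karpenter policy.
REQUIRED = ["ssm:GetParameter", "ec2:RunInstances", "ec2:DeleteLaunchTemplate"]

# Constructed sample policy (not the module's real output): the actions are
# spread over several statements, one via wildcard, one behind a Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Describe", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:CreateLaunchTemplate"], "Resource": "*"},
        {"Sid": "Launch", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "*"},
        {"Sid": "Params", "Effect": "Allow",
         "Action": ["ssm:Get*"], "Resource": "arn:aws:ssm:*:*:parameter/example/*"},
        {"Sid": "Cleanup", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteLaunchTemplate"],
         "Condition": {"StringEquals": {"aws:ResourceTag/example-key": "example"}}},
    ],
})


def as_list(value):
    """IAM accepts a single string/object or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def find_grants(policy_json, required=REQUIRED):
    """Map each required action to [(sid, has_condition)] for the Allow statements
    that match it. Deny, NotAction and Resource scoping are not evaluated."""
    grants = {action: [] for action in required}
    statements = as_list(json.loads(policy_json).get("Statement", []))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may use * and ? wildcards.
        patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                sid = stmt.get("Sid", f"statement[{index}]")
                grants[action].append((sid, "Condition" in stmt))
    return grants


def missing_actions(policy_json, required=REQUIRED):
    """Required actions that no Allow statement grants at all."""
    return [a for a, hits in find_grants(policy_json, required).items() if not hits]
```

Pass it the JSON of the policy that Terraform actually created instead of `SAMPLE_POLICY`; an empty result from `missing_actions` means each action is granted somewhere, and the `has_condition` flag shows which grants only apply under a Condition.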

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.