
feat: Add optional list of policy ARNs for attachment to Karpenter IRSA #2537

Conversation

Constantin07
Contributor

@Constantin07 Constantin07 commented Mar 27, 2023

Description

This PR addresses the issue (feature request) reported in #2535

Motivation and Context

It adds the possibility to attach a custom IAM policy ARN (with access to a KMS CMK) to the Karpenter IRSA.
At the moment this is not possible. The only way is to add a KMS usage policy to the KMS resource, which is inconvenient in our case because it's managed by another team.
We would like to attach a custom IAM policy to the principal, i.e. the Karpenter IRSA.

Resolves #2535
Resolves #2540

Breaking Changes

No.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
    Note: I cannot add an existing managed IAM policy ARN for CMK KMS because Amazon doesn't provide one I could simply reference in examples.
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

Ran the terraform plan referencing my fork branch with one CMK KMS policy ARN:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.karpenter.aws_iam_role_policy_attachment.irsa_additional["0"] will be created
  + resource "aws_iam_role_policy_attachment" "irsa_additional" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::**************:policy/project-eu-west-1-dev1-core-kms-eks-ebs-user"
      + role       = "project-dev1-karpenter-irsa"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
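An added usage example (not code from this PR or from the module itself) showing the kind of least-privilege CMK usage policy the PR description calls for and how it would be handed to the Karpenter module through the new optional list of policy ARNs. The input name `irsa_additional_policy_arns` and the variable `ebs_cmk_arn` are placeholders, since this page does not state the module's actual input name; `module.eks` is assumed to be an existing EKS module instance.

```hcl
# Added example, not part of the PR. Placeholder names are marked inline.

# The team-managed CMK used for encrypted EBS volumes; passed in, not created here.
variable "ebs_cmk_arn" {
  type = string
}

# Only the KMS actions needed to launch nodes with CMK-encrypted volumes, scoped
# to that one key, rather than a broad kms:* grant.
data "aws_iam_policy_document" "karpenter_kms_ebs" {
  statement {
    sid       = "UseEbsCmk"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = [var.ebs_cmk_arn]
  }
  statement {
    # EC2 creates grants on the key on the caller's behalf; restrict CreateGrant
    # to grants made for AWS resources only.
    sid       = "CreateGrantForAwsResources"
    actions   = ["kms:CreateGrant"]
    resources = [var.ebs_cmk_arn]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "karpenter_kms_ebs" {
  name   = "karpenter-kms-ebs-user"
  policy = data.aws_iam_policy_document.karpenter_kms_ebs.json
}

module "karpenter" {
  source  = "terraform-aws-modules/eks/aws//modules/karpenter"
  version = "19.11.0"

  cluster_name           = module.eks.cluster_name
  irsa_oidc_provider_arn = module.eks.oidc_provider_arn

  # Placeholder for the module input added in 19.11.0: an optional list of
  # policy ARNs attached to the Karpenter IRSA role via
  # aws_iam_role_policy_attachment.irsa_additional.
  irsa_additional_policy_arns = [aws_iam_policy.karpenter_kms_ebs.arn]
}
```

Note that an IAM policy on the principal only grants CMK access if the key policy itself delegates permissions to IAM in that account (the default "Enable IAM User Permissions" statement); if the other team's key policy does not, the attachment alone is not sufficient.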

@Constantin07 Constantin07 changed the title Add optional list of policy ARNs for attachment to Karpenter IRSA feat: Add optional list of policy ARNs for attachment to Karpenter IRSA Mar 27, 2023
@Constantin07
Contributor Author

Hi @bryantbiggs, not sure you are the right person to ask, but could you please review this PR?

Member

@bryantbiggs bryantbiggs left a comment


Thank you for the addition!

@bryantbiggs bryantbiggs merged commit bd387d6 into terraform-aws-modules:master Mar 28, 2023
antonbabenko pushed a commit that referenced this pull request Mar 28, 2023
## [19.11.0](v19.10.3...v19.11.0) (2023-03-28)

### Features

* Add optional list of policy ARNs for attachment to Karpenter IRSA ([#2537](#2537)) ([bd387d6](bd387d6))
@antonbabenko
Member

This PR is included in version 19.11.0 🎉

@joshuabaird

joshuabaird commented Mar 28, 2023

Thanks for the fix! I was just about to start working on this!

fargate_profiles = {


@bryantbiggs Is it no longer a recommendation to create one Fargate profile per AZ as noted here?

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 28, 2023
@Constantin07 Constantin07 deleted the karpenter_support_policy_arns branch April 28, 2023 06:33