fix: Insufficient permissions for karpenter policy when not using kar…

…penter discovery tags on security group (#294) Co-authored-by: Arvid Mildner <arvid.mildner@rikstv.no> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
terraform-aws-modules · Oct 26, 2022 · 5ad496b · 5ad496b
1 parent 99d64b6
commit 5ad496b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -547,7 +547,6 @@ data "aws_iam_policy_document" "karpenter_controller" {
     actions = ["ec2:RunInstances"]
     resources = [
       "arn:${local.partition}:ec2:*:${local.account_id}:launch-template/*",
-      "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*",
     ]
 
     condition {
@@ -563,6 +562,7 @@ data "aws_iam_policy_document" "karpenter_controller" {
       "arn:${local.partition}:ec2:*::image/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:instance/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:spot-instances-request/*",
+      "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:volume/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:network-interface/*",
       "arn:${local.partition}:ec2:*:${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/*",