fix: Avoid restricting Karpenter RunInstances subnets by tag key (#247

)
terraform-aws-modules · May 10, 2022 · bbbe0c0 · bbbe0c0
1 parent 775555c
commit bbbe0c0
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.68.1
+    rev: v1.71.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -552,7 +552,6 @@ data "aws_iam_policy_document" "karpenter_controller" {
     resources = [
       "arn:${local.partition}:ec2:*:${local.account_id}:launch-template/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*",
-      "arn:${local.partition}:ec2:*:${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/*",
     ]
 
     condition {
@@ -569,6 +568,7 @@ data "aws_iam_policy_document" "karpenter_controller" {
       "arn:${local.partition}:ec2:*:${local.account_id}:instance/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:volume/*",
       "arn:${local.partition}:ec2:*:${local.account_id}:network-interface/*",
+      "arn:${local.partition}:ec2:*:${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/*",
     ]
   }