fix: Correct Karpenter EC2 service principal DNS suffix in non-commercial regions (#3157)

bryantbiggs · web-flow · commit 47ab3eb884ab · 2024-09-16T10:36:15.000-05:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.95.0
+    rev: v1.96.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
@@ -4,6 +4,7 @@ data "aws_caller_identity" "current" {}
 
 locals {
   account_id = data.aws_caller_identity.current.account_id
+  dns_suffix = data.aws_partition.current.dns_suffix
   partition  = data.aws_partition.current.partition
   region     = data.aws_region.current.name
 }
@@ -286,7 +287,7 @@ data "aws_iam_policy_document" "node_assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
+      identifiers = ["ec2.${local.dns_suffix}"]
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ data "aws_caller_identity" "current" {}`
`4`	`4`
`5`	`5`	`locals {`
`6`	`6`	`account_id = data.aws_caller_identity.current.account_id`
	`7`	`+ dns_suffix = data.aws_partition.current.dns_suffix`
`7`	`8`	`partition = data.aws_partition.current.partition`
`8`	`9`	`region = data.aws_region.current.name`
`9`	`10`	`}`
`@@ -286,7 +287,7 @@ data "aws_iam_policy_document" "node_assume_role" {`
`286`	`287`
`287`	`288`	`principals {`
`288`	`289`	`type = "Service"`
`289`		`- identifiers = ["ec2.amazonaws.com"]`
	`290`	`+ identifiers = ["ec2.${local.dns_suffix}"]`
`290`	`291`	`}`
`291`	`292`	`}`
`292`	`293`	`}`