feat: Use aws_service_principal data source for deriving IAM servic…

…e prinicpals (#3539) * fix: removed use of dns_suffix use the service prinipal name in policies Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk> * fix: added missing data. accessor Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk> * refactor: updates to address pr comments Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk> * refactor: updates to address pr comments Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk> * fix: Remove unused local var, run pre-commit --------- Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
SCT-Engineering · Oct 20, 2025 · 0b0ca66 · 0b0ca66
1 parent 4c77bbc
commit 0b0ca66
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 10 deletions.
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
@@ -123,6 +123,7 @@ No modules.
 | [aws_iam_policy_document.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service_principal.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 

diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
@@ -3,18 +3,26 @@ data "aws_region" "current" {
 
   region = var.region
 }
+
 data "aws_partition" "current" {
   count = var.create ? 1 : 0
 }
+
 data "aws_caller_identity" "current" {
   count = var.create ? 1 : 0
 }
 
+data "aws_service_principal" "ec2" {
+  count = var.create ? 1 : 0
+
+  service_name = "ec2"
+}
+
 locals {
-  account_id = try(data.aws_caller_identity.current[0].account_id, "")
-  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "")
-  partition  = try(data.aws_partition.current[0].partition, "")
-  region     = try(data.aws_region.current[0].region, "")
+  account_id  = try(data.aws_caller_identity.current[0].account_id, "")
+  ec2_sp_name = try(data.aws_service_principal.ec2[0].name, "")
+  partition   = try(data.aws_partition.current[0].partition, "")
+  region      = try(data.aws_region.current[0].region, "")
 }
 
 ################################################################################
@@ -313,7 +321,7 @@ data "aws_iam_policy_document" "node_assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["ec2.${local.dns_suffix}"]
+      identifiers = [local.ec2_sp_name]
     }
   }
 }

diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
@@ -234,7 +234,7 @@ data "aws_iam_policy_document" "controller" {
     condition {
       test     = "StringEquals"
       variable = "iam:PassedToService"
-      values   = distinct(["ec2.${local.dns_suffix}", "ec2.amazonaws.com"])
+      values   = distinct([local.ec2_sp_name, "ec2.amazonaws.com"])
     }
   }
 

diff --git a/outputs.tf b/outputs.tf
@@ -1,7 +1,3 @@
-locals {
-
-}
-
 ################################################################################
 # Cluster
 ################################################################################