From 5ba1ed33d62cb7f8b634d9b849519d5730731cc8 Mon Sep 17 00:00:00 2001
From: Antoine Labarussias
Date: Wed, 6 May 2026 23:41:02 +0200
Subject: [PATCH] fix: Update karpenter zonal-shift policy (#3693)
fix: update karpenter zonal-shift policy
---
 modules/karpenter/policy.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
index 6fc8421..e3a10e5 100644
--- a/modules/karpenter/policy.tf
+++ b/modules/karpenter/policy.tf
@@ -217,8 +217,13 @@ data "aws_iam_policy_document" "controller" {
 statement {
 sid = "AllowZonalShiftReadActions"
- resources = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${var.cluster_name}"]
+ resources = ["*"]
 actions = ["arc-zonal-shift:GetManagedResource"]
+ condition {
+ test = "StringEquals"
+ variable = "arc-zonal-shift:ResourceIdentifier"
+ values = ["arn:${local.partition}:eks:${local.region}:${local.account_id}:cluster/${var.cluster_name}"]
+ }
 }
 dynamic "statement" {
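Review bot: The new `resources = ["*"]` line in the `AllowZonalShiftReadActions` statement has no comment explaining the wildcard, yet the `arc-zonal-shift:ResourceIdentifier` condition is now the only thing pinning `arc-zonal-shift:GetManagedResource` to this cluster. I would add above it `# Wildcard resource on purpose: the cluster is pinned by the arc-zonal-shift:ResourceIdentifier condition below; keep the two together.` Wildcard-resource linters are likely to flag the statement, and without that context a later edit that drops or loosens the condition would extend the read to every managed resource in the account. Since `StringEquals` does not match when the key is absent from the request, the statement should fail closed, but it is worth confirming with the IAM policy simulator or a test call that the key is actually populated for this action. The enclosing `data "aws_iam_policy_document" "controller"` block starts before the hunk and continues after it.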