feat: Add Karpenter new NTH IAM policies (aws-ia#1145)

Co-authored-by: andrewhibbert <a.hibbert@elsevier.com> Co-authored-by: Apoorva Kulkarni <kuapoorv@amazon.com> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com> Resolves undefined
allamand · Jan 10, 2023 · 91fd936 · 91fd936
1 parent db3e6c2
commit 91fd936
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 7 deletions.
diff --git a/modules/kubernetes-addons/README.md b/modules/kubernetes-addons/README.md
@@ -270,6 +270,7 @@
 | <a name="input_karpenter_helm_config"></a> [karpenter\_helm\_config](#input\_karpenter\_helm\_config) | Karpenter autoscaler add-on config | `any` | `{}` | no |
 | <a name="input_karpenter_irsa_policies"></a> [karpenter\_irsa\_policies](#input\_karpenter\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
 | <a name="input_karpenter_node_iam_instance_profile"></a> [karpenter\_node\_iam\_instance\_profile](#input\_karpenter\_node\_iam\_instance\_profile) | Karpenter Node IAM Instance profile id | `string` | `""` | no |
+| <a name="input_karpenter_sqs_queue_arn"></a> [karpenter\_sqs\_queue\_arn](#input\_karpenter\_sqs\_queue\_arn) | (Optional) ARN of SQS used by Karpenter when native node termination handling is enabled | `string` | `""` | no |
 | <a name="input_keda_helm_config"></a> [keda\_helm\_config](#input\_keda\_helm\_config) | KEDA Event-based autoscaler add-on config | `any` | `{}` | no |
 | <a name="input_keda_irsa_policies"></a> [keda\_irsa\_policies](#input\_keda\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
 | <a name="input_kube_prometheus_stack_helm_config"></a> [kube\_prometheus\_stack\_helm\_config](#input\_kube\_prometheus\_stack\_helm\_config) | Community kube-prometheus-stack Helm Chart config | `any` | `{}` | no |

diff --git a/modules/kubernetes-addons/karpenter/README.md b/modules/kubernetes-addons/karpenter/README.md
@@ -40,6 +40,7 @@ For more details checkout [Karpenter](https://karpenter.sh/docs/getting-started/
 | <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
 | <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
 | <a name="input_node_iam_instance_profile"></a> [node\_iam\_instance\_profile](#input\_node\_iam\_instance\_profile) | Karpenter Node IAM Instance profile id | `string` | `""` | no |
+| <a name="input_sqs_queue_arn"></a> [sqs\_queue\_arn](#input\_sqs\_queue\_arn) | (Optional) ARN of SQS used by Karpenter when native node termination handling is enabled | `string` | `""` | no |
 
 ## Outputs
 

diff --git a/modules/kubernetes-addons/karpenter/data.tf b/modules/kubernetes-addons/karpenter/data.tf
@@ -37,4 +37,18 @@ data "aws_iam_policy_document" "karpenter" {
       values   = ["*karpenter*"]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.sqs_queue_arn != "" ? [1] : []
+
+    content {
+      actions = [
+        "sqs:DeleteMessage",
+        "sqs:GetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:ReceiveMessage",
+      ]
+      resources = [var.sqs_queue_arn]
+    }
+  }
 }
diff --git a/modules/kubernetes-addons/karpenter/locals.tf b/modules/kubernetes-addons/karpenter/locals.tf
@@ -17,14 +17,16 @@ locals {
       name       = local.name
       chart      = local.name
       repository = "oci://public.ecr.aws/karpenter"
-      version    = "v0.18.1"
+      version    = "v0.19.3"
       namespace  = local.name
       values = [
         <<-EOT
-          clusterName: ${var.addon_context.eks_cluster_id}
-          clusterEndpoint: ${var.addon_context.aws_eks_cluster_endpoint}
-          aws:
-            defaultInstanceProfile: ${var.node_iam_instance_profile}
+          settings:
+            aws:
+              clusterName: ${var.addon_context.eks_cluster_id}
+              clusterEndpoint: ${var.addon_context.aws_eks_cluster_endpoint}
+              defaultInstanceProfile: ${var.node_iam_instance_profile}
+              interruptionQueueName: ${var.sqs_queue_arn}
         EOT
       ]
       description = "karpenter Helm Chart for Node Autoscaling"

diff --git a/modules/kubernetes-addons/karpenter/variables.tf b/modules/kubernetes-addons/karpenter/variables.tf
@@ -18,8 +18,14 @@ variable "manage_via_gitops" {
 
 variable "node_iam_instance_profile" {
   description = "Karpenter Node IAM Instance profile id"
+  type        = string
   default     = ""
+}
+
+variable "sqs_queue_arn" {
+  description = "(Optional) ARN of SQS used by Karpenter when native node termination handling is enabled"
   type        = string
+  default     = ""
 }
 
 variable "addon_context" {

diff --git a/modules/kubernetes-addons/main.tf b/modules/kubernetes-addons/main.tf
@@ -313,11 +313,14 @@ module "ingress_nginx" {
 }
 
 module "karpenter" {
-  count                     = var.enable_karpenter ? 1 : 0
-  source                    = "./karpenter"
+  source = "./karpenter"
+
+  count = var.enable_karpenter ? 1 : 0
+
   helm_config               = var.karpenter_helm_config
   irsa_policies             = var.karpenter_irsa_policies
   node_iam_instance_profile = var.karpenter_node_iam_instance_profile
+  sqs_queue_arn             = var.karpenter_sqs_queue_arn
   manage_via_gitops         = var.argocd_manage_add_ons
   addon_context             = local.addon_context
 }

diff --git a/modules/kubernetes-addons/variables.tf b/modules/kubernetes-addons/variables.tf
@@ -867,6 +867,12 @@ variable "karpenter_node_iam_instance_profile" {
   default     = ""
 }
 
+variable "karpenter_sqs_queue_arn" {
+  description = "(Optional) ARN of SQS used by Karpenter when native node termination handling is enabled"
+  type        = string
+  default     = ""
+}
+
 #-----------KEDA ADDON-------------
 variable "enable_keda" {
   description = "Enable KEDA Event-based autoscaler add-on"