terraform-aws-eks
Reduce IAM Policy Size
Is your request related to a problem? Please describe.
During the upgrade from v0.37.x to v.1.0.0, the IAM permissions required by karpenter changed, so the policy changed. By adding the parameter enable_v1_permissions = true, deploying the module throws the following error:
```text
Error: updating IAM Policy (arn:aws-us-gov:iam::043318617890:policy/KarpenterController-20240212160616829700000005): operation error IAM: CreatePolicyVersion, https response error StatusCode: 409, RequestID: 5488c390-778f-4495-b6e0-1145b1564ca4, LimitExceeded: Cannot exceed quota for PolicySize: 6144
```
I'm deploying the module in the us-gov-east-1 region, and the cluster name is "gov-east-1-data-engineering-cluster-1-31" (which can't be changed). I'm attaching the generated policy, which is 6269 characters long.
Describe the solution you'd like.
I think there are a few alternatives without compromising the permissions. We could reduce the SIDs; in total, they are 482 characters. Another option would be to split the policy into a couple of managed policies. The last option I can think of is to give the user the possibility to customise the policy by exposing the document as an output and deciding whether to create it. In this way, the user can instrument the module to not create the managed policy, but instead customise the document and create the policy themselves.
In my opinion, considering it is not possible to customise the policy, we could just reduce the SIDs. I would like to help with the implementation of the solution you pick :)
Describe alternatives you've considered.
In my environments, I set the parameter enable_v1_permissions = false and created the policy myself, reducing the SID sizes.
Additional context
Here is how I'm using the module:
```hcl
module "karpenter" {
  source  = "terraform-aws-modules/eks/aws//modules/karpenter"
  version = "20.26.0"

  cluster_name = module.eks.cluster_name

  enable_pod_identity = false
  enable_irsa         = true

  create_iam_role          = true
  iam_role_name            = "KarpenterController"
  iam_role_use_name_prefix = false
  irsa_oidc_provider_arn   = module.eks.oidc_provider_arn

  ami_id_ssm_parameter_arns       = ["arn:*:ssm:*:*:parameter/aws/service/*"]
  irsa_namespace_service_accounts = ["kube-system:karpenter"]

  create_instance_profile = false
  create_node_iam_role    = false
  create_access_entry     = false
  node_iam_role_arn       = local.workers_node_group_role_arn

  enable_v1_permissions   = false
  enable_spot_termination = true

  tags = var.tags
}
```
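As an added example (not code from this issue or from the module), a small Python check for the two remedies proposed above: it measures a policy document the way IAM meters it against the 6144-character quota, shortens statement IDs without touching permissions, and splits a document into several under-quota parts that can be attached as separate managed policies. The sample policy, its Sids and its resources are constructed for the example.

```python
import json

# IAM managed-policy document quota from the error above; IAM counts characters excluding whitespace.
MANAGED_POLICY_SIZE_QUOTA = 6144

# Constructed sample only; this is not the module's real Karpenter policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowScopedInstanceLaunchActionsForCluster", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateFleet"],
         "Resource": "arn:aws-us-gov:ec2:us-gov-east-1::image/*"},
        {"Sid": "AllowRegionalReadOnlyDescribeActions", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"],
         "Resource": "*"},
        {"Sid": "AllowReadingAmiIdSsmParameters", "Effect": "Allow",
         "Action": "ssm:GetParameter",
         "Resource": "arn:*:ssm:*:*:parameter/aws/service/*"},
    ],
}

def iam_policy_size(doc: dict) -> int:
    """Policy size the way IAM meters it: compact JSON with all whitespace removed."""
    compact = json.dumps(doc, separators=(",", ":"))
    return sum(1 for ch in compact if not ch.isspace())

def shorten_sids(doc: dict) -> dict:
    """Replace long statement IDs with short unique ones. Sids are labels only,
    so this changes nothing about what the policy allows or denies."""
    out = json.loads(json.dumps(doc))  # deep copy, leave the input untouched
    for i, stmt in enumerate(out["Statement"]):
        if "Sid" in stmt:
            stmt["Sid"] = f"S{i}"
    return out

def split_policy(doc: dict, quota: int = MANAGED_POLICY_SIZE_QUOTA) -> list:
    """Pack statements, in order, into as few documents as fit under the quota.
    Statements are copied unchanged; only their grouping into documents differs."""
    parts, current = [], []
    for stmt in doc["Statement"]:
        trial = {"Version": doc["Version"], "Statement": current + [stmt]}
        if iam_policy_size(trial) <= quota:
            current.append(stmt)
            continue
        if not current:  # a single statement that cannot fit in any document
            raise ValueError(f"statement {stmt.get('Sid')} alone exceeds the quota")
        parts.append({"Version": doc["Version"], "Statement": current})
        current = [stmt]
    parts.append({"Version": doc["Version"], "Statement": current})
    return parts
```

Each part returned by split_policy must be attached as its own managed policy, which counts against the role's separate quota for attached managed policies.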
These match the upstream policy.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.