feat: Allow using inline policy for Karpenter controller role to mitigate policy size LimitExceeded error (#3563)

alexissellier · bryantbiggs · web-flow · commit 0659a8d1cca0 · 2025-10-27T16:49:30.000-05:00
* feat: Allow using inline policy for controller role (#3512) Signed-off-by: Alexis Sellier <3765063+alexissellier@users.noreply.github.com> * run linter Signed-off-by: Alexis Sellier <3765063+alexissellier@users.noreply.github.com> * Update modules/karpenter/main.tf Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com> * Update modules/karpenter/variables.tf Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com> * Update modules/karpenter/variables.tf Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com> * change variable name Signed-off-by: Alexis Sellier <3765063+alexissellier@users.noreply.github.com> * rename variable Signed-off-by: Alexis Sellier <3765063+alexissellier@users.noreply.github.com> --------- Signed-off-by: Alexis Sellier <3765063+alexissellier@users.noreply.github.com> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md
@@ -110,6 +110,7 @@ No modules.
 | [aws_iam_policy.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.controller_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -139,6 +140,7 @@ No modules.
 | <a name="input_create_instance_profile"></a> [create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an IAM instance profile | `bool` | `false` | no |
 | <a name="input_create_node_iam_role"></a> [create\_node\_iam\_role](#input\_create\_node\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
 | <a name="input_create_pod_identity_association"></a> [create\_pod\_identity\_association](#input\_create\_pod\_identity\_association) | Determines whether to create pod identity association | `bool` | `true` | no |
+| <a name="input_enable_inline_policy"></a> [enable\_inline\_policy](#input\_enable\_inline\_policy) | Determines whether the controller policy is created as a standard IAM policy or inline IAM policy. This can be enabled when the error `LimitExceeded: Cannot exceed quota for PolicySize: 6144` is received since standard IAM policies have a limit of 6,144 characters versus an inline role policy's limit of 10,240 ([Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html)) | `bool` | `false` | no |
 | <a name="input_enable_spot_termination"></a> [enable\_spot\_termination](#input\_enable\_spot\_termination) | Determines whether to enable native spot termination handling | `bool` | `true` | no |
 | <a name="input_iam_policy_description"></a> [iam\_policy\_description](#input\_iam\_policy\_description) | IAM policy description | `string` | `"Karpenter controller IAM policy"` | no |
 | <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | Name of the IAM policy | `string` | `"KarpenterController"` | no |
diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf
@@ -70,8 +70,17 @@ resource "aws_iam_role" "controller" {
   tags = merge(var.tags, var.iam_role_tags)
 }
 
+resource "aws_iam_role_policy" "controller" {
+  count = local.create_iam_role && var.enable_inline_policy ? 1 : 0
+
+  name        = var.iam_policy_use_name_prefix ? null : var.iam_policy_name
+  name_prefix = var.iam_policy_use_name_prefix ? "${var.iam_policy_name}-" : null
+  role        = aws_iam_role.controller[0].name
+  policy      = data.aws_iam_policy_document.controller[0].json
+}
+
 resource "aws_iam_policy" "controller" {
-  count = local.create_iam_role ? 1 : 0
+  count = local.create_iam_role && !var.enable_inline_policy ? 1 : 0
 
   name        = var.iam_policy_use_name_prefix ? null : var.iam_policy_name
   name_prefix = var.iam_policy_use_name_prefix ? "${var.iam_policy_name}-" : null
@@ -83,7 +92,7 @@ resource "aws_iam_policy" "controller" {
 }
 
 resource "aws_iam_role_policy_attachment" "controller" {
-  count = local.create_iam_role ? 1 : 0
+  count = local.create_iam_role && !var.enable_inline_policy ? 1 : 0
 
   role       = aws_iam_role.controller[0].name
   policy_arn = aws_iam_policy.controller[0].arn
diff --git a/modules/karpenter/variables.tf b/modules/karpenter/variables.tf
@@ -32,6 +32,12 @@ variable "create_iam_role" {
   default     = true
 }
 
+variable "enable_inline_policy" {
+  description = "Determines whether the controller policy is created as a standard IAM policy or inline IAM policy. This can be enabled when the error `LimitExceeded: Cannot exceed quota for PolicySize: 6144` is received since standard IAM policies have a limit of 6,144 characters versus an inline role policy's limit of 10,240 ([Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html))"
+  type        = bool
+  default     = false
+}
+
 variable "iam_role_name" {
   description = "Name of the IAM role"
   type        = string
