feat: Use aws_service_principal data source for deriving IAM service prinicpals (#3539)

* fix: removed use of dns_suffix

use the service prinipal name in policies

Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk>

* fix: added missing data. accessor

Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk>

* refactor: updates to address pr comments

Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk>

* refactor: updates to address pr comments

Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk>

* fix: Remove unused local var, run pre-commit

---------

Signed-off-by: Fred Myerscough <myerscf@amazon.co.uk>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>

Author: myerscf

modules/karpenter/README.md

@@ -123,6 +123,7 @@ No modules.
 | [aws_iam_policy_document.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service_principal.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 

modules/karpenter/main.tf

@@ -3,18 +3,26 @@ data "aws_region" "current" {
 
   region = var.region
 }
+
 data "aws_partition" "current" {
   count = var.create ? 1 : 0
 }
+
 data "aws_caller_identity" "current" {
   count = var.create ? 1 : 0
 }
 
+data "aws_service_principal" "ec2" {
+  count = var.create ? 1 : 0
+
+  service_name = "ec2"
+}
+
 locals {
-  account_id = try(data.aws_caller_identity.current[0].account_id, "")
-  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "")
-  partition  = try(data.aws_partition.current[0].partition, "")
-  region     = try(data.aws_region.current[0].region, "")
+  account_id  = try(data.aws_caller_identity.current[0].account_id, "")
+  ec2_sp_name = try(data.aws_service_principal.ec2[0].name, "")
+  partition   = try(data.aws_partition.current[0].partition, "")
+  region      = try(data.aws_region.current[0].region, "")
 }
 
 ################################################################################
@@ -313,7 +321,7 @@ data "aws_iam_policy_document" "node_assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["ec2.${local.dns_suffix}"]
+      identifiers = [local.ec2_sp_name]
     }
   }
 }

modules/karpenter/policy.tf

@@ -234,7 +234,7 @@ data "aws_iam_policy_document" "controller" {
     condition {
       test     = "StringEquals"
       variable = "iam:PassedToService"
-      values   = distinct(["ec2.${local.dns_suffix}", "ec2.amazonaws.com"])
+      values   = distinct([local.ec2_sp_name, "ec2.amazonaws.com"])
     }
   }
 

outputs.tf

@@ -1,7 +1,3 @@
-locals {
-
-}
-
 ################################################################################
 # Cluster
 ################################################################################