feat: upgrade to 0.36

README.md

@@ -101,10 +101,8 @@ No modules.
 | [aws_cloudwatch_event_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.this_0_29_x](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.this_0_29_x](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_sqs_queue.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
 | [aws_sqs_queue_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource |
@@ -126,7 +124,6 @@ No modules.
 | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
 | [aws_iam_policy_document.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.this_0_29_x](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this_irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -173,7 +170,7 @@ No modules.
 | <a name="input_crds_argo_sync_policy"></a> [crds\_argo\_sync\_policy](#input\_crds\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter | `any` | `{}` | no |
 | <a name="input_crds_helm_atomic"></a> [crds\_helm\_atomic](#input\_crds\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no |
 | <a name="input_crds_helm_chart_name"></a> [crds\_helm\_chart\_name](#input\_crds\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"karpenter-crd"` | no |
-| <a name="input_crds_helm_chart_version"></a> [crds\_helm\_chart\_version](#input\_crds\_helm\_chart\_version) | Version of the Helm chart | `string` | `"v0.33.1"` | no |
+| <a name="input_crds_helm_chart_version"></a> [crds\_helm\_chart\_version](#input\_crds\_helm\_chart\_version) | Version of the Helm chart | `string` | `"0.36.1"` | no |
 | <a name="input_crds_helm_cleanup_on_fail"></a> [crds\_helm\_cleanup\_on\_fail](#input\_crds\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this helm upgrade when upgrade fails | `bool` | `false` | no |
 | <a name="input_crds_helm_dependency_update"></a> [crds\_helm\_dependency\_update](#input\_crds\_helm\_dependency\_update) | Runs helm dependency update before installing the chart | `bool` | `false` | no |
 | <a name="input_crds_helm_description"></a> [crds\_helm\_description](#input\_crds\_helm\_description) | Set helm release description attribute (visible in the history) | `string` | `""` | no |
@@ -198,11 +195,10 @@ No modules.
 | <a name="input_crds_helm_wait_for_jobs"></a> [crds\_helm\_wait\_for\_jobs](#input\_crds\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no |
 | <a name="input_crds_settings"></a> [crds\_settings](#input\_crds\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://github.com/aws/karpenter/tree/main/charts/karpenter-crd | `map(any)` | `{}` | no |
 | <a name="input_crds_values"></a> [crds\_values](#input\_crds\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/aws/karpenter/tree/main/charts/karpenter-crd | `string` | `""` | no |
-| <a name="input_enable_0_29_x_support"></a> [enable\_0\_29\_x\_support](#input\_enable\_0\_29\_x\_support) | Whether to enable 0.29.x support | `bool` | `false` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no |
 | <a name="input_helm_atomic"></a> [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no |
 | <a name="input_helm_chart_name"></a> [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"karpenter"` | no |
-| <a name="input_helm_chart_version"></a> [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `"v0.32.5"` | no |
+| <a name="input_helm_chart_version"></a> [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `"0.36.1"` | no |
 | <a name="input_helm_cleanup_on_fail"></a> [helm\_cleanup\_on\_fail](#input\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this helm upgrade when upgrade fails | `bool` | `false` | no |
 | <a name="input_helm_create_namespace"></a> [helm\_create\_namespace](#input\_helm\_create\_namespace) | Create the namespace if it does not yet exist | `bool` | `true` | no |
 | <a name="input_helm_dependency_update"></a> [helm\_dependency\_update](#input\_helm\_dependency\_update) | Runs helm dependency update before installing the chart | `bool` | `false` | no |

iam.tf

@@ -15,18 +15,16 @@ data "aws_iam_policy_document" "this" {
   #checkov:skip=CKV_AWS_356: Describe need to be allowed on all resources
   count = local.irsa_role_create && var.irsa_policy_enabled && !var.irsa_assume_role_enabled ? 1 : 0
 
-  # Aligned with https://github.com/aws/karpenter-provider-aws/blob/v0.32.4/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml
+  # Aligned with https://github.com/aws/karpenter-provider-aws/blob/v0.36.1/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
   statement {
-    sid    = "AllowScopedEC2InstanceActions"
+    sid    = "AllowScopedEC2InstanceAccessActions"
     effect = "Allow"
 
     resources = [
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}::image/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}::snapshot/*",
-      "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:spot-instances-request/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:security-group/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:subnet/*",
-      "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:launch-template/*",
     ]
 
     actions = [
@@ -35,6 +33,29 @@ data "aws_iam_policy_document" "this" {
     ]
   }
 
+  statement {
+    sid       = "AllowScopedEC2LaunchTemplateAccessActions"
+    effect    = "Allow"
+    resources = ["arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:launch-template/*"]
+
+    actions = [
+      "ec2:RunInstances",
+      "ec2:CreateFleet",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/kubernetes.io/cluster/${var.cluster_name}"
+      values   = ["owned"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:ResourceTag/karpenter.sh/nodepool"
+      values   = ["*"]
+    }
+  }
+
   statement {
     sid    = "AllowScopedEC2InstanceActionsWithTags"
     effect = "Allow"
@@ -45,6 +66,7 @@ data "aws_iam_policy_document" "this" {
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:volume/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:network-interface/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:launch-template/*",
+      "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:spot-instances-request/*",
     ]
 
     actions = [
@@ -74,9 +96,9 @@ data "aws_iam_policy_document" "this" {
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:fleet/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:instance/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:volume/*",
-      "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:spot-instances-request/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:network-interface/*",
       "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:launch-template/*",
+      "arn:${var.aws_partition}:ec2:${data.aws_region.this[0].name}:*:spot-instances-request/*",
     ]
 
     actions = ["ec2:CreateTags"]
@@ -206,7 +228,6 @@ data "aws_iam_policy_document" "this" {
 
     actions = [
       "sqs:DeleteMessage",
-      "sqs:GetQueueAttributes",
       "sqs:GetQueueUrl",
       "sqs:ReceiveMessage",
     ]

values.tf

@@ -1,11 +1,9 @@
 locals {
   values_default = yamlencode({
     settings = {
-      aws = {
-        clusterEndpoint       = one(data.aws_eks_cluster.this[*].endpoint)
-        clusterName           = var.cluster_name
-        interruptionQueueName = one(aws_sqs_queue.this[*].name)
-      }
+      clusterEndpoint   = one(data.aws_eks_cluster.this[*].endpoint)
+      clusterName       = var.cluster_name
+      interruptionQueue = one(aws_sqs_queue.this[*].name)
     }
     serviceAccount = {
       create = var.service_account_create

variables-crds.tf

@@ -8,7 +8,7 @@ variable "crds_helm_chart_name" {
 
 variable "crds_helm_chart_version" {
   type        = string
-  default     = "v0.33.1"
+  default     = "0.36.1"
   description = "Version of the Helm chart"
 }
 

variables.tf

@@ -41,7 +41,7 @@ variable "helm_chart_name" {
 
 variable "helm_chart_version" {
   type        = string
-  default     = "v0.32.5"
+  default     = "0.36.1"
   description = "Version of the Helm chart"
 }