From bd3fe10f190f182dd8d2c08f5a4f986deed0646e Mon Sep 17 00:00:00 2001 From: Fred Myerscough Date: Tue, 7 Oct 2025 11:23:57 +0100 Subject: [PATCH 1/5] fix: removed use of dns_suffix use the service prinipal name in policies Signed-off-by: Fred Myerscough --- modules/karpenter/main.tf | 7 +++++-- modules/karpenter/policy.tf | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf index 227a2f6aac..83b21805e3 100644 --- a/modules/karpenter/main.tf +++ b/modules/karpenter/main.tf @@ -12,7 +12,6 @@ data "aws_caller_identity" "current" { locals { account_id = try(data.aws_caller_identity.current[0].account_id, "") - dns_suffix = try(data.aws_partition.current[0].dns_suffix, "") partition = try(data.aws_partition.current[0].partition, "") region = try(data.aws_region.current[0].region, "") } @@ -25,6 +24,10 @@ locals { create_iam_role = var.create && var.create_iam_role } +data "aws_service_principal" "ec2" { + service_name = "ec2" +} + data "aws_iam_policy_document" "controller_assume_role" { count = local.create_iam_role ? 1 : 0 @@ -271,7 +274,7 @@ data "aws_iam_policy_document" "node_assume_role" { principals { type = "Service" - identifiers = ["ec2.${local.dns_suffix}"] + identifiers = [aws_service_principal.ec2.name] } } } diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf index 1b3df556ea..53d52f787a 100644 --- a/modules/karpenter/policy.tf +++ b/modules/karpenter/policy.tf @@ -234,7 +234,7 @@ data "aws_iam_policy_document" "controller" { condition { test = "StringEquals" variable = "iam:PassedToService" - values = distinct(["ec2.${local.dns_suffix}", "ec2.amazonaws.com"]) + values = [aws_service_principal.ec2.name] } } From 10ae57a15f43fb55a35b741b4bf27642e7adf831 Mon Sep 17 00:00:00 2001 From: Fred Myerscough Date: Tue, 7 Oct 2025 11:40:48 +0100 Subject: [PATCH 2/5] fix: added missing data. accessor 
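Review bot: The new `data "aws_service_principal" "ec2"` block in the second main.tf hunk introduces a data source that only exists in newer releases of the AWS provider, and nothing in this series touches the module's `required_providers` constraint. If the lower bound in `versions.tf` (not visible here) predates that data source, `terraform init` will fail for users on the old minimum, so the constraint should be raised in the same change and the bump called out as a breaking change. A one-line comment on the block would also help the next reader understand why it replaces `local.dns_suffix`, e.g. `# Resolve the EC2 service principal from the provider instead of building "ec2.${dns_suffix}" from the partition`.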
Signed-off-by: Fred Myerscough --- modules/karpenter/main.tf | 2 +- modules/karpenter/policy.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf index 83b21805e3..4dfea5a854 100644 --- a/modules/karpenter/main.tf +++ b/modules/karpenter/main.tf @@ -274,7 +274,7 @@ data "aws_iam_policy_document" "node_assume_role" { principals { type = "Service" - identifiers = [aws_service_principal.ec2.name] + identifiers = [data.aws_service_principal.ec2.name] } } } diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf index 53d52f787a..3f2b2f38ec 100644 --- a/modules/karpenter/policy.tf +++ b/modules/karpenter/policy.tf @@ -234,7 +234,7 @@ data "aws_iam_policy_document" "controller" { condition { test = "StringEquals" variable = "iam:PassedToService" - values = [aws_service_principal.ec2.name] + values = [data.aws_service_principal.ec2.name] } } From 57323d382a611515bd6d693cfc1937ed3019ad68 Mon Sep 17 00:00:00 2001 From: Fred Myerscough Date: Tue, 7 Oct 2025 16:16:24 +0100 Subject: [PATCH 3/5] refactor: updates to address pr comments Signed-off-by: Fred Myerscough --- modules/karpenter/main.tf | 13 ++++++++----- modules/karpenter/policy.tf | 2 +- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf index 4dfea5a854..25aa6b2da9 100644 --- a/modules/karpenter/main.tf +++ b/modules/karpenter/main.tf @@ -10,8 +10,15 @@ data "aws_caller_identity" "current" { count = var.create ? 1 : 0 } +data "aws_service_principal" "ec2" { + count = var.create ? 1 : 0 + service_name = "ec2" +} + locals { account_id = try(data.aws_caller_identity.current[0].account_id, "") + dns_suffix = try(data.aws_partition.current[0].dns_suffix, "") + ec2_service_principal_name = try(data.aws_service_principal.ec2[0].name, "") partition = try(data.aws_partition.current[0].partition, "") region = try(data.aws_region.current[0].region, "") } 
@@ -24,10 +31,6 @@ locals { create_iam_role = var.create && var.create_iam_role } -data "aws_service_principal" "ec2" { - service_name = "ec2" -} - data "aws_iam_policy_document" "controller_assume_role" { count = local.create_iam_role ? 1 : 0 @@ -274,7 +277,7 @@ data "aws_iam_policy_document" "node_assume_role" { principals { type = "Service" - identifiers = [data.aws_service_principal.ec2.name] + identifiers = [local.ec2_service_principal_name] } } } diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf index 3f2b2f38ec..5a22af8d72 100644 --- a/modules/karpenter/policy.tf +++ b/modules/karpenter/policy.tf @@ -234,7 +234,7 @@ data "aws_iam_policy_document" "controller" { condition { test = "StringEquals" variable = "iam:PassedToService" - values = [data.aws_service_principal.ec2.name] + values = [local.ec2_service_principal_name] } } From 3df53ace765dc3ecbdd7323c9ab8318ca2d57b23 Mon Sep 17 00:00:00 2001 From: Fred Myerscough Date: Tue, 7 Oct 2025 16:17:53 +0100 Subject: [PATCH 4/5] refactor: updates to address pr comments Signed-off-by: Fred Myerscough --- modules/karpenter/policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf index 5a22af8d72..1509e89a63 100644 --- a/modules/karpenter/policy.tf +++ b/modules/karpenter/policy.tf @@ -234,7 +234,7 @@ data "aws_iam_policy_document" "controller" { condition { test = "StringEquals" variable = "iam:PassedToService" - values = [local.ec2_service_principal_name] + values = distinct([local.ec2_service_principal_name, "ec2.amazonaws.com"]) } } From 2e555b0f6d53a9dca2e07c8ffbd0ba890aa4fcdc Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 20 Oct 2025 15:29:33 -0500 Subject: [PATCH 5/5] fix: Remove unused local var, run pre-commit --- modules/karpenter/README.md | 1 + modules/karpenter/main.tf | 14 ++++++++------ modules/karpenter/policy.tf | 2 +- outputs.tf | 4 ---- 4 files changed, 10 insertions(+), 11 deletions(-) 
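Review bot: The restored `distinct([local.ec2_service_principal_name, "ec2.amazonaws.com"])` in the policy.tf hunk of PATCH 4 carries no comment explaining why the hard-coded commercial principal is kept next to the partition-aware one, and the first patch of this series removed it precisely because that was not obvious. A why-comment above `values` would stop the next cleanup from dropping it again, e.g. `# Keep ec2.amazonaws.com alongside the resolved principal; presumably iam:PassedToService can still report the commercial name in some partitions - confirm and document which`. From a least-privilege standpoint the widening is bounded, since `StringEquals` over a list is an OR over exactly these two EC2 principals, so the concern is maintainability rather than scope. The enclosing `data "aws_iam_policy_document" "controller"` starts and ends outside the hunk.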
diff --git a/modules/karpenter/README.md b/modules/karpenter/README.md index e31bb3073d..ad8dfcd979 100644 --- a/modules/karpenter/README.md +++ b/modules/karpenter/README.md @@ -123,6 +123,7 @@ No modules. | [aws_iam_policy_document.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_service_principal.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source | ## Inputs diff --git a/modules/karpenter/main.tf b/modules/karpenter/main.tf index 0b1dc7525b..4d3cc08ed1 100644 --- a/modules/karpenter/main.tf +++ b/modules/karpenter/main.tf @@ -3,24 +3,26 @@ data "aws_region" "current" { region = var.region } + data "aws_partition" "current" { count = var.create ? 1 : 0 } + data "aws_caller_identity" "current" { count = var.create ? 1 : 0 } data "aws_service_principal" "ec2" { count = var.create ? 1 : 0 + service_name = "ec2" } locals { - account_id = try(data.aws_caller_identity.current[0].account_id, "") - dns_suffix = try(data.aws_partition.current[0].dns_suffix, "") - ec2_service_principal_name = try(data.aws_service_principal.ec2[0].name, "") - partition = try(data.aws_partition.current[0].partition, "") - region = try(data.aws_region.current[0].region, "") + account_id = try(data.aws_caller_identity.current[0].account_id, "") + ec2_sp_name = try(data.aws_service_principal.ec2[0].name, "") + partition = try(data.aws_partition.current[0].partition, "") + region = try(data.aws_region.current[0].region, "") } ################################################################################ 
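Review bot: `data "aws_service_principal" "ec2"` in the main.tf hunk resolves against the provider's default region, while the `data "aws_region" "current"` block just above it is pinned with `region = var.region`; for consistency every regional data source in the module should be evaluated in the same region, so add `region = var.region` to the service-principal block as well, provided the pinned provider version accepts that argument on this data source. The `try(..., "")` fallback on the new `ec2_sp_name` local also means the resolved principal silently becomes the empty string whenever `var.create` is false; that is only safe if every consumer (`node_assume_role` and the controller policy's `iam:PassedToService` condition) is itself gated on `var.create`, since an empty `identifiers` entry would most likely surface as an apply-time malformed-policy error rather than at plan. A short comment on the local would make that dependency explicit, e.g. `# Empty when var.create is false; every consumer must be count-gated on var.create`.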
@@ -319,7 +321,7 @@ data "aws_iam_policy_document" "node_assume_role" { principals { type = "Service" - identifiers = [local.ec2_service_principal_name] + identifiers = [local.ec2_sp_name] } } } diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf index 1509e89a63..34937f36eb 100644 --- a/modules/karpenter/policy.tf +++ b/modules/karpenter/policy.tf @@ -234,7 +234,7 @@ data "aws_iam_policy_document" "controller" { condition { test = "StringEquals" variable = "iam:PassedToService" - values = distinct([local.ec2_service_principal_name, "ec2.amazonaws.com"]) + values = distinct([local.ec2_sp_name, "ec2.amazonaws.com"]) } } diff --git a/outputs.tf b/outputs.tf index 4663b83639..ce5756cef5 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,7 +1,3 @@ -locals { - -} - ################################################################################ # Cluster ################################################################################