#terraform-aws-modules (2024-07)

Terraform Modules

Discussions related to https://github.com/terraform-aws-modules

Archive: https://archive.sweetops.com/terraform-aws-modules/

2024-07-01

Marat Bakeev

Hey everyone, we’ve hit a weird issue while updating the eks/karpenter component from 1.416 to 1.468. It seems the new version of the component wants to create an IAM policy for both legacy v1alpha and new v1 entities.

And the resulting policy is larger than the limit… And there’s no way to disable the old policy (except by creating an overrides file, which we did).

  Error: creating IAM Policy (nsp-core-apse2-auto-karpenter-karpenter@kube-system): operation error IAM: CreatePolicy, https response error StatusCode: 409, RequestID: 714c38d8-30e6-4019-8ffc-071c236443a6, LimitExceeded: Cannot exceed quota for PolicySize: 6144

Erik Osterman (Cloud Posse)

@Jeremy G (Cloud Posse)

Jeremy G (Cloud Posse)

@Marat Bakeev Sorry, that’s a known issue that we have fixed but have not yet cleaned up for publication. I had hoped to have it published by now, but more urgent issues required my attention.

For now, you can modify main.tf, commenting out the local.controller_policy_v1alpha_json from the iam_source_policy_documents list. Or you can wait for the fix, which should be published in the next day or two.

As mentioned in the comments, the reason we include the v1alpha policy is so that, when upgrading from v1alpha to v1beta, the controller can clean up v1alpha resources. It is not relevant if you are not upgrading, and I think the old policy was insufficient anyway, so it should not be a big deal to comment it out. If you are upgrading, then just check the Karpenter controller logs for errors trying to delete things like instance profiles and delete them manually.

  iam_source_policy_documents = [local.controller_policy_v1alpha_json, local.controller_policy_json]
Marat Bakeev

Got it, no worries. Thanks

Jeremy G (Cloud Posse)

@Marat Bakeev This has been fixed in Components v1.470.0.


2024-07-03

2024-07-08

2024-07-22
