From 5ad496bebb49c4a0f3d07b52074a8adfa1134218 Mon Sep 17 00:00:00 2001
From: Arvid Mildner
Date: Wed, 26 Oct 2022 19:14:27 +0200
Subject: [PATCH] fix: Insufficient permissions for karpenter policy when not using karpenter discovery tags on security group (#294)

Co-authored-by: Arvid Mildner
Co-authored-by: Bryant Biggs
---
 modules/iam-role-for-service-accounts-eks/policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/iam-role-for-service-accounts-eks/policies.tf b/modules/iam-role-for-service-accounts-eks/policies.tf
index 92c5fd8a..72b12e93 100644
--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -547,7 +547,6 @@ data "aws_iam_policy_document" "karpenter_controller" {
 actions = ["ec2:RunInstances"]
 resources = [
 "arn:${local.partition}:ec2:*:${local.account_id}:launch-template/*",
- "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*",
 ]

 condition {
@@ -563,6 +562,7 @@ data "aws_iam_policy_document" "karpenter_controller" {
 "arn:${local.partition}:ec2:*::image/*",
 "arn:${local.partition}:ec2:*:${local.account_id}:instance/*",
 "arn:${local.partition}:ec2:*:${local.account_id}:spot-instances-request/*",
+ "arn:${local.partition}:ec2:*:${local.account_id}:security-group/*",
 "arn:${local.partition}:ec2:*:${local.account_id}:volume/*",
 "arn:${local.partition}:ec2:*:${local.account_id}:network-interface/*",
 "arn:${local.partition}:ec2:*:${coalesce(var.karpenter_subnet_account_id, local.account_id)}:subnet/*",
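Review bot: Listing `security-group/*` in this statement grants `ec2:RunInstances` against every security group in the account, whereas the statement it was moved out of in the first hunk appears to gate its resources with a `condition` block (its body is outside the hunk, but the commit title indicates it is the karpenter discovery-tag condition), so deployments that do tag their security groups lose that scoping and this is a least-privilege regression for them. Consider making the wider grant opt-in, for example a boolean module variable that decides whether `security-group/*` is emitted in this unconditioned statement or kept in the tag-conditioned one, so only setups without discovery tags on security groups receive it. At minimum the trade-off should be recorded next to the new line, e.g. `# Security groups are intentionally not scoped by the discovery tag: not all deployments tag them (see #294)`. The `resources` list and the enclosing `statement` continue beyond the end of the hunk.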