From 83b68fda2b0ea818fc980ab847dd8255a2d18334 Mon Sep 17 00:00:00 2001
From: datty
Date: Thu, 17 Jul 2025 15:03:09 +0100
Subject: [PATCH] fix: Allow for both `amazonaws.com.cn` and `amazonaws.com` conditions in PassRole as required for AWS CN (#3422)

* Allow for both amazonaws.com.cn and amazonaws.com conditions as required for AWS CN

* Allow for both amazonaws.com.cn and amazonaws.com conditions as required for AWS CN - set in correct policy

---------

Co-authored-by: Oliver Smith
---
 modules/karpenter/policy.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/karpenter/policy.tf b/modules/karpenter/policy.tf
index 26c0b235..b9068d7b 100644
--- a/modules/karpenter/policy.tf
+++ b/modules/karpenter/policy.tf
@@ -585,7 +585,7 @@ data "aws_iam_policy_document" "v1" {
 condition {
 test = "StringEquals"
 variable = "iam:PassedToService"
- values = ["ec2.${local.dns_suffix}"]
+ values = distinct(["ec2.${local.dns_suffix}", "ec2.amazonaws.com"])
 }
 }
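Review bot: The literal `"ec2.amazonaws.com"` in the new `values` line is added for every partition, not only for AWS CN, and nothing in the file says why, so it reads like a leftover that a later cleanup could remove or a least-privilege review would flag. In any partition whose `local.dns_suffix` is not `amazonaws.com` this widens the `iam:PassedToService` condition by one service principal; it is still EC2, so the exposure looks small, but it should be recorded as intentional. I would add a comment above the line, for example `# AWS CN can report iam:PassedToService as ec2.amazonaws.com or ec2.amazonaws.com.cn (#3422); distinct() drops the duplicate in the standard partition`. The enclosing statement starts outside the hunk, so the actions and resources this condition guards are not visible here and should be checked when confirming the role scope is otherwise unchanged.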