fix: only add ECR Public perms in aws partition (#8709)

fletcherw · web-flow · commit b86e8bdfba6c · 2026-04-09T15:22:55.000-07:00
ECR Public doesn't exist in all partitions, so filter it out when
creating clusters elsewhere.
diff --git a/pkg/cfn/builder/auto_mode.go b/pkg/cfn/builder/auto_mode.go
@@ -42,6 +42,9 @@ func AddAutoModeResources(clusterTemplate *gfn.Template, permissionsBoundary api
 		}
 		clusterTemplate.Resources[resourceName] = resource
 	}
+	for key, condition := range template.Conditions {
+		clusterTemplate.Conditions[key] = condition
+	}
 	for key, output := range template.Outputs {
 		clusterTemplate.Outputs[key] = output
 	}
diff --git a/pkg/cfn/builder/roles/auto-mode-node-role.yaml b/pkg/cfn/builder/roles/auto-mode-node-role.yaml
@@ -1,5 +1,7 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: 'Amazon EKS Karpenter NodeRole'
+Conditions:
+  IsAWSPartition: !Equals [!Ref "AWS::Partition", "aws"]
 Resources:
   AutoModeNodeRole:
     Type: AWS::IAM::Role
@@ -18,7 +20,7 @@ Resources:
               - sts:AssumeRole
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
-        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly"
+        - !If [IsAWSPartition, !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly", !Ref "AWS::NoValue"]
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
 
 Outputs:

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,9 @@ func AddAutoModeResources(clusterTemplate *gfn.Template, permissionsBoundary api`
`42`	`42`	`}`
`43`	`43`	`clusterTemplate.Resources[resourceName] = resource`
`44`	`44`	`}`
	`45`	`+ for key, condition := range template.Conditions {`
	`46`	`+ clusterTemplate.Conditions[key] = condition`
	`47`	`+ }`
`45`	`48`	`for key, output := range template.Outputs {`
`46`	`49`	`clusterTemplate.Outputs[key] = output`
`47`	`50`	`}`