Node Policies
Configure Karpenter node provisioning policies with Terraform.
devzero_node_policy configures Karpenter NodePool and NodeClass resources for node provisioning. devzero_node_policy_target attaches a node policy to one or more clusters.
Node policies manage Karpenter NodePool and NodeClass resources. Ensure Karpenter is installed on your target clusters before attaching node policies.
resource "devzero_node_policy" "minimal" {
  name            = "minimal-policy"
  node_pool_name  = "default-pool"
  node_class_name = "default-class"
}
resource "devzero_node_policy" "aws" {
  name            = "aws-production"
  description     = "Production-ready AWS node policy"
  node_pool_name  = "production-pool"
  node_class_name = "production-class"
  weight          = 15

  instance_categories = {
    match_expressions = [{
      key      = "instanceCategories"
      operator = "In"
      values   = ["c", "m", "r"]
    }]
  }

  instance_generations = {
    match_expressions = [{
      key      = "instanceGenerations"
      operator = "Gt"
      values   = ["5"]
    }]
  }

  architectures = {
    match_expressions = [{
      key      = "architectures"
      operator = "In"
      values   = ["amd64"]
    }]
  }

  capacity_types = {
    match_expressions = [{
      key      = "capacityTypes"
      operator = "In"
      values   = ["spot", "on-demand"]
    }]
  }

  operating_systems = {
    match_expressions = [{
      key      = "operatingSystems"
      operator = "In"
      values   = ["linux"]
    }]
  }

  labels = {
    "workload-type" = "general"
    "managed-by"    = "karpenter"
  }

  limits = {
    cpu    = "1000"
    memory = "1000Gi"
  }

  disruption = {
    consolidation_policy = "WhenEmptyOrUnderutilized"
    consolidate_after    = "15m"
    expire_after         = "720h"
    budgets = [
      {
        reasons = ["Underutilized", "Empty"]
        nodes   = "10%"
      }
    ]
  }

  aws = {
    role             = "KarpenterNodeRole-production"
    instance_profile = "KarpenterNodeInstanceProfile-production"
    ami_family       = "AL2023"
    ami_selector_terms = [
      { alias = "al2023@latest" }
    ]
    subnet_selector_terms = [
      {
        tags = {
          "karpenter.sh/discovery" = "production-cluster"
        }
      }
    ]
    security_group_selector_terms = [
      {
        tags = {
          "karpenter.sh/discovery" = "production-cluster"
        }
      }
    ]
    block_device_mappings = [
      {
        device_name = "/dev/xvda"
        ebs = {
          volume_size           = "100Gi"
          volume_type           = "gp3"
          encrypted             = true
          delete_on_termination = true
        }
      }
    ]
    metadata_options = {
      http_endpoint               = "enabled"
      http_protocol_ipv6          = "disabled"
      http_put_response_hop_limit = 2
      http_tokens                 = "required"
    }
    tags = {
      "Environment" = "production"
      "ManagedBy"   = "Karpenter"
    }
  }
}
resource "devzero_node_policy" "azure" {
  name            = "azure-production"
  node_pool_name  = "production-pool"
  node_class_name = "production-class"

  capacity_types = {
    match_expressions = [{
      key      = "capacityTypes"
      operator = "In"
      values   = ["spot", "on-demand"]
    }]
  }

  disruption = {
    consolidate_after    = "5m"
    consolidation_policy = "WhenEmptyOrUnderutilized"
    expire_after         = "168h"
  }

  azure = {
    vnet_subnet_id  = "/subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.Network/virtualNetworks/zzz/subnets/aaa"
    os_disk_size_gb = 128
    image_family    = "Ubuntu2204"
    fips_mode       = "Disabled"
    max_pods        = 110
  }
}
Parameters

Parameter | Type | Description
name | string | Human-friendly name for the policy

Parameter | Type | Description
description | string | Free-form description
weight | number | Priority weight; higher weights are preferred when multiple policies match (default: 10)
node_pool_name | string | Name for the Karpenter NodePool
node_class_name | string | Name for the Karpenter NodeClass
master_override_role_name | string | Master override role name for Karpenter
labels | map(string) | Kubernetes labels to apply to provisioned nodes
taints | list(object) | Kubernetes taints to apply (see Taints)
limits | object | Resource limits for the NodePool (see Limits)
disruption | object | Disruption/consolidation settings (see Disruption)
instance_categories | selector | Instance categories (e.g. c, m, r for AWS; D, E for Azure)
instance_families | selector | Instance families (e.g. c5, m5d)
instance_generations | selector | Instance generations
instance_sizes | selector | Instance sizes (e.g. large, xlarge)
instance_cpus | selector | Instance CPU count (e.g. 4, 8, 16)
instance_hypervisors | selector | Instance hypervisors
architectures | selector | CPU architectures (e.g. amd64, arm64)
capacity_types | selector | Capacity types (e.g. spot, on-demand)
operating_systems | selector | Operating systems (e.g. linux, windows)
zones | selector | Availability zones
raw | list(object) | Raw Karpenter NodePool and NodeClass YAML for advanced use cases (see Raw)
aws | object | AWS-specific NodeClass configuration (see AWS Block)
azure | object | Azure-specific NodeClass configuration (see Azure Block)

Attributes

Attribute | Type | Description
id | string | Unique identifier of the node policy
Selector Schema

All selector fields (instance_categories, architectures, capacity_types, operating_systems, zones, etc.) use the same selector schema:

Parameter | Type | Description
match_expressions | list(object) | List of label selector requirements
match_labels | map(string) | Map of label key-value pairs to match; each entry is equivalent to an In expression with a single value

Each match_expressions entry requires:

Parameter | Type | Description
key | string | Label key
operator | string | In, NotIn, Exists, DoesNotExist, Gt, or Lt. Gt/Lt apply to numeric selectors such as instance_generations and instance_cpus.
values | list(string) | Values for In/NotIn; a single numeric string for Gt/Lt (e.g. ["5"]). Omit for Exists/DoesNotExist, which test only whether the key is present.
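The selector rules above are easy to get wrong in HCL and only surface as an apply-time error from the provider or as a rejected NodePool from Karpenter. The following script is an added example (not part of this documentation or the provider's own code) that checks the selector blocks of a policy before apply: In/NotIn need values, Exists/DoesNotExist must not have any, Gt/Lt need exactly one integer string and are only accepted on the selectors the docs name as numeric (instance_generations, instance_cpus), and match_labels entries are flattened to their In equivalents. The policy dicts are constructed inputs that mirror the HCL structure of the examples on this page; the key strings such as "instanceCategories" are taken from those examples and are not interpreted.

```python
"""Validate devzero_node_policy selector blocks before terraform apply (added example)."""
from typing import Any

# Selector-typed fields from the parameter table on this page.
SELECTOR_FIELDS = (
    "instance_categories", "instance_families", "instance_generations",
    "instance_sizes", "instance_cpus", "instance_hypervisors",
    "architectures", "capacity_types", "operating_systems", "zones",
)
# Selectors the docs describe as numeric, so Gt/Lt make sense on them.
NUMERIC_SELECTORS = {"instance_generations", "instance_cpus"}
SET_OPERATORS = {"In", "NotIn"}
EXISTENCE_OPERATORS = {"Exists", "DoesNotExist"}
NUMERIC_OPERATORS = {"Gt", "Lt"}


def validate_expression(field: str, expr: dict[str, Any]) -> list[str]:
    """Return the problems with one match_expressions entry (empty list means valid)."""
    problems: list[str] = []
    op = expr.get("operator")
    values = expr.get("values") or []
    if not expr.get("key"):
        problems.append(f"{field}: key is required")
    if op in SET_OPERATORS:
        if not values:
            problems.append(f"{field}: {op} needs at least one value")
    elif op in EXISTENCE_OPERATORS:
        if values:
            problems.append(f"{field}: {op} must not carry values")
    elif op in NUMERIC_OPERATORS:
        if field not in NUMERIC_SELECTORS:
            problems.append(f"{field}: {op} only applies to numeric selectors")
        if len(values) != 1 or not str(values[0]).isdigit():
            problems.append(f'{field}: {op} needs exactly one integer string, e.g. ["5"]')
    else:
        problems.append(f"{field}: unknown operator {op!r}")
    return problems


def normalize_selector(field: str, selector: dict[str, Any]) -> tuple[list[dict[str, Any]], list[str]]:
    """Flatten one selector block into requirement dicts.

    match_labels {k: v} becomes {key: k, operator: In, values: [v]}; valid
    match_expressions pass through (values dropped for Exists/DoesNotExist).
    Returns (requirements, problems); invalid expressions are reported, not emitted.
    """
    requirements: list[dict[str, Any]] = []
    problems: list[str] = []
    for key, value in (selector.get("match_labels") or {}).items():
        requirements.append({"key": key, "operator": "In", "values": [value]})
    for expr in selector.get("match_expressions") or []:
        found = validate_expression(field, expr)
        problems.extend(found)
        if found:
            continue
        req: dict[str, Any] = {"key": expr["key"], "operator": expr["operator"]}
        if expr["operator"] not in EXISTENCE_OPERATORS:
            req["values"] = list(expr["values"])
        requirements.append(req)
    return requirements, problems


def check_policy_selectors(policy: dict[str, Any]) -> list[str]:
    """Collect selector problems across every selector field of one policy."""
    problems: list[str] = []
    for field in SELECTOR_FIELDS:
        selector = policy.get(field)
        if selector:
            problems.extend(normalize_selector(field, selector)[1])
    return problems


# Constructed input: the selectors of the page's aws-production example plus a zones match_labels.
GOOD_POLICY = {
    "instance_categories": {"match_expressions": [{"key": "instanceCategories", "operator": "In", "values": ["c", "m", "r"]}]},
    "instance_generations": {"match_expressions": [{"key": "instanceGenerations", "operator": "Gt", "values": ["5"]}]},
    "capacity_types": {"match_expressions": [{"key": "capacityTypes", "operator": "In", "values": ["spot", "on-demand"]}]},
    "zones": {"match_labels": {"zones": "us-east-1a"}},
}
# Constructed input with one mistake per selector.
BAD_POLICY = {
    "capacity_types": {"match_expressions": [{"key": "capacityTypes", "operator": "Gt", "values": ["5"]}]},
    "instance_cpus": {"match_expressions": [{"key": "instanceCpus", "operator": "Gt", "values": ["4", "8"]}]},
    "architectures": {"match_expressions": [{"key": "architectures", "operator": "Exists", "values": ["amd64"]}]},
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy_selectors(policy) or "ok")
```

Feed it the selector part of a policy (for example from `terraform show -json` output, whose values mirror the HCL structure) and fail the pipeline on a non-empty result; the requirement list it returns is also a convenient form for diffing the intended constraints against what a NodePool in the cluster actually carries.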
Taints

Parameter | Type | Description
key | string | Taint key
value | string | Taint value
effect | string | NoSchedule, PreferNoSchedule, or NoExecute

Limits

Parameter | Type | Description
cpu | string | Maximum total CPU across all nodes (e.g. "1000")
memory | string | Maximum total memory across all nodes (e.g. "1000Gi")
Disruption

Parameter | Type | Description
consolidation_policy | string | WhenEmptyOrUnderutilized or WhenEmpty (default: WhenEmptyOrUnderutilized)
consolidate_after | string | Duration before consolidating idle nodes (default: "15m")
expire_after | string | Maximum node lifetime before replacement (default: "720h")
termination_grace_period_seconds | number | Grace period for node termination
ttl_seconds_after_empty | number | Seconds to wait before terminating empty nodes
budgets | list(object) | Disruption budgets (see Disruption Budgets)

Disruption Budgets

Parameter | Type | Description
nodes | string | Maximum nodes that can be disrupted at once: a percentage (e.g. "10%") or an absolute count (e.g. "2")
reasons | list(string) | Reasons that trigger this budget (e.g. "Underutilized", "Empty")
schedule | string | Cron schedule for when this budget applies; must be set together with duration
duration | string | How long the budget applies after each scheduled start (e.g. "1h30m")
AWS Block

Parameter | Type | Description
role | string | IAM role name
instance_profile | string | IAM instance profile
ami_family | string | AMI family (e.g. AL2023, Bottlerocket, Ubuntu)
ami_selector_terms | list(object) | AMI selector terms (alias, id, name, owner, tags)
subnet_selector_terms | list(object) | Subnet selection by id or tags
security_group_selector_terms | list(object) | Security group selection by id, name, or tags
block_device_mappings | list(object) | EBS volume configuration (see Block Device Mappings)
tags | map(string) | AWS tags to apply to instances
user_data | string | User data script for instance initialization
instance_store_policy | string | Policy for instance store volumes. Valid value: RAID0
detailed_monitoring | bool | Enable detailed CloudWatch monitoring
associate_public_ip_address | bool | Associate a public IP address with instances
metadata_options | object | EC2 instance metadata service configuration (see Metadata Options)

Metadata Options

When metadata_options is omitted, the defaults below are applied, which enforce IMDSv2 (http_tokens = required). Note that a hop limit of 2 still lets a pod running in its own network namespace reach the node's instance metadata, and with it the node role's credentials; set http_put_response_hop_limit = 1 (Karpenter's own EC2NodeClass default) to confine IMDS responses to the node itself when workloads obtain AWS credentials through IRSA or Pod Identity instead.

Parameter | Type | Description
http_endpoint | string | Enable/disable the HTTP metadata endpoint: enabled or disabled (default: enabled)
http_protocol_ipv6 | string | Enable/disable the IPv6 metadata endpoint: enabled or disabled (default: disabled)
http_put_response_hop_limit | number | HTTP PUT response hop limit (default: 2)
http_tokens | string | Require session tokens (IMDSv2): required or optional (default: required)
Block Device Mappings

Parameter | Type | Description
device_name | string | Device name (e.g. /dev/xvda)
ebs | object | EBS volume configuration

EBS configuration:

Parameter | Type | Description
volume_size | string | Volume size (e.g. "100Gi")
volume_type | string | Volume type: gp2, gp3, io1, io2, sc1, st1
encrypted | bool | Encrypt the volume
delete_on_termination | bool | Delete the volume on instance termination
iops | number | IOPS for io1/io2 volumes
throughput | number | Throughput in MiB/s for gp3 volumes
kms_key_id | string | KMS key ID for encryption
snapshot_id | string | Snapshot ID to create the volume from

Setting encrypted = true without kms_key_id encrypts the volume with the account's default EBS KMS key; supply kms_key_id to use a customer-managed key.
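Because the AWS block decides whether pods can reach node credentials and whether node disks are encrypted, it is worth gating on in CI rather than reviewing by eye. The script below is an added example (not part of this documentation or the provider's own code) that reads the JSON `terraform show -json plan.tfplan` produces, walks planned_values.root_module and its child_modules, and reports settings a security reviewer would push back on. The plan it runs on is a constructed sample with one hardened and one weak policy; the thresholds are this example's review policy, not provider behaviour: http_tokens must be required, the IMDS hop limit should be 1, nodes get no public IP, and every declared EBS volume is encrypted. Absent IMDS fields are read as the documented provider defaults.

```python
"""Flag risky AWS settings in planned devzero_node_policy resources (added example)."""
import json
from typing import Any, Iterator


def iter_resources(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a planned_values module tree, depth first."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_aws_block(address: str, aws: dict[str, Any]) -> list[str]:
    """Return review findings for one policy's aws block."""
    findings: list[str] = []
    imds = aws.get("metadata_options") or {}
    # Documented provider defaults apply when a field is absent (or unknown) in the plan.
    if (imds.get("http_tokens") or "required") != "required":
        findings.append(f"{address}: http_tokens is not 'required', so IMDSv1 (no session token) is reachable")
    hop_limit = int(imds.get("http_put_response_hop_limit") or 2)
    if hop_limit > 1:
        findings.append(
            f"{address}: http_put_response_hop_limit={hop_limit}; with 1 only processes in the node's "
            "network namespace get IMDS responses, so pods cannot use the node role's credentials"
        )
    if aws.get("associate_public_ip_address"):
        findings.append(f"{address}: associate_public_ip_address=true exposes nodes directly to the internet")
    for mapping in aws.get("block_device_mappings") or []:
        ebs = mapping.get("ebs") or {}
        if not ebs.get("encrypted"):
            findings.append(f"{address}: {mapping.get('device_name')} EBS volume is not encrypted")
    return findings


def check_plan(plan: dict[str, Any]) -> list[str]:
    """Run check_aws_block over every planned devzero_node_policy that has an aws block."""
    findings: list[str] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "devzero_node_policy":
            continue
        aws = (res.get("values") or {}).get("aws")
        if aws:
            findings.extend(check_aws_block(res["address"], aws))
    return findings


def findings_from_json(text: str) -> list[str]:
    """Parse `terraform show -json` output and return the findings."""
    return check_plan(json.loads(text))


# Constructed sample in the shape of `terraform show -json plan.tfplan` output.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "devzero_node_policy.hardened", "type": "devzero_node_policy",
         "values": {"name": "hardened", "aws": {
             "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required",
                                  "http_put_response_hop_limit": 1, "http_protocol_ipv6": "disabled"},
             "associate_public_ip_address": False,
             "block_device_mappings": [{"device_name": "/dev/xvda",
                                        "ebs": {"volume_size": "100Gi", "volume_type": "gp3", "encrypted": True}}]}}},
        {"address": "devzero_node_policy.weak", "type": "devzero_node_policy",
         "values": {"name": "weak", "aws": {
             "metadata_options": {"http_endpoint": "enabled", "http_tokens": "optional",
                                  "http_put_response_hop_limit": 2, "http_protocol_ipv6": "disabled"},
             "associate_public_ip_address": True,
             "block_device_mappings": [{"device_name": "/dev/xvda",
                                        "ebs": {"volume_size": "100Gi", "volume_type": "gp3", "encrypted": False}}]}}},
    ]}},
})

if __name__ == "__main__":
    import sys
    # Pipe a real plan in; with no stdin the constructed sample is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    for line in findings_from_json(text):
        print(line)
    sys.exit(1 if findings_from_json(text) else 0)
```

Wire it as `terraform plan -out plan.tfplan && terraform show -json plan.tfplan | python check_node_policy.py` (the file name is this example's); a non-zero exit blocks the apply. Fields the provider leaves unknown until apply are absent from the plan JSON, which is why the check falls back to the documented defaults rather than skipping the resource.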
Azure Block

Parameter | Type | Description
vnet_subnet_id | string | VNet subnet resource ID
os_disk_size_gb | number | OS disk size in GB
image_family | string | VM image family: Ubuntu, Ubuntu2204, Ubuntu2404, AzureLinux
fips_mode | string | FIPS 140-2 mode: FIPS or Disabled
max_pods | number | Maximum number of pods per node
tags | map(string) | Azure tags to apply to resources

Raw

Use raw to supply hand-crafted NodePool or NodeClass YAML for advanced Karpenter configurations.

Parameter | Type | Description
nodepool_yaml | string | Raw NodePool YAML
nodeclass_yaml | string | Raw NodeClass YAML

Import

terraform import devzero_node_policy.example <node_policy_id>
devzero_node_policy_target attaches a devzero_node_policy to one or more clusters.
resource "devzero_node_policy_target" "cluster_nodes" {
  name        = "cluster-nodes"
  description = "Apply standard node policy to production clusters"
  policy_id   = devzero_node_policy.aws.id
  cluster_ids = [devzero_cluster.production.id]
  enabled     = true
}

Parameters

Parameter | Type | Required | Description
name | string | Yes | Human-friendly name for the target
policy_id | string | Yes | ID of the devzero_node_policy to attach
cluster_ids | list(string) | Yes | List of cluster IDs to apply the policy to
description | string | No | Free-form description
enabled | bool | No | Whether the target is active (default: true)

Attributes

Attribute | Type | Description
id | string | Unique identifier of the node policy target

Import

terraform import devzero_node_policy_target.example <node_policy_target_id>