
fix: Set IRSA service account in EKS Fargate pattern #2081

Open · wants to merge 2 commits into base: main
Conversation

devholic

@devholic devholic commented Mar 6, 2025

Description

Motivation and Context

The current EKS Fargate pattern doesn't explicitly set the IRSA service account. However, it assumes the namespace and service account name are both `karpenter` when not provided. This causes a failure if the user deploys to a different namespace or uses a different Helm release name.

This commit resolves this by explicitly setting `irsa_namespace_service_accounts` with the namespace and service account name variables to ensure correct IRSA configuration.

How was this change tested?

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I have updated the docs for this feature
  • Yes, I ran pre-commit run -a with this PR

Additional Notes

```shell
# Deploy to `karpenter-system` instead of `karpenter`
❯ kgp -n karpenter-system
NAME                         READY   STATUS             RESTARTS      AGE
karpenter-6fc4494b4b-9pz8w   0/1     CrashLoopBackOff   3 (14s ago)   113s
karpenter-6fc4494b4b-rd67j   0/1     CrashLoopBackOff   3 (25s ago)   113s

❯ k logs -f karpenter-6fc4494b4b-9pz8w
{"level":"ERROR","time":"2025-03-06T07:52:37.593Z","logger":"controller","message":"ec2 api connectivity check failed","commit":"b897114","error":"WebIdentityErr: failed to retrieve credentials\ncaused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403, request id: <redacted>"}
```

```shell
# Apply patch
❯ terraform apply -auto-approve
...
# module.karpenter.aws_iam_role.controller[0] will be updated in-place
  ~ resource "aws_iam_role" "controller" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action    = [
                            "sts:TagSession",
                            "sts:AssumeRole",
                        ]
                        Effect    = "Allow"
                        Principal = {
                            Service = "pods.eks.amazonaws.com"
                        }
                    },
                  ~ {
                      ~ Condition = {
                          ~ StringEquals = {
                              ~ "oidc.eks.us-west-2.amazonaws.com/id/<redacted>:sub" = "system:serviceaccount:karpenter:karpenter" -> "system:serviceaccount:karpenter-system:karpenter"
                                # (1 unchanged attribute hidden)
                            }
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
...

❯ kgp -n karpenter-system
NAME                         READY   STATUS    RESTARTS   AGE
karpenter-7f7cf4554c-2hc7r   1/1     Running   0          81s
karpenter-7f7cf4554c-vr5mz   1/1     Running   0          81s
```
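The whole failure above hinges on one string in the controller role's trust policy: the OIDC `:sub` condition must equal `system:serviceaccount:<namespace>:<serviceaccount>` for the pod that actually presents the token, otherwise STS answers `AccessDenied` on `sts:AssumeRoleWithWebIdentity`. The following Python check is an added example and is not code from this PR or from the terraform-aws-eks module. It parses an IAM trust policy shaped like the one in the plan output, extracts the namespace/service-account pairs the IRSA statement trusts, and compares them with the namespace and service account the Helm release will use; it also produces the `namespace:serviceaccount` entry the PR passes via `irsa_namespace_service_accounts`. The account id, OIDC provider id, the `TRUST_POLICY_BEFORE` document and all function names are constructed for the example.

```python
import json
import re

# Constructed placeholders (not values from the PR): account id and OIDC provider id.
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEOIDCID"

# Constructed trust policy shaped like the aws_iam_role.controller assume_role_policy
# in the terraform plan: one statement for EKS Pod Identity, one for IRSA whose
# :sub condition is pinned to the default karpenter/karpenter identity.
TRUST_POLICY_BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:TagSession", "sts:AssumeRole"],
            "Principal": {"Service": "pods.eks.amazonaws.com"},
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
            "Condition": {
                "StringEquals": {
                    f"{OIDC_PROVIDER}:sub": "system:serviceaccount:karpenter:karpenter",
                    f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                }
            },
        },
    ],
})

SUB_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")


def irsa_subjects(trust_policy_json):
    """Return the set of (namespace, service_account) pairs the IRSA statement trusts."""
    policy = json.loads(trust_policy_json)
    subjects = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # Only StringEquals is considered: a StringLike wildcard would be a looser
        # trust relationship and is deliberately not counted as an exact match here.
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if not key.endswith(":sub"):
                continue
            for sub in value if isinstance(value, list) else [value]:
                m = SUB_RE.match(sub)
                if m:
                    subjects.add((m.group(1), m.group(2)))
    return subjects


def check_irsa_binding(trust_policy_json, namespace, service_account):
    """True when the role trusts the exact pod identity the Helm release will run as."""
    return (namespace, service_account) in irsa_subjects(trust_policy_json)


def irsa_namespace_service_account(namespace, service_account):
    """The 'namespace:serviceaccount' entry to pass in irsa_namespace_service_accounts."""
    return f"{namespace}:{service_account}"


def rewrite_irsa_subject(trust_policy_json, namespace, service_account):
    """Return the policy with every IRSA :sub condition re-pinned to the given identity,
    mirroring the in-place update shown in the plan output."""
    policy = json.loads(trust_policy_json)
    wanted = f"system:serviceaccount:{irsa_namespace_service_account(namespace, service_account)}"
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        for key in list(cond):
            if key.endswith(":sub"):
                cond[key] = wanted
    return json.dumps(policy)


if __name__ == "__main__":
    # karpenter/karpenter is trusted; karpenter-system/karpenter is not, which is the
    # CrashLoopBackOff case from the test evidence above.
    for ns in ("karpenter", "karpenter-system"):
        ok = check_irsa_binding(TRUST_POLICY_BEFORE, ns, "karpenter")
        print(f"{ns}/karpenter trusted by role: {ok}")
    print("entry for irsa_namespace_service_accounts:",
          irsa_namespace_service_account("karpenter-system", "karpenter"))
```

Running this against a role's real `AssumeRolePolicyDocument` (for example the output of `aws iam get-role`) before a Helm upgrade turns the 403 at pod start into a pre-deploy check; the same comparison is what the Terraform plan above performs when it rewrites the `:sub` value from `karpenter:karpenter` to `karpenter-system:karpenter`.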

The current EKS Fargate pattern doesn't explicitly set the IRSA service
account. However, it assumes the namespace and service account name are
both `karpenter` when not provided. This causes a failure if the user
deploys to a different namespace or uses a different Helm release name.

This commit resolves this by explicitly setting
`irsa_namespace_service_accounts` with the namespace and service account
name variables to ensure correct IRSA configuration.

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/c60b70fbc80606eb4ed8cf47063ac6ed0d8dd435/modules/karpenter/variables.tf#L142-L146
https://github.com/aws/karpenter-provider-aws/blob/002856721e612ded9f3f09821ed9ec2823d8af06/charts/karpenter/values.yaml#L18-L20

Signed-off-by: Sunghoon Kang <[email protected]>
@devholic devholic changed the title fix: set IRSA service account in EKS Fargate pattern fix: Set IRSA service account in EKS Fargate pattern Mar 6, 2025
@devholic devholic marked this pull request as ready for review March 6, 2025 08:02
@devholic devholic requested a review from a team as a code owner March 6, 2025 08:02