fix: Correct access policy logic to support not providing a policy to associate (#3464)

bryantbiggs · web-flow · commit 39be61d70232 · 2025-08-02T07:55:57.000-05:00
diff --git a/README.md b/README.md
@@ -381,7 +381,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | <pre>map(object({<br/>    # Access entry<br/>    kubernetes_groups = optional(list(string))<br/>    principal_arn     = string<br/>    type              = optional(string, "STANDARD")<br/>    user_name         = optional(string)<br/>    tags              = optional(map(string), {})<br/>    # Access policy association<br/>    policy_associations = optional(map(object({<br/>      policy_arn = string<br/>      access_scope = object({<br/>        namespaces = optional(list(string))<br/>        type       = string<br/>      })<br/>    })))<br/>  }))</pre> | `{}` | no |
+| <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | <pre>map(object({<br/>    # Access entry<br/>    kubernetes_groups = optional(list(string))<br/>    principal_arn     = string<br/>    type              = optional(string, "STANDARD")<br/>    user_name         = optional(string)<br/>    tags              = optional(map(string), {})<br/>    # Access policy association<br/>    policy_associations = optional(map(object({<br/>      policy_arn = string<br/>      access_scope = object({<br/>        namespaces = optional(list(string))<br/>        type       = string<br/>      })<br/>    })), {})<br/>  }))</pre> | `{}` | no |
 | <a name="input_additional_security_group_ids"></a> [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | List of additional, externally created security group IDs to attach to the cluster control plane | `list(string)` | `[]` | no |
 | <a name="input_addons"></a> [addons](#input\_addons) | Map of cluster addon configurations to enable for the cluster. Addon name can be the map keys or set with `name` | <pre>map(object({<br/>    name                 = optional(string) # will fall back to map key<br/>    before_compute       = optional(bool, false)<br/>    most_recent          = optional(bool, true)<br/>    addon_version        = optional(string)<br/>    configuration_values = optional(string)<br/>    pod_identity_association = optional(list(object({<br/>      role_arn        = string<br/>      service_account = string<br/>    })))<br/>    preserve                    = optional(bool, true)<br/>    resolve_conflicts_on_create = optional(string, "NONE")<br/>    resolve_conflicts_on_update = optional(string, "OVERWRITE")<br/>    service_account_role_arn    = optional(string)<br/>    timeouts = optional(object({<br/>      create = optional(string)<br/>      update = optional(string)<br/>      delete = optional(string)<br/>    }))<br/>    tags = optional(map(string), {})<br/>  }))</pre> | `null` | no |
 | <a name="input_addons_timeouts"></a> [addons\_timeouts](#input\_addons\_timeouts) | Create, update, and delete timeout configurations for the cluster addons | <pre>object({<br/>    create = optional(string)<br/>    update = optional(string)<br/>    delete = optional(string)<br/>  })</pre> | `null` | no |
diff --git a/main.tf b/main.tf
@@ -269,7 +269,7 @@ locals {
   # associations within a single entry
   flattened_access_entries = flatten([
     for entry_key, entry_val in local.merged_access_entries : [
-      for pol_key, pol_val in try(entry_val.policy_associations, {}) :
+      for pol_key, pol_val in entry_val.policy_associations :
       merge(
         {
           principal_arn = entry_val.principal_arn
diff --git a/tests/eks-managed-node-group/main.tf b/tests/eks-managed-node-group/main.tf
@@ -408,6 +408,12 @@ module "eks" {
         }
       }
     }
+
+    no-policy = {
+      kubernetes_groups = ["something"]
+      principal_arn     = data.aws_caller_identity.current.arn
+      user_name         = "someone"
+    }
   }
 
   tags = local.tags
diff --git a/variables.tf b/variables.tf
@@ -218,7 +218,7 @@ variable "access_entries" {
         namespaces = optional(list(string))
         type       = string
       })
-    })))
+    })), {})
   }))
   default = {}
 }

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ locals {`
`269`	`269`	`# associations within a single entry`
`270`	`270`	`flattened_access_entries = flatten([`
`271`	`271`	`for entry_key, entry_val in local.merged_access_entries : [`
`272`		`- for pol_key, pol_val in try(entry_val.policy_associations, {}) :`
	`272`	`+ for pol_key, pol_val in entry_val.policy_associations :`
`273`	`273`	`merge(`
`274`	`274`	`{`
`275`	`275`	`principal_arn = entry_val.principal_arn`
Original file line number	Diff line number	Diff line change
`@@ -408,6 +408,12 @@ module "eks" {`
`408`	`408`	`}`
`409`	`409`	`}`
`410`	`410`	`}`
	`411`	`+`
	`412`	`+ no-policy = {`
	`413`	`+ kubernetes_groups = ["something"]`
	`414`	`+ principal_arn = data.aws_caller_identity.current.arn`
	`415`	`+ user_name = "someone"`
	`416`	`+ }`
`411`	`417`	`}`
`412`	`418`
`413`	`419`	`tags = local.tags`
Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@ variable "access_entries" {`
`218`	`218`	`namespaces = optional(list(string))`
`219`	`219`	`type = string`
`220`	`220`	`})`
`221`		`- })))`
	`221`	`+ })), {})`
`222`	`222`	`}))`
`223`	`223`	`default = {}`
`224`	`224`	`}`