fix: Correct logic to try to use module created IAM role before falli… (#3433)

Author: bryantbiggs

README.md

@@ -430,7 +430,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
 | <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
-| <a name="input_identity_providers"></a> [identity\_providers](#input\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | <pre>map(object({<br/>    client_id                     = string<br/>    groups_claim                  = optional(string)<br/>    groups_prefix                 = optional(string)<br/>    identity_provider_config_name = optional(string) # will fall back to map key<br/>    issuer_url                    = string<br/>    required_claims               = optional(map(string))<br/>    username_claim                = optional(string)<br/>    username_prefix               = optional(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_identity_providers"></a> [identity\_providers](#input\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | <pre>map(object({<br/>    client_id                     = string<br/>    groups_claim                  = optional(string)<br/>    groups_prefix                 = optional(string)<br/>    identity_provider_config_name = optional(string) # will fall back to map key<br/>    issuer_url                    = string<br/>    required_claims               = optional(map(string))<br/>    username_claim                = optional(string)<br/>    username_prefix               = optional(string)<br/>    tags                          = optional(map(string), {})<br/>  }))</pre> | `null` | no |
 | <a name="input_include_oidc_root_ca_thumbprint"></a> [include\_oidc\_root\_ca\_thumbprint](#input\_include\_oidc\_root\_ca\_thumbprint) | Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s) | `bool` | `true` | no |
 | <a name="input_ip_family"></a> [ip\_family](#input\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `"ipv4"` | no |
 | <a name="input_kms_key_administrators"></a> [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |

examples/eks-managed-node-group/eks-al2023.tf

@@ -1,7 +1,6 @@
 module "eks_al2023" {
-  # source  = "terraform-aws-modules/eks/aws"
-  # version = "~> 20.0"
-  source = "../.."
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 21.0"
 
   name               = "${local.name}-al2023"
   kubernetes_version = "1.33"

examples/eks-managed-node-group/eks-bottlerocket.tf

@@ -1,7 +1,6 @@
 module "eks_bottlerocket" {
-  # source  = "terraform-aws-modules/eks/aws"
-  # version = "~> 20.0"
-  source = "../.."
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 21.0"
 
   name               = "${local.name}-bottlerocket"
   kubernetes_version = "1.33"

examples/self-managed-node-group/eks-al2023.tf

@@ -1,7 +1,6 @@
 module "eks_al2023" {
-  # source  = "terraform-aws-modules/eks/aws"
-  # version = "~> 20.0"
-  source = "../.."
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 21.0"
 
   name               = "${local.name}-al2023"
   kubernetes_version = "1.33"

examples/self-managed-node-group/eks-bottlerocket.tf

@@ -1,7 +1,6 @@
 module "eks_bottlerocket" {
-  # source  = "terraform-aws-modules/eks/aws"
-  # version = "~> 20.0"
-  source = "../.."
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 21.0"
 
   name               = "${local.name}-bottlerocket"
   kubernetes_version = "1.33"

main.tf

@@ -62,7 +62,7 @@ resource "aws_eks_cluster" "this" {
     content {
       enabled       = compute_config.value.enabled
       node_pools    = compute_config.value.node_pools
-      node_role_arn = compute_config.value.node_pools != null ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
+      node_role_arn = compute_config.value.node_pools != null ? try(aws_iam_role.eks_auto[0].arn, compute_config.value.node_role_arn) : null
     }
   }
 
@@ -444,7 +444,7 @@ data "tls_certificate" "this" {
   # Not available on outposts
   count = local.create_oidc_provider && var.include_oidc_root_ca_thumbprint ? 1 : 0
 
-  url = local.dualstack_oidc_issuer_url
+  url = aws_eks_cluster.this[0].identity[0].oidc[0].issuer
 }
 
 resource "aws_iam_openid_connect_provider" "oidc_provider" {
@@ -453,7 +453,7 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {
 
   client_id_list  = distinct(compact(concat(["sts.amazonaws.com"], var.openid_connect_audiences)))
   thumbprint_list = concat(local.oidc_root_ca_thumbprint, var.custom_oidc_thumbprints)
-  url             = local.dualstack_oidc_issuer_url
+  url             = aws_eks_cluster.this[0].identity[0].oidc[0].issuer
 
   tags = merge(
     { Name = "${var.name}-eks-irsa" },
@@ -856,7 +856,7 @@ resource "aws_eks_identity_provider_config" "this" {
     client_id                     = each.value.client_id
     groups_claim                  = each.value.groups_claim
     groups_prefix                 = each.value.groups_prefix
-    identity_provider_config_name = try(each.value.identity_provider_config_name, each.key)
+    identity_provider_config_name = coalesce(each.value.identity_provider_config_name, each.key)
     issuer_url                    = each.value.issuer_url
     required_claims               = each.value.required_claims
     username_claim                = each.value.username_claim

outputs.tf

@@ -1,6 +1,5 @@
 locals {
-  # https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601
-  dualstack_oidc_issuer_url = try(replace(replace(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, "https://oidc.eks.", "https://oidc-eks."), ".amazonaws.com/", ".api.aws/"), null)
+
 }
 
 ################################################################################
@@ -59,7 +58,8 @@ output "cluster_oidc_issuer_url" {
 
 output "cluster_dualstack_oidc_issuer_url" {
   description = "Dual-stack compatible URL on the EKS cluster for the OpenID Connect identity provider"
-  value       = local.dualstack_oidc_issuer_url
+  # https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601
+  value = try(replace(replace(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, "https://oidc.eks.", "https://oidc-eks."), ".amazonaws.com/", ".api.aws/"), null)
 }
 
 output "cluster_version" {

variables.tf

@@ -660,6 +660,7 @@ variable "identity_providers" {
     required_claims               = optional(map(string))
     username_claim                = optional(string)
     username_prefix               = optional(string)
+    tags                          = optional(map(string), {})
   }))
   default = null
 }