unable to attach access policies to access entries of type EC2

[theincognitogeek]

Description

I am trying to creating a automode enabled EKS cluster with custom nodepools and nodeclasses and while trying to provide access entry to the role AmazonEKSAutoNodePolicy, I tried to attachthe accesspolicy AmazonEKSAutoNodePolicy
If your request is for a new feature, please use the Feature request template.

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

Module version [Required]: ~> 20.0
Terraform version: 1.9.8
Provider version(s): ~> 5.0

Reproduction Code [Required]

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"
  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version
  vpc_id          = var.vpc_id
  subnet_ids = var.subnet_ids
  cluster_endpoint_private_access = var.cluster_endpoint_private_access
  cluster_endpoint_public_access  = var.cluster_endpoint_public_access
  create_cloudwatch_log_group     = var.create_cloudwatch_log_group
  cluster_enabled_log_types              = var.cluster_enabled_log_types
  cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
  cluster_compute_config = {
    enabled = true
  }
  cluster_addons = {
    coredns = {}
    kube-proxy = {}
    vpc-cni = {}
    eks-pod-identity-agent = {}
  }
  create_node_security_group    = false
  create_cluster_security_group = false
  authentication_mode                      = var.authentication_mode
  enable_cluster_creator_admin_permissions = false
  access_entries = {
    cluster_node_access_entry = {
      principal_arn = "arn:aws:iam::${aws_account_id}:role/AmazonEKSAutoNodeRole"
      type          = "EC2"

      policy_associations = {
        cluster_admin_access_policy = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAutoNodePolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }

  }

  tags = var.tags
}

Steps to reproduce the behavior:

Expected behavior

I expect that a new access entry with the role AmazonEKSAutoNodeRole of type EC2 is created and the cluster policy AmazonEKSAutoNodePolicy is attached to it.

Actual behavior

I am observing the below error while associating the access policy to the role.

│   on .terraform/modules/eks/main.tf line 284, in resource "aws_eks_access_policy_association" "this":
│  284:     type       = each.value.association_access_scope_type
│     ├────────────────
│     │ each.value is object with 3 attributes
│ 
│ This object does not have an attribute named
│ "association_access_scope_type".
╵
╷
│ Error: Unsupported attribute
│ 
│   on .terraform/modules/eks/main.tf line 289, in resource "aws_eks_access_policy_association" "this":
│  289:   policy_arn    = each.value.association_policy_arn
│     ├────────────────
│     │ each.value is object with 3 attributes
│ 
│ This object does not have an attribute named "association_policy_arn".
╵

[vibhamsharma]

I tried by removing EC2 from below line main.tf in my local cache of module and it worked fine. Now waiting for it to get updated in module. Seems it was not creating policy association if type is other than Standard.

Before:

    } : k => v if !contains(["EC2", "EC2_LINUX", "EC2_WINDOWS", "FARGATE_LINUX", "HYBRID_LINUX"], lookup(entry_val, "type", "STANDARD")) },

After:
} : k => v if !contains(["EC2_LINUX", "EC2_WINDOWS", "FARGATE_LINUX", "HYBRID_LINUX"], lookup(entry_val, "type", "STANDARD")) },

[bryantbiggs]

resolved in #3281

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.