Resolving oidc.eks.<<region>>.amazonaws.com

[jonmelia]

Description

oidc.eks.<>.amazonaws.com only resolves to a public IP and will not resolve over private link.

Previous issue noted here #3237

Versions

• Module version [Required]: Any

Reproduction Code [Required]

Any deployment using private api

Steps to reproduce the behavior:

Deploy any cluster over privatelink using vpce endpoints and try and resolve the below dns

Expected behavior

oidc.eks.region.amazonaws.com is a public only endpoint and will not resolve over private link.

terraform-aws-eks/main.tf

Line 445 in f43d83b

data "tls_certificate" "this" {

Can the above data lookup be updated to possibly utilise the dualstack url which will resolve over the private dns

Actual behavior

DNS fails to resolve over privatelink for oidc.eks.<>.amazonaws.com, however will resolve for oidc-eks.eu-west-2.api.aws

Terminal Output Screenshot(s)

Additional context

Not entirely sure if this falls under the module responsibility or is just an AWS feature that causes issues

[jonmelia]

Actually I don't think this will solve the problem as even if the url pointed to oidc-eks.region.api.aws and it resolved, it would still not be accessible as enabling privatelink sends traffic over privatelink and wouldn't be able to send to the public ip of the above. This seems to be a blocker for full air gap deployment from public internet