diff --git a/README.md b/README.md
index 897d445231..8d3d79ad74 100644
--- a/README.md
+++ b/README.md
@@ -430,7 +430,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
 | [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
 | [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
-| [identity\_providers](#input\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA |
map(object({
client_id = string
groups_claim = optional(string)
groups_prefix = optional(string)
identity_provider_config_name = optional(string) # will fall back to map key
issuer_url = string
required_claims = optional(map(string))
username_claim = optional(string)
username_prefix = optional(string)
}))
| `null` | no |
+| [identity\_providers](#input\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA |
map(object({
client_id = string
groups_claim = optional(string)
groups_prefix = optional(string)
identity_provider_config_name = optional(string) # will fall back to map key
issuer_url = string
required_claims = optional(map(string))
username_claim = optional(string)
username_prefix = optional(string)
tags = optional(map(string), {})
}))
| `null` | no |
 | [include\_oidc\_root\_ca\_thumbprint](#input\_include\_oidc\_root\_ca\_thumbprint) | Determines whether to include the root CA thumbprint in the OpenID Connect (OIDC) identity provider's server certificate(s) | `bool` | `true` | no |
 | [ip\_family](#input\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `"ipv4"` | no |
 | [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for [key administrators](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). If no value is provided, the current caller identity is used to ensure at least one key admin is available | `list(string)` | `[]` | no |
diff --git a/examples/eks-managed-node-group/eks-al2023.tf b/examples/eks-managed-node-group/eks-al2023.tf
index 7203c01c81..69897a5a04 100644
--- a/examples/eks-managed-node-group/eks-al2023.tf
+++ b/examples/eks-managed-node-group/eks-al2023.tf
@@ -1,7 +1,6 @@
 module "eks_al2023" {
- # source = "terraform-aws-modules/eks/aws"
- # version = "~> 20.0"
- source = "../.."
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 21.0"
 
 name = "${local.name}-al2023"
 kubernetes_version = "1.33"
diff --git a/examples/eks-managed-node-group/eks-bottlerocket.tf b/examples/eks-managed-node-group/eks-bottlerocket.tf
index 2fd3816dbe..a4a9928d0f 100644
--- a/examples/eks-managed-node-group/eks-bottlerocket.tf
+++ b/examples/eks-managed-node-group/eks-bottlerocket.tf
@@ -1,7 +1,6 @@
 module "eks_bottlerocket" {
- # source = "terraform-aws-modules/eks/aws"
- # version = "~> 20.0"
- source = "../.."
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 21.0"
 
 name = "${local.name}-bottlerocket"
 kubernetes_version = "1.33"
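Review bot: Pointing the example at the registry with `version = "~> 21.0"` (the same change is made in eks-bottlerocket.tf and in both self-managed-node-group examples) means `terraform init` under examples/ now resolves the published release instead of the `../..` working tree, so any CI that plans the examples stops exercising the code in this repository. If the examples are meant as user-facing copy-paste snippets that is fine, but the removed commented-out lines were the only pointer back to the local source; consider keeping `# source = "../.."` as a one-line comment so contributors can still test unreleased changes. The `~>` constraint also lets a fresh init pick up any future 21.x release, which is the usual trade-off for an example but worth stating in the example's README.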
diff --git a/examples/self-managed-node-group/eks-al2023.tf b/examples/self-managed-node-group/eks-al2023.tf
index e074735ebb..ca17ac67d9 100644
--- a/examples/self-managed-node-group/eks-al2023.tf
+++ b/examples/self-managed-node-group/eks-al2023.tf
@@ -1,7 +1,6 @@
 module "eks_al2023" {
- # source = "terraform-aws-modules/eks/aws"
- # version = "~> 20.0"
- source = "../.."
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 21.0"
 
 name = "${local.name}-al2023"
 kubernetes_version = "1.33"
diff --git a/examples/self-managed-node-group/eks-bottlerocket.tf b/examples/self-managed-node-group/eks-bottlerocket.tf
index 6f0a2dc5ef..be9b2450a9 100644
--- a/examples/self-managed-node-group/eks-bottlerocket.tf
+++ b/examples/self-managed-node-group/eks-bottlerocket.tf
@@ -1,7 +1,6 @@
 module "eks_bottlerocket" {
- # source = "terraform-aws-modules/eks/aws"
- # version = "~> 20.0"
- source = "../.."
+ source = "terraform-aws-modules/eks/aws"
+ version = "~> 21.0"
 
 name = "${local.name}-bottlerocket"
 kubernetes_version = "1.33"
diff --git a/main.tf b/main.tf
index 94989384e2..b8811e0997 100644
--- a/main.tf
+++ b/main.tf
@@ -62,7 +62,7 @@ resource "aws_eks_cluster" "this" {
 content {
 enabled = compute_config.value.enabled
 node_pools = compute_config.value.node_pools
- node_role_arn = compute_config.value.node_pools != null ? try(compute_config.value.node_role_arn, aws_iam_role.eks_auto[0].arn, null) : null
+ node_role_arn = compute_config.value.node_pools != null ? try(aws_iam_role.eks_auto[0].arn, compute_config.value.node_role_arn) : null
 }
 }
 
@@ -444,7 +444,7 @@ data "tls_certificate" "this" {
 # Not available on outposts
 count = local.create_oidc_provider && var.include_oidc_root_ca_thumbprint ? 1 : 0
 
- url = local.dualstack_oidc_issuer_url
+ url = aws_eks_cluster.this[0].identity[0].oidc[0].issuer
 }
 
 resource "aws_iam_openid_connect_provider" "oidc_provider" {
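Review bot: The swapped `try()` order in the `node_role_arn` line now makes the module-created `aws_iam_role.eks_auto[0].arn` win over a caller-supplied `compute_config.value.node_role_arn` whenever that role exists, so a user who passes their own node role has it silently ignored unless the role is only created when no `node_role_arn` is given, which this hunk does not show. The previous order never reached the module role because a null `node_role_arn` is a successful `try()` branch, so reordering does fix that, but an explicit null check keeps both cases: `node_role_arn = compute_config.value.node_pools != null ? (compute_config.value.node_role_arn != null ? compute_config.value.node_role_arn : try(aws_iam_role.eks_auto[0].arn, null)) : null`. The enclosing dynamic block that provides `compute_config.value` starts outside the hunk.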
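Review bot: Reverting `url` from `local.dualstack_oidc_issuer_url` to the cluster's raw `issuer` here and in the `aws_iam_openid_connect_provider` hunk at @@ -453 changes the provider's URL, and `url` on `aws_iam_openid_connect_provider` forces replacement, so clusters created on the dual-stack URL will get a new provider with a new ARN on the next apply. IRSA trust policies that embed the old `oidc-eks.<region>.api.aws` hostname rather than this module's outputs will stop matching until rewritten, and during the replacement window pods using those roles cannot assume them. It is right that the `tls_certificate` data source and the provider now reference the same host, but the upgrade impact deserves a comment next to `url`, e.g. `# Single-stack issuer URL; changing this replaces the OIDC provider and its ARN (see <upgrade doc placeholder>)`, plus an entry in the upgrade guide.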
@@ -453,7 +453,7 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {
 
 client_id_list = distinct(compact(concat(["sts.amazonaws.com"], var.openid_connect_audiences)))
 thumbprint_list = concat(local.oidc_root_ca_thumbprint, var.custom_oidc_thumbprints)
- url = local.dualstack_oidc_issuer_url
+ url = aws_eks_cluster.this[0].identity[0].oidc[0].issuer
 
 tags = merge(
 { Name = "${var.name}-eks-irsa" },
@@ -856,7 +856,7 @@ resource "aws_eks_identity_provider_config" "this" {
 client_id = each.value.client_id
 groups_claim = each.value.groups_claim
 groups_prefix = each.value.groups_prefix
- identity_provider_config_name = try(each.value.identity_provider_config_name, each.key)
+ identity_provider_config_name = coalesce(each.value.identity_provider_config_name, each.key)
 issuer_url = each.value.issuer_url
 required_claims = each.value.required_claims
 username_claim = each.value.username_claim
diff --git a/outputs.tf b/outputs.tf
index 95afd4365b..4663b83639 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,6 +1,5 @@
 locals {
- # https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601
- dualstack_oidc_issuer_url = try(replace(replace(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, "https://oidc.eks.", "https://oidc-eks."), ".amazonaws.com/", ".api.aws/"), null)
+
 }
 
 ################################################################################
@@ -59,7 +58,8 @@ output "cluster_oidc_issuer_url" {
 
 output "cluster_dualstack_oidc_issuer_url" {
 description = "Dual-stack compatible URL on the EKS cluster for the OpenID Connect identity provider"
- value = local.dualstack_oidc_issuer_url
+ # https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601
+ value = try(replace(replace(aws_eks_cluster.this[0].identity[0].oidc[0].issuer, "https://oidc.eks.", "https://oidc-eks."), ".amazonaws.com/", ".api.aws/"), null)
 }
 
 output "cluster_version" {
diff --git a/variables.tf b/variables.tf
index 6b3e972a62..d8ade28a4c 100644
--- a/variables.tf
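Review bot: After the only local is removed, the `locals {` block at the top of outputs.tf is left empty with one added blank line inside it; an empty `locals {}` block is valid HCL but reads as a leftover, so drop the `locals {`, the blank and the `}` lines rather than keeping a stub. Inlining the expression into `cluster_dualstack_oidc_issuer_url` is consistent with main.tf, whose two references to the local are replaced in this commit, but the relocated `# https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601` comment would benefit from one clause saying what the rewrite does, e.g. `# Rewrites the issuer host to the dual-stack oidc-eks.<region>.api.aws endpoint; see https://github.com/aws/containers-roadmap/issues/2038#issuecomment-2278450601`.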
+++ b/variables.tf
@@ -660,6 +660,7 @@ variable "identity_providers" {
 required_claims = optional(map(string))
 username_claim = optional(string)
 username_prefix = optional(string)
+ tags = optional(map(string), {})
 }))
 default = null
 }
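Review bot: The new `tags = optional(map(string), {})` attribute on `identity_providers` is not visible being consumed anywhere in this diff; the `aws_eks_identity_provider_config` hunk at @@ -856 passes the other attributes through but its `tags` argument, if it has one, is outside that hunk, so please confirm the resource actually uses `each.value.tags`, otherwise the input is accepted and silently ignored. The `variable` block's description starts outside the hunk; it should say that these tags apply to each identity provider config and whether they are merged with `var.tags`, if that is the intended behaviour.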