fix: Add support for overriding DNS suffix for cluster IAM role service principal endpoint (#1905)

bryantbiggs · web-flow · commit 9af0c2495a1f · 2022-03-02T18:26:20.000+01:00
diff --git a/README.md b/README.md
@@ -855,6 +855,7 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws
 | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
 | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
 | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_cluster_iam_role_dns_suffix"></a> [cluster\_iam\_role\_dns\_suffix](#input\_cluster\_iam\_role\_dns\_suffix) | Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China) | `string` | `null` | no |
 | <a name="input_cluster_identity_providers"></a> [cluster\_identity\_providers](#input\_cluster\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no |
 | <a name="input_cluster_ip_family"></a> [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `null` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf
@@ -89,7 +89,11 @@ module "eks" {
     instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 
     # We are using the IRSA created below for permissions
-    iam_role_attach_cni_policy = false
+    # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster)
+    # and then turn this off after the cluster/node group is created. Without this initial policy,
+    # the VPC CNI fails to assign IPs and nodes cannot join the cluster
+    # See https://github.com/aws/containers-roadmap/issues/1666 for more context
+    iam_role_attach_cni_policy = true
   }
 
   eks_managed_node_groups = {
diff --git a/main.tf b/main.tf
@@ -172,6 +172,10 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {
 locals {
   iam_role_name     = coalesce(var.iam_role_name, "${var.cluster_name}-cluster")
   policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+
+  # TODO - hopefully this can be removed once the AWS endpoint is named properly in China
+  # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
+  dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix)
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -183,7 +187,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 
     principals {
       type        = "Service"
-      identifiers = ["eks.${data.aws_partition.current.dns_suffix}"]
+      identifiers = ["eks.${local.dns_suffix}"]
     }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -305,6 +305,14 @@ variable "iam_role_additional_policies" {
   default     = []
 }
 
+# TODO - hopefully this can be removed once the AWS endpoint is named properly in China
+# https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
+variable "cluster_iam_role_dns_suffix" {
+  description = "Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China)"
+  type        = string
+  default     = null
+}
+
 variable "iam_role_tags" {
   description = "A map of additional tags to add to the IAM role created"
   type        = map(string)

Original file line number	Diff line number	Diff line change
`@@ -172,6 +172,10 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {`
`172`	`172`	`locals {`
`173`	`173`	`iam_role_name = coalesce(var.iam_role_name, "${var.cluster_name}-cluster")`
`174`	`174`	`policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"`
	`175`	`+`
	`176`	`+ # TODO - hopefully this can be removed once the AWS endpoint is named properly in China`
	`177`	`+ # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904`
	`178`	`+ dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix)`
`175`	`179`	`}`
`176`	`180`
`177`	`181`	`data "aws_iam_policy_document" "assume_role_policy" {`
`@@ -183,7 +187,7 @@ data "aws_iam_policy_document" "assume_role_policy" {`
`183`	`187`
`184`	`188`	`principals {`
`185`	`189`	`type = "Service"`
`186`		`- identifiers = ["eks.${data.aws_partition.current.dns_suffix}"]`
	`190`	`+ identifiers = ["eks.${local.dns_suffix}"]`
`187`	`191`	`}`
`188`	`192`	`}`
`189`	`193`	`}`