fix: Sub-modules output the correct eks worker iam arn when workers utilize custom iam role

[kongdewen]

Description

When sub-module generate outputs, it needs to consider if the worker instance is using custom iam role, if so, it should directly output the variable associated with it. otherwise, it will return empty string cause damage to the cluster if not carefully use these outputs.

Motivation and Context

when we patch the aws_auth config following

terraform-aws-eks/examples/complete/main.tf

Lines 301 to 336 in 9a99689

	# we have to combine the configmap created by the eks module with the externally created node group/profile sub-modules
	aws_auth_configmap_yaml = <<-EOT
	${chomp(module.eks.aws_auth_configmap_yaml)}
	- rolearn: ${module.eks_managed_node_group.iam_role_arn}
	username: system:node:{{EC2PrivateDNSName}}
	groups:
	- system:bootstrappers
	- system:nodes
	- rolearn: ${module.self_managed_node_group.iam_role_arn}
	username: system:node:{{EC2PrivateDNSName}}
	groups:
	- system:bootstrappers
	- system:nodes
	- rolearn: ${module.fargate_profile.fargate_profile_pod_execution_role_arn}
	username: system:node:{{SessionName}}
	groups:
	- system:bootstrappers
	- system:nodes
	- system:node-proxier
	EOT
	}
	resource "null_resource" "patch" {
	triggers = {
	kubeconfig = base64encode(local.kubeconfig)
	cmd_patch = "kubectl patch configmap/aws-auth --patch \"${local.aws_auth_configmap_yaml}\" -n kube-system --kubeconfig <(echo $KUBECONFIG | base64 --decode)"
	}
	provisioner "local-exec" {
	interpreter = ["/bin/bash", "-c"]
	environment = {
	KUBECONFIG = self.triggers.kubeconfig
	}
	command = self.triggers.cmd_patch
	}
	}

.

we found out that rolearn from module.eks.aws_auth_configmap_yaml was empty

 kubectl -n kube-system describe configmap/aws-auth
Name:         aws-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Data
====
mapRoles:
----
- rolearn:
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: {custom_iam}
  username: {custom_iam}
  groups:
    - xxxx:xxxx

Events:  <none>

Breaking Changes

n/a

How Has This Been Tested?

After the update, the issue we saw has been fixed(we only use EKS managed node group). so the self managed nodegroup and fargate portion is unverified yet, but since it's an easy fix, kinda confident it will work.

[bryantbiggs]

the other changes above look ok (need to test still), but I don't think this is correct. I do believe we want to use the role that the instance profile utilizes

[kongdewen]

Thank you @bryantbiggs for the quick follow up. I think iam_instance_profile_arn is the actual the iam instance profile? https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/modules/self-managed-node-group/main.tf#L149-L151

[bryantbiggs]

Instance profile is not what is used for access within the cluster, its just a construct used by the EC2 service in order to assume the role.

This has been like this for quite some time so I am highly confident it is correct as is otherwise we'd have a large number of users complaining that their self-managed node groups fail to join the cluster

[kongdewen]

Thank you @bryantbiggs for the clarification! revert this part of change

[bryantbiggs]

thanks for the PR @kongdewen - good to go @antonbabenko 👍🏽

[antonbabenko]

This PR is included in version 18.10.2 🎉

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.