Is your request related to a problem? Please describe.
Upon creation of a new managed node group within EKS, the ‘aws-auth’ config-map is updated with the Node IAM role that is specified in the Node Group Configuration. This results in “Unauthorized” errors when the Kubelet is attempting to register itself with the cluster if the Node IAM role uses any sort of path structure. Paths are "unsupported" by the aws-auth config map, but providing the IAM role without the "pathing" will enable nodes to register with the cluster. Several enterprises rely on IAM pathing to implement ABAC and other controls, and this should be an accepted use within the Terraform module accompanying the AWS services.
Describe the solution you'd like.
In the past this repository supported this functionality. With the ability to configure the aws-auth config map in recent releases, we now have the ability to reintroduce this functionality to enable terraform-aws-eks users that already have enterprise requirements. We could implement the solution by performing a simple replace on the path when creating the rolearn in the configmap, i.e. in this code we do something to the effect of:
rolearn = replace(rolearn, "/:role/.*//", ":role/") # regex form of replace(): drop the path segments between "role/" and the final role name
Stripping everything in between the role and final subpath.
Describe alternatives you've considered.
Alternatively, we have been manually editing the config map after creation to use the "stripped" IAM role ARN. This is by no means realistic to perform when automating deployments for EKS across an enterprise.
Steps to Reproduce:
1. Create an IAM node role with the structure arn:aws:iam::#######:role/ABAC-PATH/rolename
2. Create an EKS cluster (config shouldn’t matter)
3. Create a Launch Template (config shouldn’t matter)
4. Provision a Managed Node Group while specifying the ARN above
5. Log on to the resulting instance from the Managed Node Group
6. Observe the logs for Kubelet:
   journalctl -u kubelet
7. Edit the aws-auth config map and strip “ABAC-PATH/” from .data.mapRoles.groups.rolearn:
   kubectl edit cm -n kube-system aws-auth
8. Restart Kubelet on the node and observe it register to the cluster
9. Provision another Managed Node Group using the same IAM node role as above
10. Observe the config map update again with the incorrect value:
    kubectl get cm -n kube-system aws-auth -oyaml
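The normalization the issue asks for, as an added example that is not part of the issue or of the terraform-aws-eks module: it parses an IAM role ARN properly instead of relying on a bare regex replace, strips any path (one or several segments) so the mapRoles entry matches what the kubelet presents, and doubles as an audit helper that flags entries in an existing aws-auth mapRoles list that still carry a path. The account id, role names and mapRoles sample are constructed.

```python
"""Normalize IAM role ARNs for the EKS aws-auth ConfigMap (added example).

mapRoles entries must not carry an IAM path: a node role such as
arn:aws:iam::111122223333:role/ABAC-PATH/rolename has to be mapped as
arn:aws:iam::111122223333:role/rolename, otherwise kubelet registration
fails with "Unauthorized". All account ids and names here are constructed.
"""
import re

# arn:partition:iam::account:role/optional/path/segments/RoleName
_ROLE_ARN = re.compile(
    r"^arn:(?P<partition>[a-z-]+):iam::(?P<account>\d{12}):role/"
    r"(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$"
)


def strip_role_path(arn: str) -> str:
    """Return the role ARN with any IAM path removed.

    ARNs that are not IAM role ARNs (users, assumed-role STS ARNs, ...)
    are returned unchanged so the caller can decide what to do with them.
    """
    m = _ROLE_ARN.match(arn)
    if not m:
        return arn
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['name']}"


def pathed_map_roles(map_roles: list[dict]) -> list[str]:
    """Audit helper: rolearn values in a mapRoles list that still carry a path."""
    return [e["rolearn"] for e in map_roles
            if strip_role_path(e["rolearn"]) != e["rolearn"]]


# Constructed sample of what a module writes into .data.mapRoles
SAMPLE_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::111122223333:role/ABAC-PATH/rolename",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::111122223333:role/cluster-admin",
     "username": "cluster-admin",
     "groups": ["system:masters"]},
]

if __name__ == "__main__":
    for bad in pathed_map_roles(SAMPLE_MAP_ROLES):
        print(f"{bad} -> {strip_role_path(bad)}")
```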
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.