From e35c327815c87f9dbd1ac70523f9e2b8a46fa7c9 Mon Sep 17 00:00:00 2001
From: Dewen Kong
Date: Tue, 1 Mar 2022 22:00:25 -0500
Subject: [PATCH 1/3] output the correct iam arn when workers adopt custom iam role
---
 modules/eks-managed-node-group/outputs.tf | 2 +-
 modules/fargate-profile/outputs.tf | 2 +-
 modules/self-managed-node-group/outputs.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/eks-managed-node-group/outputs.tf b/modules/eks-managed-node-group/outputs.tf
index 476abc8420..334b060ad4 100644
--- a/modules/eks-managed-node-group/outputs.tf
+++ b/modules/eks-managed-node-group/outputs.tf
@@ -66,7 +66,7 @@ output "iam_role_name" {
 output "iam_role_arn" {
 description = "The Amazon Resource Name (ARN) specifying the IAM role"
- value = try(aws_iam_role.this[0].arn, "")
+ value = try(aws_iam_role.this[0].arn, var.iam_role_arn)
 }
 output "iam_role_unique_id" {
diff --git a/modules/fargate-profile/outputs.tf b/modules/fargate-profile/outputs.tf
index 0bf2edd180..c8b663e80e 100644
--- a/modules/fargate-profile/outputs.tf
+++ b/modules/fargate-profile/outputs.tf
@@ -9,7 +9,7 @@ output "iam_role_name" {
 output "iam_role_arn" {
 description = "The Amazon Resource Name (ARN) specifying the IAM role"
- value = try(aws_iam_role.this[0].arn, "")
+ value = try(aws_iam_role.this[0].arn, var.iam_role_arn)
 }
 output "iam_role_unique_id" {
diff --git a/modules/self-managed-node-group/outputs.tf b/modules/self-managed-node-group/outputs.tf
index 983c92a80c..eaa0c398c8 100644
--- a/modules/self-managed-node-group/outputs.tf
+++ b/modules/self-managed-node-group/outputs.tf
@@ -124,7 +124,7 @@ output "iam_role_unique_id" {
 output "iam_instance_profile_arn" {
 description = "ARN assigned by AWS to the instance profile"
- value = try(aws_iam_instance_profile.this[0].arn, "")
+ value = try(aws_iam_instance_profile.this[0].arn, var.iam_instance_profile_arn)
 }
 output "iam_instance_profile_id" {
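Review bot: The new fallback in `value = try(aws_iam_role.this[0].arn, var.iam_role_arn)` changes the output's "not created" value from `""` to whatever `var.iam_role_arn` holds, and if that variable defaults to null (it appears to, judging by how the old code had to fall back to `""` — confirm in the module's variables.tf) a group that neither creates a role nor passes an ARN now emits null; the root `aws_auth_configmap_yaml` output seen in the later hunks feeds these values straight into the mapRoles template, so a null or empty value would render a mapRoles entry with no rolearn, which is an access-control artifact worth failing on rather than emitting. Using `try()` here also masks any other evaluation error on the role resource behind the variable; a conditional keyed on the module's create flag says what is meant, e.g. `value = var.create_iam_role ? aws_iam_role.this[0].arn : var.iam_role_arn` (use whichever flag gates `aws_iam_role.this` in this module). The same applies to the fargate-profile hunk and, with `var.iam_instance_profile_arn`, to the self-managed-node-group hunk in this patch. A `validation` block on the variable requiring a non-empty ARN whenever the role is not created would make the misconfiguration a plan-time error instead of a broken ConfigMap.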
From 2677772f6891c7c9ff9235c500b58d4ab74535a9 Mon Sep 17 00:00:00 2001
From: Dewen Kong
Date: Tue, 1 Mar 2022 22:25:21 -0500
Subject: [PATCH 2/3] update
---
 outputs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/outputs.tf b/outputs.tf
index e6867b5ce0..f17c393cc5 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -171,8 +171,8 @@ output "aws_auth_configmap_yaml" {
 value = templatefile("${path.module}/templates/aws_auth_cm.tpl", {
 eks_managed_role_arns = [for group in module.eks_managed_node_group : group.iam_role_arn]
- self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform != "windows"]
- win32_self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform == "windows"]
+ self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_instance_profile_arn if group.platform != "windows"]
+ win32_self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_instance_profile_arn if group.platform == "windows"]
 fargate_profile_pod_execution_role_arns = [for group in module.fargate_profile : group.fargate_profile_pod_execution_role_arn]
 }
 )
From 0d004046817a1d0b88f6cf00efed458e0133f723 Mon Sep 17 00:00:00 2001
From: Dewen Kong
Date: Wed, 2 Mar 2022 11:53:20 -0500
Subject: [PATCH 3/3] revert the aws_auth_configmap_yaml update based on feedback
Instance profile is not what is used for access within the cluster, its just a construct used by the EC2 service in order to assume the role.
---
 outputs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/outputs.tf b/outputs.tf
index f17c393cc5..e6867b5ce0 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -171,8 +171,8 @@ output "aws_auth_configmap_yaml" {
 value = templatefile("${path.module}/templates/aws_auth_cm.tpl", {
 eks_managed_role_arns = [for group in module.eks_managed_node_group : group.iam_role_arn]
- self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_instance_profile_arn if group.platform != "windows"]
- win32_self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_instance_profile_arn if group.platform == "windows"]
+ self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform != "windows"]
+ win32_self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform == "windows"]
 fargate_profile_pod_execution_role_arns = [for group in module.fargate_profile : group.fargate_profile_pod_execution_role_arn]
 }
 )
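Review bot: Restoring `group.iam_role_arn` for the two self-managed lists is right, but patch 1 of this series only changed the self-managed module's `iam_instance_profile_arn` output, not its `iam_role_arn` output; if that output still falls back to `""` when the module does not create the role (it is not shown here — confirm), a self-managed group using a custom instance profile will still contribute an empty rolearn to `aws_auth_configmap_yaml`, which is the case the series set out to fix. The module would need to expose the role behind a supplied profile, for instance by resolving it with a `data "aws_iam_instance_profile"` lookup and outputting its `role_arn`, and the comprehensions here should drop empty entries so the rendered mapRoles never binds a blank rolearn to `system:nodes`, e.g. `self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform != "windows" && group.iam_role_arn != ""]` and the matching `== "windows"` line. The enclosing `output "aws_auth_configmap_yaml"` block opens before this hunk.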