ack apigateway role_policies default #51

Closed
oscarboher opened this issue Apr 18, 2024 · 3 comments

@oscarboher

Description

Trying to customize the apigatewayv2 Helm installation and IRSA role creation with minimal configuration fails on the IRSA role_policies, as the lookup default value does not match the key type.

role_policies = lookup(var.apigatewayv2, "role_policies", {
  AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
  AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
})

The default is an object {} while the map element role_policies is not defined afaik.

Versions

  • Module version: 2.2.0

  • Terraform version: 1.6.6

  • Provider version(s):

  • provider registry.terraform.io/gavinbunney/kubectl v1.14.0
  • provider registry.terraform.io/hashicorp/aws v5.8.0
  • provider registry.terraform.io/hashicorp/helm v2.13.1
  • provider registry.terraform.io/hashicorp/kubernetes v2.29.0
  • provider registry.terraform.io/hashicorp/random v3.4.3
  • provider registry.terraform.io/hashicorp/time v0.11.1
  • provider registry.terraform.io/viktorradnai/bcrypt v0.1.2

Reproduction Code [Required]

main.tf:

module "eks_ack_addons" {
  count   = var.enable_eks_ack_addons ? 1 : 0
  source  = "aws-ia/eks-ack-addons/aws"
  version = "2.2.0"

  # Cluster Info
  cluster_name      = var.eks_cluster_name
  cluster_endpoint  = data.aws_eks_cluster.cluster.endpoint
  oidc_provider_arn = var.eks_oidc_provider_arn

  # ECR Credentials
  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password

  enable_apigatewayv2 = var.enable_ack_api_gatewayv2_controller

  apigatewayv2 = var.apigatewayv2

  tags = var.tags
}

apigatewayv2 variable:

apigatewayv2 = {
  chart_version = "1.1.0"
  skip_crds     = false
}

Steps to reproduce the behavior:

terraform plan (with valid variables for eks cluster required vars)

Expected behavior

Helm chart is installed using chart_version, and the IRSA role is created with default policies.

Actual behavior

Terraform plan fails, as the default return of the lookup for role policies for apigatewayv2 does not match the role_policies key type.

Terminal Output Screenshot(s)

╷
│ Error: Invalid function argument
│ 
│   on .terraform/modules/eks_ack_addons/main.tf line 118, in module "apigatewayv2":
│  118:   role_policies = lookup(var.apigatewayv2, "role_policies", {
│  119:     AmazonAPIGatewayInvokeFullAccess = "${local.iam_role_policy_prefix}/AmazonAPIGatewayInvokeFullAccess"
│  120:     AmazonAPIGatewayAdministrator    = "${local.iam_role_policy_prefix}/AmazonAPIGatewayAdministrator"
│  121:   })
│     ├────────────────
│     │ while calling lookup(inputMap, key, default...)
│     │ local.iam_role_policy_prefix is "arn:aws:iam::aws:policy"
│ 
│ Invalid value for "default" parameter: the default value must have the same
│ type as the map elements.

Additional context


github-actions bot commented Aug 7, 2024

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Aug 7, 2024
@candonov
Contributor

candonov commented Aug 7, 2024

Hi @oscarboher, I cannot reproduce this; using the example works as expected.

One thing I noticed is that the apigatewayv2 controller latest version is 1.0.15 (container matches the helm chart version) and you are passing chart_version = "1.1.0" which does not exist.

@github-actions github-actions bot removed the stale label Aug 8, 2024
@candonov
Contributor

@oscarboher, if you are still experiencing this, please re-open and provide more detail on how to reproduce.
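
An added example, not code from this issue or from the module, showing the `lookup()` behaviour behind the error message above: Terraform type-checks the default against the element type only when the first argument is a map type, while an object input with a missing attribute returns the default as given. The variable names are hypothetical, and declaring the caller's variable as `map(string)` is an assumption, since the issue does not show that declaration.

```hcl
# Constructed reproduction; needs no providers: terraform init && terraform plan
# Variable names are hypothetical. Only lookup() typing is being demonstrated.

variable "as_object" {
  # type = any keeps the value an object: each attribute keeps its own type.
  type = any
  default = {
    chart_version = "1.1.0"
    skip_crds     = false
  }
}

variable "as_map" {
  # Assumed caller-side declaration: map(string) converts every element
  # to string, so the map's element type is string.
  type = map(string)
  default = {
    chart_version = "1.1.0"
    skip_crds     = false
  }
}

locals {
  # Same shape as the module default shown in the issue, prefix written out.
  default_policies = {
    AmazonAPIGatewayInvokeFullAccess = "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess"
    AmazonAPIGatewayAdministrator    = "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator"
  }

  # Object input, attribute missing: lookup() returns the default unchanged.
  from_object = lookup(var.as_object, "role_policies", local.default_policies)

  # Map input: uncommenting the next line fails with "the default value must
  # have the same type as the map elements" (an object cannot become a string).
  # from_map = lookup(var.as_map, "role_policies", local.default_policies)

  # try() catches the missing-key error and does not type-check the fallback
  # against the map's element type.
  from_map_try = try(var.as_map.role_policies, local.default_policies)
}

output "from_object" { value = local.from_object }
output "from_map_try" { value = local.from_map_try }
```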
