fix: Add support for overriding DNS suffix for cluster IAM role servi…

…ce principal endpoint (#1905)
terraform-aws-modules · Mar 2, 2022 · 9af0c24 · 9af0c24
1 parent 9a99689
commit 9af0c24
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -855,6 +855,7 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws
 | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
 | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
 | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_cluster_iam_role_dns_suffix"></a> [cluster\_iam\_role\_dns\_suffix](#input\_cluster\_iam\_role\_dns\_suffix) | Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China) | `string` | `null` | no |
 | <a name="input_cluster_identity_providers"></a> [cluster\_identity\_providers](#input\_cluster\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no |
 | <a name="input_cluster_ip_family"></a> [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `null` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |

diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf
@@ -89,7 +89,11 @@ module "eks" {
     instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 
     # We are using the IRSA created below for permissions
-    iam_role_attach_cni_policy = false
+    # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster)
+    # and then turn this off after the cluster/node group is created. Without this initial policy,
+    # the VPC CNI fails to assign IPs and nodes cannot join the cluster
+    # See https://github.com/aws/containers-roadmap/issues/1666 for more context
+    iam_role_attach_cni_policy = true
   }
 
   eks_managed_node_groups = {

diff --git a/main.tf b/main.tf
@@ -172,6 +172,10 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {
 locals {
   iam_role_name     = coalesce(var.iam_role_name, "${var.cluster_name}-cluster")
   policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+
+  # TODO - hopefully this can be removed once the AWS endpoint is named properly in China
+  # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
+  dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix)
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -183,7 +187,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 
     principals {
       type        = "Service"
-      identifiers = ["eks.${data.aws_partition.current.dns_suffix}"]
+      identifiers = ["eks.${local.dns_suffix}"]
     }
   }
 }

diff --git a/variables.tf b/variables.tf
@@ -305,6 +305,14 @@ variable "iam_role_additional_policies" {
   default     = []
 }
 
+# TODO - hopefully this can be removed once the AWS endpoint is named properly in China
+# https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
+variable "cluster_iam_role_dns_suffix" {
+  description = "Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China)"
+  type        = string
+  default     = null
+}
+
 variable "iam_role_tags" {
   description = "A map of additional tags to add to the IAM role created"
   type        = map(string)