Wrong rolearn in aws_auth_configmap_yaml

[Anorlondo448]

Description

"data.maproles[].rolearn" set in aws_auth_configmap_yaml is not “Pod Execution Role ARN”. It is “Fargate Profile ARN”.
The correct policy is not attached to the user mapped in the aws-auth ConfigMap.

terraform-aws-eks/templates/aws_auth_cm.tpl

Lines 30 to 37 in 16f46db

	%{ for role in fargate_profile_arns ~}
	- rolearn: ${role}
	username: system:node:{{SessionName}}
	groups:
	- system:bootstrappers
	- system:nodes
	- system:node-proxier
	%{ endfor ~}

Versions

• Terraform: v1.1.4
• Provider(s):

+ provider registry.terraform.io/hashicorp/aws v3.74.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.4
+ provider registry.terraform.io/hashicorp/tls v3.1.0

Reproduction

• use terraform-aws-modules/eks/aws
• Use only fargate_profile, not nodegroups.
• output module.eks.aws_auth_configmap_yaml

Code Snippet to Reproduce

• output value

Changes to Outputs:
  + aws_auth_configmap_yaml = <<-EOT
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: aws-auth
          namespace: kube-system
        data:
          mapRoles: |
            - rolearn: arn:aws:eks:<region>:<AWS account id>:fargateprofile/<cluster name>/<fargate profile name>/xxxxxxxx
              username: system:node:{{SessionName}}
              groups:
                - system:bootstrappers
                - system:nodes
                - system:node-proxier
    EOT

Expected behavior

"data.maproles[].rolearn" should be set to “Pod Execution Role ARN”.

Actual behavior

set to "Fargate Profile ARN"

Additional context

• The output of aws_auth_configmap_yaml does not have a Pod Execution Role ARN
  

  terraform-aws-eks/outputs.tf

  Lines 164 to 172 in be86c0b

  	output "aws_auth_configmap_yaml" {
  	description = "Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles"
  	value = templatefile("${path.module}/templates/aws_auth_cm.tpl",
  	{
  	eks_managed_role_arns = [for group in module.eks_managed_node_group : group.iam_role_arn]
  	self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform != "windows"]
  	win32_self_managed_role_arns = [for group in module.self_managed_node_group : group.iam_role_arn if group.platform == "windows"]
  	fargate_profile_arns = [for group in module.fargate_profile : group.fargate_profile_arn]
  	}

• templates/aws_auth_cm.tpl should also use the "Pod Execution Role ARN", not "Fargate Profile ARN"
  

  terraform-aws-eks/templates/aws_auth_cm.tpl

  Lines 30 to 32 in 16f46db

  	%{ for role in fargate_profile_arns ~}
  	- rolearn: ${role}
  	username: system:node:{{SessionName}}

• The examples are also Fargate Profile ARN
  

  terraform-aws-eks/examples/complete/main.tf

  Lines 299 to 319 in c45adce

  	# we have to combine the configmap created by the eks module with the externally created node group/profile sub-modules
  	aws_auth_configmap_yaml = <<-EOT
  	${chomp(module.eks.aws_auth_configmap_yaml)}
  	- rolearn: ${module.eks_managed_node_group.iam_role_arn}
  	username: system:node:{{EC2PrivateDNSName}}
  	groups:
  	- system:bootstrappers
  	- system:nodes
  	- rolearn: ${module.self_managed_node_group.iam_role_arn}
  	username: system:node:{{EC2PrivateDNSName}}
  	groups:
  	- system:bootstrappers
  	- system:nodes
  	- rolearn: ${module.fargate_profile.fargate_profile_arn}
  	username: system:node:{{SessionName}}
  	groups:
  	- system:bootstrappers
  	- system:nodes
  	- system:node-proxier
  	EOT
  	}

[bryantbiggs]

I remember having this specified as you have in your PR, but I believe with testing, it was determined that the profile ARN is what is necessary in the config-map.

I don't have time at the moment, but one way to know for certain is to deploy the Fargate profile example https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/fargate_profile and verify what IAM resource is added in the config-map. When using EKS managed node groups or Fargate profiles, AWS updates the config-map with the associated roles. The output attribute provided is intended to mimic that functionality. I remember being shocked that the profile ARN was in the config map and not the IAM role - but its been a bit since then and I could have missed something

[Anorlondo448]

thanks @bryantbiggs !

I actually checked by outputting aws_auth_configmap_yaml, but what was set was the Fargate Profile ARN.

Changes to Outputs:
  + aws_auth_configmap_yaml = <<-EOT
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: aws-auth
          namespace: kube-system
        data:
          mapRoles: |
            - rolearn: arn:aws:eks:<region>:<AWS account id>:fargateprofile/<cluster name>/<fargate profile name>/xxxxxxxx
              username: system:node:{{SessionName}}
              groups:
                - system:bootstrappers
                - system:nodes
                - system:node-proxier
    EOT

The ConfigMap should have the ARN of the IAM role, but you will not get the correct IAM policy even if the Fargate Profile ARN is specified.

[Anorlondo448]

I created a PR that sets the Pod Execution Role Arn, not the Fargate Profile ARN.
#1820

[bryantbiggs]

ah yes, just re-ran this morning and you are correct. your PR looks good as well if you can just run the pre-commit hooks on it

[bryantbiggs]

closed in #1820

[Anorlondo448]

@bryantbiggs
thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.