
bug: The kubernetes service account is not annotated with the IAM role #36

Open
DimArmen opened this issue Aug 8, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@DimArmen

DimArmen commented Aug 8, 2023

Summary

Using the TF code below, the generated Kubernetes service account for external-dns is not annotated with the IAM role. The same value printed in an output is correct, but the SA is annotated with an empty string instead of the IAM role ARN.

Issue Type

Bug Report

Terraform Version

common git:(SDP-6527f) ✗ terraform version 
Terraform v1.4.6
on darwin_arm64
+ provider registry.terraform.io/cloudposse/utils v1.9.0
+ provider registry.terraform.io/cyrilgdn/postgresql v1.20.0
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/goharbor/harbor v3.9.4
+ provider registry.terraform.io/hashicorp/aws v4.67.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.2
+ provider registry.terraform.io/hashicorp/helm v2.10.1
+ provider registry.terraform.io/hashicorp/http v3.4.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.21.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Steps to Reproduce

module "external_dns_eks" {
  source  = "lablabs/eks-external-dns/aws"
  version = "1.2.0"
  providers = {
    kubernetes = kubernetes.platform
    helm       = helm.platform
  }
  irsa_policy_enabled              = true
  irsa_role_create                 = false
  irsa_assume_role_enabled         = true
  irsa_assume_role_arn             = "arn:aws:iam::${var.allowed_account_ids[0]}:role/AmazonEKSExternalDns-${var.region}"
  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = data.aws_iam_openid_connect_provider.eks_cluster.arn

  # for doc see: https://artifacthub.io/packages/helm/bitnami/external-dns
  values = yamlencode({
    "txtOwnerId" : "${local.eks_cluster_name}"
    "domainFilters" : [
      "${var.platform_domain}"
    ]
    "policy" : "sync"
    "aws.zoneType" : "public"
  })
}

Expected Results

KUBERNETES SA:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: kube-system
  labels:
    app.kubernetes.io/instance: external-dns
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: external-dns
    helm.sh/chart: external-dns-6.5.6
  annotations:
    eks.amazonaws.com/role-arn: 'THE ROLE ARN HERE'
    meta.helm.sh/release-name: external-dns
    meta.helm.sh/release-namespace: kube-system

Actual Results

KUBERNETES SA: 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: kube-system
  labels:
    app.kubernetes.io/instance: external-dns
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: external-dns
    helm.sh/chart: external-dns-6.5.6
  annotations:
    eks.amazonaws.com/role-arn: '' <--------- EMPTY_STRING 
    meta.helm.sh/release-name: external-dns
    meta.helm.sh/release-namespace: kube-system
@DimArmen DimArmen added the bug Something isn't working label Aug 8, 2023
@tomas-balaz
Contributor

hi @DimArmen

you can choose from two options if you want to use your existing role:

  1. you can pass the role ARN to the values directly
     values = yamlencode({
       "serviceAccount" : {
         "create" : true
         "name" : <service_account_name>
         "annotations" : {
           "eks.amazonaws.com/role-arn" : <ROLE-ARN>
         }
       }
     })
   }  # closes the surrounding module "external_dns_eks" block
  2. you can assume your role with the role created by this module (easier way)
     • just change irsa_role_create to true in your snippet and your role will be assumed (this also works cross-account if you need)

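An IRSA binding has two halves: the ServiceAccount annotation that tells the EKS pod identity webhook which role to inject, and the role's trust policy that pins sts:AssumeRoleWithWebIdentity to exactly that service account via the OIDC `sub` claim. An empty annotation, as in the "Actual Results" above, silently leaves the pod on the node's instance-profile credentials, so it is worth checking both halves before relying on the deployment. The checker below is an added example, not code from the lablabs/eks-external-dns module or from either participant; the manifests, the trust policy, the account ID, the OIDC provider ID and the region in it are constructed placeholders modelled on the issue.

```python
"""Verify an EKS IRSA binding from the ServiceAccount and the IAM trust policy.

Added example (not the module's or the issue author's code). All sample input
below is constructed: account 111122223333, the OIDC provider ID and the
eu-west-1 region are placeholders.
"""
import json
import re

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<path+name>
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed placeholders (not real identifiers).
OIDC_HOST = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ROLE_ARN = "arn:aws:iam::111122223333:role/AmazonEKSExternalDns-eu-west-1"


def _sa(annotation_value):
    """Constructed ServiceAccount manifest in `kubectl get sa -o json` shape."""
    return json.dumps({
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": "external-dns", "namespace": "kube-system",
                     "annotations": {IRSA_ANNOTATION: annotation_value}},
    })


ACTUAL_SA = _sa("")          # what the issue reports: empty string
FIXED_SA = _sa(ROLE_ARN)     # what the reporter expected

# Constructed trust policy of the kind IRSA needs on the target role.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_HOST}:aud": "sts.amazonaws.com",
            f"{OIDC_HOST}:sub": "system:serviceaccount:kube-system:external-dns",
        }},
    }],
})


def check_sa_annotation(manifest_json):
    """Return (ok, detail) for a ServiceAccount manifest.

    A missing or empty annotation is reported as a failure: the pod identity
    webhook injects nothing and the pod falls back to the node role."""
    sa = json.loads(manifest_json)
    if sa.get("kind") != "ServiceAccount":
        return False, "not a ServiceAccount manifest"
    annotations = sa.get("metadata", {}).get("annotations") or {}
    arn = annotations.get(IRSA_ANNOTATION)
    if arn is None:
        return False, f"{IRSA_ANNOTATION} annotation missing"
    if arn == "":
        return False, f"{IRSA_ANNOTATION} is an empty string"
    if not ROLE_ARN_RE.match(arn):
        return False, f"{IRSA_ANNOTATION} is not a well-formed IAM role ARN: {arn!r}"
    return True, arn


def check_trust_policy(policy_json, oidc_host, namespace, sa_name):
    """Return (ok, detail): does some Allow statement let this exact service
    account assume the role through the cluster's OIDC provider?"""
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{oidc_host}"):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        sub = cond.get(f"{oidc_host}:sub")
        if sub == expected_sub:
            return True, expected_sub
        return False, f"sub condition is {sub!r}, expected {expected_sub!r}"
    return False, "no statement trusts the cluster OIDC provider for AssumeRoleWithWebIdentity"


if __name__ == "__main__":
    for label, manifest in (("actual", ACTUAL_SA), ("fixed", FIXED_SA)):
        print(label, check_sa_annotation(manifest))
    print("trust", check_trust_policy(TRUST_POLICY, OIDC_HOST, "kube-system", "external-dns"))
    print("wrong ns", check_trust_policy(TRUST_POLICY, OIDC_HOST, "default", "external-dns"))
```

For a live cluster, feed `check_sa_annotation` the output of `kubectl get sa external-dns -n kube-system -o json` and `check_trust_policy` the `Role.AssumeRolePolicyDocument` returned by `aws iam get-role --role-name <name>` (URL-decode it if the CLI returns it encoded). Note that the second option in the reply above (irsa_role_create = true with irsa_assume_role_enabled) changes what to check: the annotation then points at the module-created role, and it is that role's trust policy that must pin the `sub` claim, while your existing role only needs to trust the module-created role for sts:AssumeRole.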