diff --git a/README.md b/README.md
index 80846bc9f0..62ccb3d2a6 100644
--- a/README.md
+++ b/README.md
@@ -855,6 +855,7 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws
 | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled | `bool` | `false` | no |
 | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled | `bool` | `true` | no |
 | [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` |
[| no |
+| [cluster\_iam\_role\_dns\_suffix](#input\_cluster\_iam\_role\_dns\_suffix) | Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China) | `string` | `null` | no |
 | [cluster\_identity\_providers](#input\_cluster\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no |
 | [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created | `string` | `null` | no |
 | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf
index 3ef80700b8..45251fffc8 100644
--- a/examples/eks_managed_node_group/main.tf
+++ b/examples/eks_managed_node_group/main.tf
@@ -89,7 +89,11 @@ module "eks" {
 instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 # We are using the IRSA created below for permissions
- iam_role_attach_cni_policy = false
+ # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster)
+ # and then turn this off after the cluster/node group is created. Without this initial policy,
+ # the VPC CNI fails to assign IPs and nodes cannot join the cluster
+ # See https://github.com/aws/containers-roadmap/issues/1666 for more context
+ iam_role_attach_cni_policy = true
 }
 eks_managed_node_groups = {
diff --git a/main.tf b/main.tf
index 853df4ba1e..918f11f788 100644
--- a/main.tf
+++ b/main.tf
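Review bot: The added comment prescribes a manual two-phase apply (ship with `iam_role_attach_cni_policy = true`, then flip it back) but does not say what the interim state costs, and nothing in the example nudges the reader to actually do the second step. While the flag stays true the CNI managed policy sits on the node group's IAM role (presumably the instance role, given the variable name) in addition to the IRSA role created for the same purpose, so the permissions are no longer scoped to the CNI workload but to anything on the node that can use the instance role credentials. Suggest spelling that out in the comment so the rollback is understood as the least-privilege step rather than housekeeping, e.g. `# NOTE: while this is true the CNI permissions are granted to the whole node via its IAM role, not just to the IRSA-scoped VPC CNI; set it back to false once the node group is up`. The enclosing `module "eks"` block begins and ends outside this hunk.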
@@ -172,6 +172,10 @@ resource "aws_iam_openid_connect_provider" "oidc_provider" {
 locals {
 iam_role_name = coalesce(var.iam_role_name, "${var.cluster_name}-cluster")
 policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+
+ # TODO - hopefully this can be removed once the AWS endpoint is named properly in China
+ # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
+ dns_suffix = coalesce(var.cluster_iam_role_dns_suffix, data.aws_partition.current.dns_suffix)
 }
 data "aws_iam_policy_document" "assume_role_policy" {
@@ -183,7 +187,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 principals {
 type = "Service"
- identifiers = ["eks.${data.aws_partition.current.dns_suffix}"]
+ identifiers = ["eks.${local.dns_suffix}"]
 }
 }
 }
diff --git a/variables.tf b/variables.tf
index 709bc270bd..8c221a3f55 100644
--- a/variables.tf
+++ b/variables.tf
@@ -305,6 +305,14 @@ variable "iam_role_additional_policies" {
 default = []
 }
+# TODO - hopefully this can be removed once the AWS endpoint is named properly in China
+# https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1904
+variable "cluster_iam_role_dns_suffix" {
+ description = "Base DNS domain name for the current partition (e.g., amazonaws.com in AWS Commercial, amazonaws.com.cn in AWS China)"
+ type = string
+ default = null
+}
+
 variable "iam_role_tags" {
 description = "A map of additional tags to add to the IAM role created"
 type = map(string)
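Review bot: The new `dns_suffix` local reads like a general partition suffix, but its only consumer in this diff is the `Service` principal of the cluster role trust policy in the next hunk, and `coalesce()` skips empty strings as well as `null`, so `cluster_iam_role_dns_suffix = ""` silently falls back to the partition value instead of failing. Both facts deserve a line next to the TODO, e.g. `# Only used to build the eks.<suffix> service principal in the cluster role trust policy; coalesce() treats "" like null, so an empty override falls back to the partition dns_suffix`. The `locals` block closes within the hunk; the `aws_iam_policy_document` that follows continues past it.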
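Review bot: `cluster_iam_role_dns_suffix` is a free-form string that ends up inside the cluster role's `Service` trust principal (`eks.${local.dns_suffix}` in main.tf) with no validation, so a stray scheme, path or whitespace yields a malformed principal that IAM rejects only at apply time, or a role the EKS service cannot assume. A `validation` block admitting `null` or a bare DNS suffix catches this at plan time. Separately, the description's China example (`amazonaws.com.cn`) is the value `data.aws_partition.current.dns_suffix` already yields in that partition, so if the override exists because the EKS service principal there does not follow the partition suffix, as the linked issue suggests, the description should say which value to set rather than restate the default.
```hcl
variable "cluster_iam_role_dns_suffix" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.cluster_iam_role_dns_suffix == null || can(regex("^[a-z0-9][a-z0-9.-]*[a-z0-9]$", var.cluster_iam_role_dns_suffix))
    error_message = "The cluster_iam_role_dns_suffix value must be null or a bare DNS suffix such as amazonaws.com or amazonaws.com.cn."
  }
}
```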
"0.0.0.0/0"
]