OIDC provider URL not resolving in 0.16.3

I’m upgrading from cdktf 0.12.3 to 0.16.3 and I’m having issues with AWS OIDC URLs. Here’s the code:

    // `url` (the cluster's OIDC issuer, "https://oidc.eks.<region>.amazonaws.com/id/<id>"),
    // `dataTlsCertificateCertificate` and `dataCallerIdentity` are defined earlier in the stack.
    const oidcProvider = new aws.iam.IamOpenidConnectProvider(
      this,
      "oidc_provider",
      {
        clientIdList: ["sts.amazonaws.com"],
        thumbprintList: [
          dataTlsCertificateCertificate.certificates.get(0).sha1Fingerprint,
        ],
        url,
        dependsOn: [dataTlsCertificateCertificate],
      }
    );

    // Trust policy for the load balancer controller role. The escaped `\${replace(...)}`
    // is meant to emit a Terraform replace() call that strips "https://" from the
    // provider URL token at plan time, as it did on 0.12.3.
    const dataAwsIamPolicyDocumentElbAssumeRolePolicy =
      new aws.iam.DataAwsIamPolicyDocument(this, "elb_assume_role_policy", {
        statement: [
          {
            actions: ["sts:AssumeRoleWithWebIdentity"],
            condition: [
              {
                test: "StringEquals",
                values: [
                  "system:serviceaccount:kube-system:aws-load-balancer-controller",
                ],
                // Condition key must be "<issuer host>/id/<id>:sub" without the scheme.
                variable: `\${replace("${oidcProvider.url}", "https://", "")}:sub`,
              },
            ],
            effect: "Allow",
            principals: [
              {
                identifiers: [
                  // Provider ARN is "arn:aws:iam::<account>:oidc-provider/<issuer host>/id/<id>".
                  `arn:aws:iam::${dataCallerIdentity.id}:oidc-provider/\${replace("${oidcProvider.url}", "https://", "")}`,
                ],
                type: "Federated",
              },
            ],
          },
        ],
        dependsOn: [dataCallerIdentity],
      });

Note that I try to replace the `https://` OIDC URL prefix with an empty string using `replace`. This worked well with 0.12.3. When I run a diff using 0.16.3 I see the following output:

    goldsky-infra-prod    # aws_iam_role.eks_lb_controller (eks_lb_controller) will be updated in-place
                          ~ resource "aws_iam_role" "eks_lb_controller" {
                              ~ assume_role_policy    = jsonencode(
                                  ~ {
                                      ~ Statement = [
                                          ~ {
                                              ~ Condition = {
                                                  ~ StringEquals = {
                                                      + "aws_iam_openid_connect_provider.oidc_provider (oidc_provider).url:sub"                    = "system:serviceaccount:kube-system:aws-load-balancer-controller"
                                                      - "oidc.eks.us-west-2.amazonaws.com/id/78FBBFA50C5182DF54CBF222699F1025:sub" = "system:serviceaccount:kube-system:aws-load-balancer-controller" -> null
                                                    }
                                                }
                                              ~ Principal = {
                                                  ~ Federated = "arn:aws:iam::301417190815:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/78FBBFA50C5182DF54CBF222699F1025" -> "arn:aws:iam::301417190815:oidc-provider/aws_iam_openid_connect_provider.oidc_provider (oidc_provider).url"
                                                }
                                                # (3 unchanged elements hidden)
                                            },
                                        ]
                                        # (1 unchanged element hidden)
                                    }
                                )
                                id                    = "AmazonEKSLoadBalancerControllerRole"
                                name                  = "AmazonEKSLoadBalancerControllerRole"
                                tags                  = {}
                                # (9 unchanged attributes hidden)

It seems the URL is no longer being used when generating the IAM policy.

Why is this happening and how can I fix it? I tried adding .toString() on the url but that doesn’t seem to help at all.

As usual, found the answer as soon as I posted. Using oidcProvider.url.replace("https://", "") instead of the previous terraform replace function works.

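The plan above shows the failure mode to guard against: a trust policy that was applied with an unresolved provider token (or a URL that still carries its scheme) in the Federated principal and the `:sub` condition key, which silently breaks role assumption for the controller. The following is an added example, not code from the original post or from cdktf, of a post-synthesis check that can be run against the rendered `assume_role_policy` JSON; the account id and issuer id in the sample documents are constructed placeholders.

```typescript
// Added example, not code from the original post: a post-synthesis check that
// the rendered IAM trust policy names a real OIDC issuer host rather than an
// unresolved CDKTF token or a URL still carrying its "https://" prefix.
// All sample values below are constructed placeholders, not real identifiers.

interface TrustStatement {
  Effect: string;
  Action?: string | string[];
  Principal?: { Federated?: string };
  Condition?: Record<string, Record<string, string>>;
}

// Returns a list of problems; an empty list means the statement looks well-formed.
function checkOidcTrustPolicy(policyJson: string, issuerHost: string): string[] {
  const problems: string[] = [];
  const doc = JSON.parse(policyJson) as { Statement: TrustStatement[] };
  const arnSuffix = `:oidc-provider/${issuerHost}`;
  for (const st of doc.Statement) {
    const fed = st.Principal?.Federated;
    if (fed === undefined) continue; // not a web-identity statement
    if (!fed.endsWith(arnSuffix)) {
      problems.push(`Federated principal does not end with ${arnSuffix}: ${fed}`);
    }
    const cond = st.Condition?.StringEquals ?? {};
    if (!(`${issuerHost}:sub` in cond)) {
      problems.push(`missing StringEquals condition on ${issuerHost}:sub`);
    }
    for (const key of Object.keys(cond)) {
      // An unresolved token renders as a resource path containing a space,
      // e.g. "aws_iam_openid_connect_provider.oidc_provider (oidc_provider).url"
      if (key.includes(" ") || key.includes("${") || key.startsWith("https://")) {
        problems.push(`condition key is not a bare issuer host: ${key}`);
      }
    }
  }
  return problems;
}

// Constructed samples: the shape of the policy the plan above would have applied
// (token left unresolved) and the shape produced once the URL is rendered.
const ISSUER = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLEISSUERID";
const ACCOUNT = "123456789012";
const trustPolicy = (hostRef: string) => JSON.stringify({
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: "sts:AssumeRoleWithWebIdentity",
    Principal: { Federated: `arn:aws:iam::${ACCOUNT}:oidc-provider/${hostRef}` },
    Condition: { StringEquals: { [`${hostRef}:sub`]:
      "system:serviceaccount:kube-system:aws-load-balancer-controller" } },
  }],
});
const BROKEN_POLICY = trustPolicy("aws_iam_openid_connect_provider.oidc_provider (oidc_provider).url");
const FIXED_POLICY = trustPolicy(ISSUER);
```

Running `checkOidcTrustPolicy` over the synthesized `cdk.tf.json` in CI before `terraform apply` turns this kind of token regression into a failed build instead of a broken role.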