I’m upgrading from cdktf 0.12.3 to 0.16.3 and I’m having issues with AWS OIDC URLs. Here’s the code:
// OIDC identity provider for the cluster issuer. The trust anchor is the SHA-1
// fingerprint of entry 0 of the certificate chain returned by the
// tls_certificate data source, so that lookup must complete first.
const issuerThumbprint =
  dataTlsCertificateCertificate.certificates.get(0).sha1Fingerprint;

const oidcProvider = new aws.iam.IamOpenidConnectProvider(this, "oidc_provider", {
  // Only STS is an accepted audience for tokens presented to this provider.
  clientIdList: ["sts.amazonaws.com"],
  thumbprintList: [issuerThumbprint],
  url,
  // Explicit ordering: the certificate data source is read before the provider is created.
  dependsOn: [dataTlsCertificateCertificate],
});
// Terraform-side expression that strips the scheme from the provider URL.
// The leading `\$` escapes the `${` so Terraform, not JS, evaluates replace().
// NOTE(review): the plan output on this page shows the url token rendered as the
// literal "aws_iam_openid_connect_provider.oidc_provider (oidc_provider).url"
// rather than the issuer host, so this interpolation does not appear to resolve
// on 0.16.3; the usual way to express this is cdktf's
// `Fn.replace(oidcProvider.url, "https://", "")` — confirm `Fn` is imported
// from "cdktf" before switching to it. Until it resolves, the condition key and
// Federated ARN contain a placeholder, so the trust policy cannot match the
// intended issuer.
const oidcIssuerRef = `\${replace("${oidcProvider.url}", "https://", "")}`;

// Subject the role is bound to: one Kubernetes service account.
const trustedSubject =
  "system:serviceaccount:kube-system:aws-load-balancer-controller";

// Trust policy for the load-balancer controller role: the cluster's OIDC
// provider may assume the role, but only for `trustedSubject`.
const dataAwsIamPolicyDocumentElbAssumeRolePolicy =
  new aws.iam.DataAwsIamPolicyDocument(this, "elb_assume_role_policy", {
    statement: [
      {
        actions: ["sts:AssumeRoleWithWebIdentity"],
        condition: [
          {
            // NOTE(review): only `:sub` is constrained here; an `:aud` condition
            // matching the provider's clientIdList ("sts.amazonaws.com") is
            // commonly added alongside it.
            test: "StringEquals",
            values: [trustedSubject],
            variable: `${oidcIssuerRef}:sub`,
          },
        ],
        effect: "Allow",
        principals: [
          {
            // Provider ARN in the account that owns this role.
            identifiers: [
              `arn:aws:iam::${dataCallerIdentity.id}:oidc-provider/${oidcIssuerRef}`,
            ],
            type: "Federated",
          },
        ],
      },
    ],
    dependsOn: [dataCallerIdentity],
  });
Note that I try to replace the `https://` OIDC URL prefix with an empty string using `replace`. This worked well with 0.12.3. When I run a diff using 0.16.3 I see the following output:
goldsky-infra-prod # aws_iam_role.eks_lb_controller (eks_lb_controller) will be updated in-place
~ resource "aws_iam_role" "eks_lb_controller" {
~ assume_role_policy = jsonencode(
~ {
~ Statement = [
~ {
~ Condition = {
~ StringEquals = {
+ "aws_iam_openid_connect_provider.oidc_provider (oidc_provider).url:sub" = "system:serviceaccount:kube-system:aws-load-balancer-controller"
- "oidc.eks.us-west-2.amazonaws.com/id/78FBBFA50C5182DF54CBF222699F1025:sub" = "system:serviceaccount:kube-system:aws-load-balancer-controller" -> null
}
}
~ Principal = {
~ Federated = "arn:aws:iam::301417190815:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/78FBBFA50C5182DF54CBF222699F1025" -> "arn:aws:iam::301417190815:oidc-provider/aws_iam_openid_connect_provider.oidc_provider (oidc_provider).url"
}
# (3 unchanged elements hidden)
},
]
# (1 unchanged element hidden)
}
)
id = "AmazonEKSLoadBalancerControllerRole"
name = "AmazonEKSLoadBalancerControllerRole"
tags = {}
# (9 unchanged attributes hidden)
It seems the URL is no longer being used when generating the IAM policy. Why is this happening and how can I fix it? I tried adding `.toString()` on the `url`, but that doesn’t seem to help at all.