
aws_auth does not seem to work with iam_path thereby marking the managed nodes with health issues #1058

Closed
Puneeth-n opened this issue Oct 20, 2020 · 4 comments

Comments

@Puneeth-n

Configuration:

data "aws_eks_cluster" "cluster" {
  name = module.eks.cluster_id
}

data "aws_eks_cluster_auth" "cluster" {
  name = module.eks.cluster_id
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.cluster.token
  load_config_file       = false
  version                = "~> 1.9"
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "13.0.0"

  cluster_name                                   = local.kubernetes_cluster_name
  cluster_version                                = "1.18"
  cluster_endpoint_private_access                = true
  cluster_create_endpoint_private_access_sg_rule = true
  cluster_endpoint_private_access_cidrs          = ["0.0.0.0/0"]
  cluster_endpoint_public_access                 = false
  cluster_enabled_log_types                      = ["api", "audit", "authenticator", "controllerManager", "scheduler"]


  enable_irsa     = true
  manage_aws_auth = true

  kubeconfig_name = local.kubernetes_cluster_name
  iam_path        = local.iam_path
  map_roles       = var.map_roles


  vpc_id  = module.infra_vpc.vpc_id
  subnets = module.infra_vpc.private_subnets

  node_groups_defaults = {
    ami_type  = "AL2_x86_64"
    disk_size = 200
  }

  node_groups = {
    stateful = {
      name             = "stateful"
      desired_capacity = 1
      max_capacity     = 3
      min_capacity     = 1

      instance_type = "t3a.large"
      k8s_labels = {
        Environment = terraform.workspace
        Name        = "stateful"
        type        = "on-demand"
      }
    }
  }
}


resource "aws_security_group_rule" "workers_vpn_access" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [var.ct_transit_gateway.stateless_cidr]
  security_group_id = module.eks.worker_security_group_id
}

resource "aws_security_group_rule" "master_vpn_access" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [var.ct_transit_gateway.stateless_cidr]
  security_group_id = module.eks.cluster_security_group_id
}

After a successful apply:

Terraform will perform the following actions:

  # module.eks.kubernetes_config_map.aws_auth[0] will be updated in-place
  ~ resource "kubernetes_config_map" "aws_auth" {
        binary_data = {}
      ~ data        = {
            "mapAccounts" = jsonencode([])
          ~ "mapRoles"    = <<~EOT
              - - groups:
              -   - system:bootstrappers
              -   - system:nodes
              -   rolearn: arn:aws:iam::1234567890:role/infra20201020133406634100000009
              -   username: system:node:{{EC2PrivateDNSName}}
              - - groups:
              -   - system:masters
              -   rolearn: arn:aws:iam::1234567890:role/AWSReservedSSO_admin_access_bf617e03c361929e
              -   username: eks-admin
              - - groups:
              -   - system:masters
              -   rolearn: arn:aws:iam::940226765273:role/AWSReservedSSO_admin_access_6b01ad0cb21f3e06
              -   username: eks-admin
              - - groups:
              -   - system:bootstrappers
              -   - system:nodes
              -   rolearn: arn:aws:iam::1234567890:role/infra/infra20201020133406634100000009
              -   username: system:node:{{EC2PrivateDNSName}}
              + - "groups":
              +   - "system:bootstrappers"
              +   - "system:nodes"
              +   "rolearn": "arn:aws:iam::1234567890:role/infra20201020133406634100000009"
              +   "username": "system:node:{{EC2PrivateDNSName}}"
              + - "groups":
              +   - "system:masters"
              +   "rolearn": "arn:aws:iam::1234567890:role/AWSReservedSSO_admin_access_bf617e03c361929e"
              +   "username": "eks-admin"
              + - "groups":
              +   - "system:masters"
              +   "rolearn": "arn:aws:iam::940226765273:role/AWSReservedSSO_admin_access_6b01ad0cb21f3e06"
              +   "username": "eks-admin"
            EOT
            "mapUsers"    = jsonencode([])
        }
        id          = "kube-system/aws-auth"

        metadata {
            annotations      = {}
            generation       = 0
            labels           = {}
            name             = "aws-auth"
            namespace        = "kube-system"
            resource_version = "2304"
            self_link        = "/api/v1/namespaces/kube-system/configmaps/aws-auth"
            uid              = "6b5dcee9-117e-41f5-945f-5553a6306ae5"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
@Puneeth-n Puneeth-n changed the title aws_auth does not seem to work with iam_path aws_auth does not seem to work with iam_path thereby marking the managed nodes with health issues Oct 20, 2020
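The plan above shows the same node role appearing both with its IAM path (`role/infra/infra2020...`) and without it (`role/infra2020...`). The reason the path matters: aws-iam-authenticator identifies a caller by the STS assumed-role ARN for its credentials (`arn:aws:sts::ACCOUNT:assumed-role/ROLENAME/SESSION`) and canonicalises that to `arn:aws:iam::ACCOUNT:role/ROLENAME`, a form that never carries the path, so a mapRoles entry that keeps the path is compared literally and never matches, and the node ends up unauthorised. The following script is an added example, not code from this issue or from the terraform-aws-eks module; it reconstructs that matching logic over a constructed mapRoles list (account id, role name and session name are placeholders) and shows the path-stripping step a defender can apply before writing aws-auth or use to check an existing ConfigMap for this kind of drift.

```python
"""Check whether an EKS worker role will be matched by an aws-auth mapRoles entry.

Models the authenticator's behaviour for assumed-role callers: the STS ARN
carries no IAM path, so only a path-less mapRoles entry can match it.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the plan output in the issue; the account id,
# role name and instance session name are placeholders, not real identifiers.
ACCOUNT = "1234567890"
NODE_ROLE_WITH_PATH = f"arn:aws:iam::{ACCOUNT}:role/infra/infra20201020133406634100000009"
# What STS reports for an instance running with that role (session name constructed).
NODE_CALLER_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/infra20201020133406634100000009/i-0abc123def456"

SAMPLE_MAP_ROLES: List[Dict] = [
    {   # node role written with its path, as the iam_path setting produces it
        "rolearn": NODE_ROLE_WITH_PATH,
        "username": "system:node:{{EC2PrivateDNSName}}",
        "groups": ["system:bootstrappers", "system:nodes"],
    },
    {   # an admin mapping with no path; must pass through unchanged
        "rolearn": f"arn:aws:iam::{ACCOUNT}:role/AWSReservedSSO_admin_access_placeholder",
        "username": "eks-admin",
        "groups": ["system:masters"],
    },
]

_IAM_ROLE = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d*):role/(?P<resource>.+)$")
_STS_ASSUMED = re.compile(r"^arn:(?P<partition>[^:]+):sts::(?P<account>\d*):assumed-role/(?P<resource>.+)$")


def strip_role_path(arn: str) -> str:
    """Rewrite an IAM role ARN to the path-less form aws-auth needs.

    arn:aws:iam::123:role/infra/NAME -> arn:aws:iam::123:role/NAME
    Anything that is not an IAM role ARN (e.g. an IAM user) is returned unchanged.
    """
    m = _IAM_ROLE.match(arn)
    if not m:
        return arn
    name = m.group("resource").rsplit("/", 1)[-1]  # last segment is the role name
    return f"arn:{m.group('partition')}:iam::{m.group('account')}:role/{name}"


def canonical_caller_arn(sts_arn: str) -> str:
    """Map an STS assumed-role ARN to the IAM role ARN the authenticator compares."""
    m = _STS_ASSUMED.match(sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    parts = m.group("resource").split("/")
    if len(parts) < 2:
        raise ValueError(f"assumed-role ARN lacks a session name: {sts_arn}")
    role_name = "/".join(parts[:-1])  # everything before the session name
    return f"arn:{m.group('partition')}:iam::{m.group('account')}:role/{role_name}"


def find_mapping(map_roles: List[Dict], caller_sts_arn: str) -> Optional[Dict]:
    """Return the mapRoles entry whose rolearn equals the caller's canonical ARN, if any."""
    wanted = canonical_caller_arn(caller_sts_arn)
    for entry in map_roles:
        if entry.get("rolearn") == wanted:
            return entry
    return None


def normalize_map_roles(map_roles: List[Dict]) -> List[Dict]:
    """Return a copy of mapRoles with every rolearn reduced to its path-less form."""
    return [dict(entry, rolearn=strip_role_path(entry["rolearn"])) for entry in map_roles]


def drift_report(map_roles: List[Dict], caller_sts_arn: str) -> str:
    """One-line verdict for a caller, usable over a dumped aws-auth ConfigMap."""
    hit = find_mapping(map_roles, caller_sts_arn)
    if hit is None:
        return f"NO MATCH for {canonical_caller_arn(caller_sts_arn)}: node will be unauthorised"
    return f"match -> username={hit['username']} groups={hit['groups']}"


if __name__ == "__main__":
    print("as written:", drift_report(SAMPLE_MAP_ROLES, NODE_CALLER_ARN))
    print("path-less: ", drift_report(normalize_map_roles(SAMPLE_MAP_ROLES), NODE_CALLER_ARN))
```

Run it directly to see the node role fail to match while the path is kept and succeed once `normalize_map_roles` has stripped it; to audit a live cluster, replace `SAMPLE_MAP_ROLES` with the parsed `mapRoles` value from `kubectl -n kube-system get configmap aws-auth` and the caller ARN with the node's `aws sts get-caller-identity` output.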
@barryib
Member

barryib commented Oct 25, 2020

This is related to #894.

See also for more context aws/containers-roadmap#926

@stale

stale bot commented Feb 12, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 12, 2021
@stale

stale bot commented Mar 15, 2021

This issue has been automatically closed because it has not had recent activity since being marked as stale.

@stale stale bot closed this as completed Mar 15, 2021
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 22, 2022