r/aws_eks_addon: fix pod_identity_association updates

Previously changes to the `pod_identity_association` argument did not properly trigger the update flow, resulting in persistent differences when attempting to add this argument. Additionally, removal of this argument did not send the correct value to the API to trigger deletion of the existing pod identity associations. This changes fixes both scenarios such that additional and removal of this argument should now function as expected. ```console % make testacc PKG=eks TESTS="TestAccEKSAddon_podIdentityAssociation" make: Verifying source code with gofmt... ==> Checking that code complies with gofmt requirements... TF_ACC=1 go1.23.2 test ./internal/service/eks/... -v -count 1 -parallel 20 -run='TestAccEKSAddon_podIdentityAssociation' -timeout 360m 2024/11/19 10:00:07 Initializing Terraform AWS Provider... --- PASS: TestAccEKSAddon_podIdentityAssociation (796.83s) PASS ok github.com/hashicorp/terraform-provider-aws/internal/service/eks 803.299s ```
hashicorp · Nov 19, 2024 · a9939ba · a9939ba
1 parent 83e1bc6
commit a9939ba
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 21 deletions.
diff --git a/.changelog/40168.txt b/.changelog/40168.txt
@@ -1,3 +1,6 @@
 ```release-note:bug
 resource/aws_eks_addon: Fix crash when `pod_identity_association` is modified
 ```
+```release-note:bug
+resource/aws_eks_addon: Fix to prevent persistent differences when `pod_identity_association` is changed
+```
diff --git a/internal/service/eks/addon.go b/internal/service/eks/addon.go
@@ -270,7 +270,7 @@ func resourceAddonUpdate(ctx context.Context, d *schema.ResourceData, meta inter
 		return sdkdiag.AppendFromErr(diags, err)
 	}
 
-	if d.HasChanges("addon_version", "service_account_role_arn", "configuration_values") {
+	if d.HasChanges("addon_version", "service_account_role_arn", "configuration_values", "pod_identity_association") {
 		input := &eks.UpdateAddonInput{
 			AddonName:          aws.String(addonName),
 			ClientRequestToken: aws.String(sdkid.UniqueId()),
@@ -288,6 +288,8 @@ func resourceAddonUpdate(ctx context.Context, d *schema.ResourceData, meta inter
 		if d.HasChange("pod_identity_association") {
 			if v, ok := d.GetOk("pod_identity_association"); ok && v.(*schema.Set).Len() > 0 {
 				input.PodIdentityAssociations = expandAddonPodIdentityAssociations(v.(*schema.Set).List())
+			} else {
+				input.PodIdentityAssociations = []types.AddonPodIdentityAssociations{}
 			}
 		}
 

diff --git a/internal/service/eks/addon_test.go b/internal/service/eks/addon_test.go
@@ -381,6 +381,22 @@ func TestAccEKSAddon_podIdentityAssociation(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccAddonConfig_basic(rName, addonName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAddonExists(ctx, resourceName, &addon),
+					resource.TestCheckResourceAttr(resourceName, "pod_identity_association.#", "0"),
+				),
+			},
+			{
+				Config: testAccAddonConfig_podIdentityAssociation(rName, addonName, serviceAccount),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAddonExists(ctx, resourceName, &addon),
+					resource.TestCheckResourceAttr(resourceName, "pod_identity_association.#", "1"),
+					resource.TestCheckResourceAttrPair(resourceName, "pod_identity_association.0.role_arn", podIdentityRoleResourceName, names.AttrARN),
+					resource.TestCheckResourceAttr(resourceName, "pod_identity_association.0.service_account", serviceAccount),
+				),
+			},
 		},
 	})
 }
@@ -610,32 +626,36 @@ resource "aws_eks_addon" "test" {
 }
 
 func testAccAddonConfig_podIdentityAssociation(rName, addonName, serviceAccount string) string {
-	return acctest.ConfigCompose(testAccAddonConfig_base(rName), fmt.Sprintf(`
-resource "aws_iam_role" "test_pod_identity" {
-  name               = "test-pod-identity"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "sts:AssumeRole",
-        "sts:TagSession"
-	  ],
-      "Principal": {
-        "Service": "pods.eks.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
+	return acctest.ConfigCompose(
+		testAccAddonConfig_base(rName),
+		fmt.Sprintf(`
+data "aws_iam_policy_document" "test_assume_role" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "sts:AssumeRole",
+      "sts:TagSession",
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["pods.eks.amazonaws.com"]
     }
-  ]
+  }
 }
-EOF
 
-  managed_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy"]
+resource "aws_iam_role" "test_pod_identity" {
+  name               = "%1s-pod-identity"
+  assume_role_policy = data.aws_iam_policy_document.test_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "test-AmazonEKS_CNI_Policy" {
+  role       = aws_iam_role.test_pod_identity.name
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
 }
 
 resource "aws_eks_addon" "test" {
+  depends_on = [aws_iam_role_policy_attachment.test-AmazonEKS_CNI_Policy]
+
   cluster_name = aws_eks_cluster.test.name
   addon_name   = %[2]q