aws_eks_addon updates version and reverts service role arn #19402

Closed
kreativka opened this issue May 17, 2021 · 2 comments · Fixed by #19454

kreativka commented May 17, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.7

Affected Resource(s)

  • aws_eks_addon

Terraform Configuration Files

This is just a snippet.
var.vpc_cni_addon_role_arn is the arn of a custom role with CNI policy attached to it.

Before:

    resource "aws_eks_addon" "eks_vpc_cni_addon" {
      cluster_name             = "clusterName"
      addon_name               = "vpc-cni"
      service_account_role_arn = var.vpc_cni_addon_role_arn
      addon_version            = "v1.7.5-eksbuild.2"
    }

After:

    resource "aws_eks_addon" "eks_vpc_cni_addon" {
      cluster_name             = "clusterName"
      addon_name               = "vpc-cni-addon-name"
      service_account_role_arn = var.vpc_cni_addon_role_arn
      addon_version            = "v1.7.10-eksbuild.1"
    }

Expected Behavior

Terraform should update the addon version and keep the already provided service role arn.

Actual Behavior

Terraform updates the addon version and reverts to the default role for AWS Node.
eks UpdateAddonInfo's comment:

    // The Amazon Resource Name (ARN) of an existing IAM role to bind to the add-on's
    // service account. The role must be assigned the IAM permissions required by
    // the add-on. If you don't specify an existing IAM role, then the add-on uses
    // the permissions assigned to the node IAM role. For more information, see
    // Amazon EKS node IAM role (https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html)
    // in the Amazon EKS User Guide.

Steps to Reproduce

  1. Create the VPC CNI addon with the 1.7.5 version and specify a service account role ARN with the correct AWS_CNI policy attached to it. Then drop the CNI policy from the node IAM role.
  2. Update the addon version and run terraform apply; the cluster is broken, as the add-on will not work. Terraform wants to use the add-on with the node IAM role without the CNI policy, instead of the already provided IAM role for the service account.
@ghost ghost added the service/eks Issues and PRs that pertain to the eks service. label May 17, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 17, 2021
@YakDriver YakDriver removed the needs-triage Waiting for first response or review from a maintainer. label May 19, 2021
@YakDriver YakDriver self-assigned this May 19, 2021
@github-actions github-actions bot added this to the v3.43.0 milestone May 20, 2021
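
A post-apply check for the drift reported above, as an added example that is not part of the original issue or the provider's code: it compares the `serviceAccountRoleArn` field of `aws eks describe-addon` output with the ARN Terraform was given. The sample responses are constructed, and the account ID and role name are placeholders.

```python
import json

# Constructed sample: two `aws eks describe-addon` responses, trimmed to the
# fields used here. The account ID and role name are placeholders.
SAMPLE_BEFORE = json.loads("""
{"addon": {"addonName": "vpc-cni", "clusterName": "clusterName",
           "addonVersion": "v1.7.5-eksbuild.2", "status": "ACTIVE",
           "serviceAccountRoleArn": "arn:aws:iam::111122223333:role/example-vpc-cni"}}
""")
# After the version update the field is absent: the add-on now runs with the
# node IAM role's permissions.
SAMPLE_AFTER = json.loads("""
{"addon": {"addonName": "vpc-cni", "clusterName": "clusterName",
           "addonVersion": "v1.7.10-eksbuild.1", "status": "ACTIVE"}}
""")

def check_addon_role(response, expected_role_arn):
    """Return (ok, finding) for one describe-addon response.

    expected_role_arn is the value Terraform was given for
    service_account_role_arn; None means the node role is intended.
    """
    addon = response["addon"]
    actual = addon.get("serviceAccountRoleArn")  # absent when no role is bound
    label = f'{addon["clusterName"]}/{addon["addonName"]} {addon["addonVersion"]}'
    if actual == expected_role_arn:
        return True, f"{label}: role binding matches"
    if actual is None:
        return False, f"{label}: no service account role bound, using node IAM role"
    if expected_role_arn is None:
        return False, f"{label}: unexpected role {actual}"
    return False, f"{label}: bound to {actual}, expected {expected_role_arn}"

def audit(responses, expected_by_addon):
    """Check many responses; expected_by_addon maps addonName -> expected ARN."""
    findings = []
    for response in responses:
        name = response["addon"]["addonName"]
        ok, finding = check_addon_role(response, expected_by_addon.get(name))
        if not ok:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    expected = {"vpc-cni": "arn:aws:iam::111122223333:role/example-vpc-cni"}
    for finding in audit([SAMPLE_BEFORE, SAMPLE_AFTER], expected):
        print("DRIFT:", finding)
```

Running this after every apply that touches an add-on catches the silent fallback to the node IAM role before the CNI policy is removed from that role.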

ghost commented Jun 1, 2021

This has been released in version 3.43.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!


github-actions bot commented Jul 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 2, 2021