[Bug]: Resource aws_eks_access_entry only updates group OR username

[calvin-barelds]

Terraform Core Version

1.7.5

AWS Provider Version

5.41.0

Affected Resource(s)

resource aws_eks_access_entry

Expected Behavior

I have defined an aws_eks_access_entry with the following configuration:

resource "aws_eks_access_entry" "example" {
  cluster_name      = "eks-cluster"
  principal_arn     = "arn:aws:iam::xxxxxxxx:role/eks-user"
  type              = "STANDARD"
  user_name         = "eks-user:{{SessionName}}"
  kubernetes_groups = ["ae-test"]
}

I would like to be able to make independent changes to either the user_name attribute or the kubernetes_groups attribute. If one of those values is altered, that's the only change I would like to see in the AWS console.

Actual Behavior

When changing either the user_name or kubernetes_groups attribute values, this value gets updated while the value for the other attribute gets reverted to default. For example:

When changing the kubernetes_groups in the following resource:

resource "aws_eks_access_entry" "example" {
  cluster_name      = "eks-cluster"
  principal_arn     = "arn:aws:iam::xxxxxxxx:role/eks-user"
  type              = "STANDARD"
  user_name         = "eks-user:{{SessionName}}"
  kubernetes_groups = ["ae-test"]
}

to:

resource "aws_eks_access_entry" "example" {
  cluster_name      = "eks-cluster"
  principal_arn     = "arn:aws:iam::xxxxxxxx:role/eks-user"
  type              = "STANDARD"
  user_name         = "eks-user:{{SessionName}}"
  kubernetes_groups = ["ae-user"]
}

And applying this change, the user_name gets reverted back to the default rather than maintaining what is configured in the resource. The same happens when having an existing kubernetes_groups list defined and altering the user_name attribute. This would only update the user_name and remove any group mappins.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_eks_access_entry" "example" {
  cluster_name      = "eks-cluster"
  principal_arn     = "arn:aws:iam::xxxxxxxx:role/eks-user"
  type              = "STANDARD"
  user_name         = "eks-user:{{SessionName}}"
  kubernetes_groups = ["ae-test"]
}

Steps to Reproduce

1. Create the resource aws_eks_access_entry with the attributes as provided above, please do update the cluster_name to match an existing cluster and the principal_arn to an existing IAM role principal.
2. Apply the resource
3. Check the created resources in the console, specifically look at the values for "groups" and "username". This should match the terraform configuration.
4. Update ONLY the groups list (by either changing the existing group name or add a new element to the list) or the user_name value.
5. Apply the resource
6. Now check the AWS console again, depending on what you altered, that value is updated while reverting the other to the default.

Debug Output

Initial create:

2024-03-20T15:40:15.883+0100 [DEBUG] provider.terraform-provider-aws_v5.41.0_x5: HTTP Response Received: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.49/logging/tf_logger.go:45 aws.region=eu-west-1 http.duration=383 rpc.service=EKS tf_provider_addr=registry.terraform.io/hashicorp/aws http.response.body="{
  "accessEntry" : {
    "clusterName" : "eks-cluster",
    "principalArn" : "arn:aws:iam::XXXXXXXXXX:role/eks-user",
    "kubernetesGroups" : [ "ae-test" ],
    "accessEntryArn" : "arn:aws:eks:eu-west-1:XXXXXXXXXX:access-entry/eks-cluster/role/eks-user/XXXXXXXXXXXXXX",
    "createdAt" : 1.710945615219E9,
    "modifiedAt" : 1.710945615219E9,
    "tags" : { },
    "username" : "eks-user:{{SessionName}}",
    "type" : "STANDARD"
  }
}

Then after updating the groups attribute only:

2024-03-20T15:42:17.051+0100 [DEBUG] provider.terraform-provider-aws_v5.41.0_x5: HTTP Response Received: http.response.header.content_type=application/json http.response.header.x_amzn_trace_id=Root=1-65faf5c8-41affe5627da6dd26ffded2a http.response.header.access_control_allow_origin=* http.response.body="{
  "accessEntry" : {
    "clusterName" : "eks-cluster",
    "principalArn" : "arn:aws:iam::XXXXXXXXXX:role/eks-user",
    "kubernetesGroups" : [ "ae-test2" ],
    "accessEntryArn" : "arn:aws:eks:eu-west-1:XXXXXXXXXX:access-entry/eks-cluster/role/eks-user/XXXXXXXXXXXXXX",
    "createdAt" : 1.710945615219E9,
    "modifiedAt" : 1.710945736019E9,
    "tags" : { },
    "username" : "arn:aws:sts::XXXXXXXXXX:assumed-role/eks-user/{{SessionName}}",
    "type" : "STANDARD"
  }
}

Panic Output

No response

Important Factoids

No response

References

When testing with aws-cli we see a similair behaviour, when running the following:

$ aws eks update-access-entry --cluster-name eks-cluster --principal-arn "arn:aws:iam::XXXXXXXXX:role/eks-user" --kubernetes-groups test
{
    "accessEntry": {
        "clusterName": "eks-cluster",
        "principalArn": "arn:aws:iam::XXXXXXXXX:role/eks-user",
        "kubernetesGroups": [
            "test"
        ],
        "accessEntryArn": "arn:aws:eks:eu-west-1:XXXXXXXXXX:access-entry/eks-cluster/role/XXXXXXXXXX/eks-user",
        "createdAt": "2024-03-20T15:04:47.111000+01:00",
        "modifiedAt": "2024-03-20T15:15:50.947000+01:00",
        "tags": {},
        "username": "arn:aws:sts::XXXXXXXXXX:assumed-role/eks-user/{{SessionName}}",
        "type": "STANDARD"
    }
}

Then when changing the username:

$ aws eks update-access-entry --cluster-name eks-cluster --principal-arn "arn:aws:iam::XXXXXXXXX:role/eks-user" --username test
{
    "accessEntry": {
        "clusterName": "eks-cluster",
        "principalArn": "arn:aws:iam::XXXXXXXXX:role/eks-user",
        "kubernetesGroups": [],
        "accessEntryArn": "arn:aws:eks:eu-west-1:XXXXXXXXXX:access-entry/eks-cluster/role/XXXXXXXXXX/eks-user",
        "createdAt": "2024-03-20T15:04:47.111000+01:00",
        "modifiedAt": "2024-03-20T15:16:04.220000+01:00",
        "tags": {},
        "username": "test",
        "type": "STANDARD"
    }
}

We can see the group is wiped. This makes me believe that if both arguments are defined in TF, they should both be passed al the time. When checking the code of the TF provider however, we can see it appears to be only passed if it contains a change:

https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/eks/access_entry.go#L186
https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/eks/access_entry.go#L190

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[LukasdeBoer]

I'm happy to try to fix this.

[github-actions]

This functionality has been released in v5.42.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.