From 7ffe5fa88f154ed60b80445365b657c0a01f4a3d Mon Sep 17 00:00:00 2001
From: Brandon McNama
Date: Sat, 30 May 2020 16:25:50 -0400
Subject: [PATCH] fix: Work around path bug in aws-iam-authenticator (#894)

* fix: Work around path bug in aws-iam-authenticator
`aws-iam-authenticator` has an open issue where it will not recognize IAM roles that include paths. This change causes the path supplied to `var.iam_path` to be stripped when generating the `aws-auth` ConfigMap in order to work around this.
https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153
https://github.com/aws/containers-roadmap/issues/926
---
 aws_auth.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/aws_auth.tf b/aws_auth.tf
index db6dea4708..b583c069a9 100644
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -46,7 +46,9 @@ locals {
 module.node_groups.aws_auth_roles,
 ) :
 {
- rolearn = role["worker_role_arn"]
+ # Work around https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153
+ # Strip the leading slash off so that Terraform doesn't think it's a regex
+ rolearn = replace(role["worker_role_arn"], replace(var.iam_path, "/^//", ""), "")
 username = "system:node:{{EC2PrivateDNSName}}"
 groups = tolist(concat(
 [
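Review bot: The outer `replace` on the new `rolearn` line matches the stripped path as a plain substring anywhere in the ARN, not only in the path segment. A path whose text also occurs elsewhere in the ARN (a constructed example is `/role/`) would therefore lose more than the path and leave a malformed ARN in the `aws-auth` ConfigMap, which is the mapping that puts nodes into their cluster groups. Anchoring on the resource prefix keeps the match literal and makes the inner `replace` unnecessary: `rolearn = replace(role["worker_role_arn"], ":role${var.iam_path}", ":role/")`. The expression also strips only `var.iam_path`, so a worker role supplied from outside the module under a different path would presumably still be written with its path; a comment stating that limit would help. The `locals` block begins and ends outside the hunk.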