Description
When running Terraform on a network with an EKS VPC endpoint, the run fails while fetching data for the tls_certificate data source.
The error occurs because the domain oidc.eks.us-east-1.amazonaws.com can no longer be resolved from inside the VPC once the EKS VPC endpoint is created. This behavior is documented by AWS:
If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn’t be accessed from inside that VPC. Consequently, operations such as creating an OIDC provider with eksctl within the VPC will not work.
- https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
Suggestion:
Use the dualstack_oidc_issuer_url to fetch the tls_certificate data; the dualstack URL uses a different domain and is not overridden by the VPC endpoint's private DNS.
Place to fix the code:
Line 415 in a713f6f
Suggested code to be used:
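The following is an added illustration of the suggestion above, not code from the issue author or from the terraform-aws-eks module. It assumes an existing aws_eks_cluster resource named "this" and assumes the dual-stack issuer host follows the AWS dual-stack naming oidc-eks.<region>.api.aws (the canonical issuer, from the terminal output, is oidc.eks.<region>.amazonaws.com). Only the certificate fetch moves to the dual-stack host; the IAM OIDC provider keeps the canonical issuer URL because that is the iss claim carried by the service account tokens and must match exactly.

```terraform
# Added example, not the module's own code.
# Assumes: resource "aws_eks_cluster" "this" exists, and the dual-stack OIDC
# issuer host is oidc-eks.<region>.api.aws (AWS dual-stack naming; assumption).

locals {
  # Canonical issuer, e.g. https://oidc.eks.us-east-1.amazonaws.com/id/<ID>
  oidc_issuer_url = aws_eks_cluster.this.identity[0].oidc[0].issuer

  # Rewrite to the dual-stack host, e.g. https://oidc-eks.us-east-1.api.aws/id/<ID>.
  # Inside a VPC with an EKS interface endpoint (private DNS enabled) the
  # *.eks.<region>.amazonaws.com names are shadowed, so the canonical host
  # does not resolve; the .api.aws host is not affected by that override.
  dualstack_oidc_issuer_url = replace(
    replace(local.oidc_issuer_url, "https://oidc.eks.", "https://oidc-eks."),
    ".amazonaws.com/id/",
    ".api.aws/id/"
  )
}

# Fetch the certificate chain from the dual-stack host. The tls provider
# returns the chain with the root first, so certificates[0] is the root CA,
# which is what IAM pins as the thumbprint.
data "tls_certificate" "oidc" {
  url = local.dualstack_oidc_issuer_url
}

# The provider URL stays on the canonical issuer: it must equal the iss claim
# in the projected service account tokens, or IRSA assume-role calls fail.
resource "aws_iam_openid_connect_provider" "oidc" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
  url             = local.oidc_issuer_url
}

# Surface both URLs so a plan shows exactly which host the fetch will use.
output "oidc_issuer_urls" {
  value = {
    canonical = local.oidc_issuer_url
    dualstack = local.dualstack_oidc_issuer_url
  }
}
```

Before relying on this, confirm from a host inside the affected VPC that the dual-stack name resolves and that the root certificate it serves matches the thumbprint IAM already has for the cluster's provider; if the thumbprints differ, the assumption about the host format or its certificate chain does not hold in that region.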
Versions
- Module version [Required]: v20.31.6
- Terraform version: 1.9.8
- Provider version(s):
  - provider registry.terraform.io/hashicorp/aws v5.72.1
  - provider registry.terraform.io/hashicorp/cloudinit v2.3.5
  - provider registry.terraform.io/hashicorp/helm v2.16.1
  - provider registry.terraform.io/hashicorp/kubernetes v2.33.0
  - provider registry.terraform.io/hashicorp/null v3.2.3
  - provider registry.terraform.io/hashicorp/time v0.12.1
  - provider registry.terraform.io/hashicorp/tls v4.0.6
Reproduction Code [Required]
Plain tf code.
Steps to reproduce the behavior:
- In an AWS VPC that has an EKS VPC endpoint, run terraform plan.
Expected behavior
- terraform plan succeeds
Actual behavior
- terraform plan fails
Terminal Output
│ with module.eks.module.eks.data.tls_certificate.this[0],
│ on .terraform/modules/eks.eks/main.tf line 344, in data "tls_certificate" "this":
│ 344: data "tls_certificate" "this" {
│
│ failed to fetch certificates from URL 'https': Get "https://oidc.eks.us-east-1.amazonaws.com:443/id/???????": dial tcp: lookup
│ oidc.eks.us-east-1.amazonaws.com on 10.1.1.2:53: no such host