When adding new roles to aws-auth, rolearn should be used instead of userarn

[Markonick]

Describe the bug Adding a role in map_roles inside stacks/service/kubernetes/terragrunt.hcl results in the following error:

│ Error: Invalid value for input variable
│ 
│   on variables.tf line 98:
│   98: variable "map_roles" {
│ 
│ Unsuitable value for var.map_roles set using the TF_VAR_map_roles
│ environment variable: element 0: attribute "userarn" is required.

Workflow To recreate this bug, let me give some context:

I needed to add a CI role (not user) for GitHub actions to be able to talk to the EKS cluster. My role looks like this:

map_roles = [
    {
      rolearn  = "arn:aws:iam::${local.account_id}:role/GitHubAction-AssumeRoleWithAction"
      username = "AWSSession_GitHub"
      groups   = ["system:masters"]
    },
  ]

When I tried applying my change following the build sequence:

cd …/openedx_devops/terraform/stacks/service
terragrunt run-all init

cd kubernetes
terragrunt apply -target module.cookiecutter_meta
terragrunt apply

the error described above occurs.

Expected behavior The error above should not occur.

Additional context According to https://registry.terraform.io/modules/aidanmelen/eks-auth/aws/1.0.0#:~:text=no-,map_roles,-Additional%20IAM%20roles, rolearn should be used instead.

[lpm0073]

Thanks for reporting this @Markonick . You might consider creating a PR for this, noting the following:

• there's hook for map_roles[] located here which i've yet to code simply for lack of a need on any my projects so far.
• you can refer to the code pattern for map_user[], which ends here
• map_roles[] is already declared in variable.tf

As an interim workaround you might consider editing kube-system/aws-auth:configMap directly, which looks approximately like the following:

[Markonick]

Sorry about this, my first time actually trying to contribute in an open-source project. I already opened a pull-request but must have done something wrong: https://github.com/cookiecutter-openedx/cookiecutter-openedx-devops/pull/61 (couldn't find how to assign a reviewer).

As for your solution, yep, I edited it in aws-authon Lens so this doesn't block me.

[lpm0073]

Closing this via PR #61