hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_eks_identity_provider_config - all oidc parameters are passed with additional quotes causing API server failure #35942

Closed gerty3000 closed 8 months ago

gerty3000 commented 8 months ago

Terraform Core Version

1.7.3

AWS Provider Version

5.37.0

Affected Resource(s)

aws_eks_identity_provider_config

Expected Behavior

Parameters (identity_provider_config_name, client_id, groups_claim, issuer_url, username_claim) passed to the control plane do not contain additional quotes.

Actual Behavior

Parameters (identity_provider_config_name, client_id, groups_claim, issuer_url, username_claim) passed to the control plane do contain additional quotes. Below is part of the API server logs:

| timestamp | message |
|---|---|
| 1708625358000 | I0222 18:09:18.551116      11 flags.go:64] FLAG: --oidc-client-id="\"***-***-***-***-***\"" |
| 1708625358000 | I0222 18:09:18.551119      11 flags.go:64] FLAG: --oidc-groups-claim="\"groups\"" |
| 1708625358000 | I0222 18:09:18.551121      11 flags.go:64] FLAG: --oidc-groups-prefix="" |
| 1708625358000 | I0222 18:09:18.551124      11 flags.go:64] FLAG: --oidc-issuer-url="\"https://sts.windows.net/***-***-***-***-***/\"" |
| 1708625358000 | I0222 18:09:18.551127      11 flags.go:64] FLAG: --oidc-required-claim="" |
| 1708625358000 | I0222 18:09:18.551135      11 flags.go:64] FLAG: --oidc-username-claim="\"upn\"" |
| 1708625358000 | I0222 18:09:18.552095      11 server.go:148] Version: v1.29.1-eks-508b6b3 |
| 1708625358000 | I0222 18:09:18.552110      11 server.go:150] "Golang settings" GOGC="" GOMAXPROCS="" GOTRACEBACK="" |
| 1708625358000 | I0222 18:09:18.552709      11 dynamic_serving_content.go:113] "Loaded a new cert/key pair" name="serving-cert::/etc/kubernetes/pki/apiserver.crt::/etc/kubernetes/pki/apiserver.key" |
| 1708625359000 | I0222 18:09:19.080886      11 apf_controller.go:292] NewTestableController "Controller" with serverConcurrencyLimit=600, name=Controller, asFieldManager="api-priority-and-fairness-config-consumer-v1" |
| 1708625359000 | I0222 18:09:19.080985      11 apf_controller.go:861] Introducing queues for priority level "exempt": config={"type":"Exempt","exempt":{"nominalConcurrencyShares":0,"lendablePercent":0}}, nominalCL=0, lendableCL=0, borrowingCL=600, currentCL=0, quiescing=false (shares=0xc000029c60, shareSum=5) |
| 1708625359000 | I0222 18:09:19.081083      11 apf_controller.go:861] Introducing queues for priority level "catch-all": config={"type":"Limited","limited":{"nominalConcurrencyShares":5,"limitResponse":{"type":"Reject"},"lendablePercent":0}}, nominalCL=600, lendableCL=0, borrowingCL=600, currentCL=600, quiescing=false (shares=0xc0000282e4, shareSum=5) |
| 1708625359000 | I0222 18:09:19.091401      11 config.go:746] "KMSv1 is deprecated and will only receive security updates going forward. Use KMSv2 instead." |
| 1708625359000 | I0222 18:09:19.091734      11 dynamic_cafile_content.go:119] "Loaded a new CA Bundle and Verifier" name="client-ca-bundle::/etc/kubernetes/pki/internal-auth/ca.crt" |
| 1708625359000 | E0222 18:09:19.092520      11 run.go:74] "command failed" err="jwt[0].issuer.url: Invalid value: \"\\\"https://sts.windows.net/***/\\\"\": parse \"\\\"https://sts.windows.net/***/\\\"\": first path segment in URL cannot contain colon" |
| 1708625659000 | W0222 18:14:19.555912      11 feature_gate.go:239] Setting deprecated feature gate KMSv1=true. It will be removed in a future release. |

Relevant Error/Panic Output Snippet

| 1708625359000 | E0222 18:09:19.092520      11 run.go:74] "command failed" err="jwt[0].issuer.url: Invalid value: \"\\\"https://sts.windows.net/***/\\\"\": parse \"\\\"https://sts.windows.net/***/\\\"\": first path segment in URL cannot contain colon"

Terraform Configuration Files

resource "aws_eks_identity_provider_config" "eks_identity_provider" {
  cluster_name = local.cluster_name

  oidc {
    identity_provider_config_name = "aad"
    client_id                     = "***"
    groups_claim                  = "groups"
    issuer_url                    = "***"
    username_claim                = "upn"
  }

  timeouts {
    create = "1h"
    delete = "1h"
  }
}

Steps to Reproduce

  1. Add aws_eks_identity_provider_config
  2. See error logs on API server

Debug Output

No response

Panic Output

No response

Important Factoids

I tried to reproduce the error on a different cluster, created from scratch, but wasn't able to see the same error. I also tried to associate the OIDC provider using the AWS console and the aws cli; in both cases I got the same error.

References

No response

Would you like to implement a fix?

None
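Added example, not code from the issue, the provider or kube-apiserver: a small Go program that reproduces the API server's parse failure with net/url on a constructed, quote-wrapped issuer URL modelled on the log lines above, plus a hypothetical pre-apply validator that rejects such values before they reach the control plane. The placeholder tenant id and the names ParseError and ValidateIssuerURL are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed samples modelled on the issue's log lines: the issuer URL as the
// API server received it (wrapped in literal quotes) and the intended value.
// The tenant id is a placeholder, not a real one.
const (
	quotedIssuer = "\"https://sts.windows.net/00000000-0000-0000-0000-000000000000/\""
	cleanIssuer  = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
)

// ParseError returns what net/url reports for a value. A leading quote is not
// a valid scheme character, so Go sees no scheme, treats `"https:` as the
// first path segment and rejects the colon in it: exactly the apiserver error.
func ParseError(raw string) string {
	if _, err := url.Parse(raw); err != nil {
		return err.Error()
	}
	return ""
}

// ValidateIssuerURL is a hypothetical pre-apply check (not provider or
// apiserver code): reject embedded quotes with a clearer message than the
// parser gives, then require a parseable https URL with a host.
func ValidateIssuerURL(raw string) error {
	if strings.ContainsAny(raw, `"'`) {
		return errors.New("issuer url contains quote characters; value may have been JSON-encoded twice")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("issuer url does not parse: %w", err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("issuer url must be https with a host, got %q", raw)
	}
	return nil
}

func main() {
	fmt.Println("quoted:", ParseError(quotedIssuer))
	fmt.Println("quoted check:", ValidateIssuerURL(quotedIssuer))
	fmt.Println("clean check:", ValidateIssuerURL(cleanIssuer))
}
```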

github-actions[bot] commented 8 months ago

gerty3000 commented 8 months ago

Today it works. Dunno what happened :shrug:

github-actions[bot] commented 7 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.