
[Bug]: irsa roles are not being created with correct name for aws_for_fluentbit #788

Closed
1 task done
IrishAfrican opened this issue Jul 19, 2022 · 3 comments · Fixed by #808
Labels
bug Something isn't working

Comments

@IrishAfrican

Welcome to Amazon EKS Blueprints!

  • Yes, I've searched similar issues on GitHub and didn't find any.

Amazon EKS Blueprints Release version

4.5.0

What is your environment, configuration and the example used?

The name of the IAM role created when using OpenSearch with aws_for_fluentbit is important, as it has to be added to the security settings of OpenSearch. As such, the name should be configurable; unfortunately, something in v4.5.0 has prevented this from being possible (unless I am missing something).

It appears as if the change made to support named irsa roles in the irsa module is not propagated through to the addons.

As such, I cannot find any way to name the role (the optional irsa_iam_role_name configuration isn't propagated upwards), and at least in the case of the aws_for_fluentbit addon the role seems to be created with the name "terraform--****" instead of the name resulting from format("%s-%s-%s", var.addon_context.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa").

I am unsure where it is getting the "terraform--****" value from, but it seems to be set in var.addon_context.irsa_iam_role_name somehow.

What did you do and What did you see instead?

In v4.4.0 the name of the aws_for_fluentbit irsa role was something like amce-preprod-test-eks-aws-for-fluent-bit-sa-irsa, based on the code format("%s-%s-%s", var.addon_context.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa"), but in v4.5.0 the role name is terraform-2022071810100220800000001a.

Additional Information

I believe the same issue is happening with other add-ons, including but not limited to:

  • cluster-autoscaler
  • aws_load_balancer_controller
  • aws_vpc_cni

This may not be an issue other than making it difficult to see which roles are for which purpose in AWS IAM, but for the aws_for_fluentbit case it is an issue, as the role name is now no longer configurable and hence cannot be set in OpenSearch in advance of the role being created (especially NB when the cluster is created and destroyed on a regular basis, as in the case of a test cluster).
@IrishAfrican IrishAfrican added the bug Something isn't working label Jul 19, 2022
@SemperRuminare

SemperRuminare commented Jul 26, 2022

It looks like it's getting set by Terraform.

name - (Optional, Forces new resource) Friendly name of the role. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role

While the name should also set the friendly name, somehow it's not getting picked up.

I wonder if they should set lines 47-52 back with the try block from the last update (c3882d9).

@SemperRuminare

@bryantbiggs Just tested this and it seems to break AWS Load Balancer Controller with "service/ingress-nginx-controller-internal Failed build model due to WebIdentityErr: failed to retrieve credential caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity".

I reverted the name back to the original and it seems to work after rebuilding the cluster. I think this has to do with an in-place terraform apply mismatching Service Account names, even though when I do a kubectl describe sa <LB-IRSA> -n kubesystem it shows a matching ARN.

@bryantbiggs (Contributor)

Apologies - this looks like it's due to the optional variable attribute, which results in a null and therefore defaults back to a Terraform-provided name. In the interim you can use irsa_iam_role_name to set the name, but I'll push up a fix now for this.
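The mechanism described in this thread, as an added example that is not EKS Blueprints code and is not taken from the fix referenced above: an optional() object attribute is null when the caller omits it; passing that null straight into aws_iam_role.name makes Terraform assign a random "terraform-<timestamp>" friendly name, and coalesce() restores the derived name from the issue. The block also spells out the OIDC trust policy that IRSA depends on, because the AccessDenied on sts:AssumeRoleWithWebIdentity in the comment above is what a mismatch between that trust condition and the pod's service account looks like. The variables oidc_provider_arn, oidc_provider and namespace, and all sample values, are assumptions for illustration.

```hcl
# Added example, not EKS Blueprints code. Shows why a null optional()
# attribute yields a Terraform-generated role name and how coalesce() avoids it.

terraform {
  required_version = ">= 1.3" # optional() object attributes are GA from 1.3
}

variable "addon_context" {
  type = object({
    eks_cluster_id     = string
    irsa_iam_role_name = optional(string) # null when the caller does not set it
  })
}

variable "kubernetes_service_account" {
  type    = string
  default = "aws-for-fluent-bit-sa"
}

# Assumed inputs (hypothetical names): the cluster's OIDC provider and the
# namespace the add-on's service account lives in.
variable "oidc_provider_arn" { type = string }
variable "oidc_provider" { type = string } # e.g. oidc.eks.<region>.amazonaws.com/id/<ID>, no scheme
variable "namespace" {
  type    = string
  default = "logging"
}

locals {
  # The 4.4.0-style derived name quoted in the issue.
  derived_role_name = format("%s-%s-%s",
    var.addon_context.eks_cluster_id,
    trim(var.kubernetes_service_account, "-*"),
  "irsa")

  # Buggy: a null passes straight through, so aws_iam_role.name is null and
  # Terraform assigns a random "terraform-<timestamp>" friendly name.
  buggy_role_name = var.addon_context.irsa_iam_role_name

  # Fixed: coalesce() returns the first argument that is neither null nor "",
  # so a caller-supplied name wins when present and the derived name otherwise.
  role_name = coalesce(var.addon_context.irsa_iam_role_name, local.derived_role_name)
}

# IRSA trust policy: only the named service account may assume this role.
# If this :sub value does not match the pod's projected token, STS answers
# "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity".
data "aws_iam_policy_document" "irsa_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider}:sub"
      values   = ["system:serviceaccount:${var.namespace}:${var.kubernetes_service_account}"]
    }

    condition {
      test     = "StringEquals"
      variable = "${var.oidc_provider}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "irsa" {
  name               = local.role_name # never null, so never a random name
  assume_role_policy = data.aws_iam_policy_document.irsa_trust.json

  lifecycle {
    precondition {
      condition     = length(local.role_name) <= 64 # IAM role name limit
      error_message = "IRSA role name exceeds the 64-character IAM limit."
    }
  }
}

# The predictable ARN is what an OpenSearch domain access policy or
# fine-grained access-control role mapping can reference before the role exists.
output "irsa_role_arn" {
  value = aws_iam_role.irsa.arn
}
```

With a hypothetical eks_cluster_id of acme-preprod-test-eks and irsa_iam_role_name omitted, local.role_name evaluates to acme-preprod-test-eks-aws-for-fluent-bit-sa-irsa; when the attribute is set, that value is used verbatim. local.buggy_role_name is kept only to show the null that reaches the provider; note that changing name on aws_iam_role forces a new resource, which is why switching between the two forms on a live cluster recreates the role and can leave the service-account annotation pointing at an ARN that briefly no longer matches the trust policy.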

3 participants