
enable_irsa = true fails on new cluster #2170

Closed
d-m opened this issue Jul 21, 2022 · 9 comments · Fixed by #2174

Comments

@d-m

d-m commented Jul 21, 2022

Issue

I'm working through the Karpenter example and enabling IRSA via enable_irsa = true fails on a new cluster with the following error when attempting terraform plan and terraform apply:

│ Error: Invalid index
│ 
│   on .terraform/modules/eks/main.tf line 211, in resource "aws_iam_openid_connect_provider" "oidc_provider":
│  211:   thumbprint_list = concat([data.tls_certificate.this[0].certificates[0].sha1_fingerprint], var.custom_oidc_thumbprints)
│     ├────────────────
│     │ data.tls_certificate.this[0].certificates is empty list of object
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.

It succeeds when I set enable_irsa = false, run terraform apply, set enable_irsa = true, and then run terraform apply again. Is this intended? I didn't see anything in the documentation saying that it couldn't be used on a new cluster.

Terraform manifest

module "eks" {
  # https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest
  source  = "terraform-aws-modules/eks/aws"
  version = "18.17.0"

  cluster_name    = local.cluster_name
  cluster_version = "1.21"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  # Required for Karpenter role below
  enable_irsa = true

  # We will rely only on the cluster security group created by the EKS service
  # See note below for `tags`
  create_cluster_security_group = false
  create_node_security_group    = false

  # Only need one node to get Karpenter up and running.
  # This ensures core services such as VPC CNI, CoreDNS, etc. are up and running
  # so that Karpenter can be deployed and start managing compute capacity as required
  eks_managed_node_groups = {
    initial = {
      instance_types = ["t3.medium"]
      # We don't need the node security group since we are using the
      # cluster-created security group, which Karpenter will also use
      create_security_group                 = false
      attach_cluster_primary_security_group = true

      min_size     = 1
      max_size     = 1
      desired_size = 1

      iam_role_additional_policies = [
        # Required by Karpenter
        "arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
      ]
    }
  }

  tags = {
    # Tag node group resources for Karpenter auto-discovery
    # NOTE - if creating multiple security groups with this module, only tag the
    # security group that Karpenter should utilize with the following tag
    "karpenter.sh/discovery" = local.cluster_name
  }
}

Terraform version

❯ terraform -version
Terraform v1.2.5
on linux_amd64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v4.22.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/helm v2.5.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.12.1
+ provider registry.terraform.io/hashicorp/tls v4.0.0
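The failing expression above derives the IAM OIDC provider's thumbprint from the issuer's TLS chain and indexes `certificates[0]` without checking that the chain is non-empty. The following added example (not code from the issue, the EKS module or the tls provider) shows the same derivation done defensively in Go: parse a PEM chain, take the root CA, emit the SHA-1 fingerprint in the form IAM expects, and turn an empty chain into an explicit error. The self-signed CA it builds is a constructed stand-in for the chain a real cluster's OIDC issuer would serve.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IssuerThumbprint computes the value the EKS module puts into thumbprint_list:
// the SHA-1 fingerprint (lowercase hex, no separators) of the root CA in the chain
// served by the OIDC issuer. A leaf-first PEM chain ends with the root (the tls
// provider exposes it as certificates[0]). An empty chain, the condition behind
// the "Invalid index" error in this issue, is reported as an explicit error.
func IssuerThumbprint(chainPEM []byte) (string, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(chainPEM); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return "", fmt.Errorf("empty certificate chain: refusing to derive an OIDC thumbprint")
	}
	sum := sha1.Sum(certs[len(certs)-1].Raw)
	return hex.EncodeToString(sum[:]), nil
}

// ConstructedChainPEM builds a throwaway self-signed CA purely for offline use;
// a real check would fetch the chain from the cluster's OIDC issuer URL instead.
func ConstructedChainPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Comparing the returned value against the `thumbprint_list` of the deployed `aws_iam_openid_connect_provider` is a quick way to confirm that IAM trusts the CA the issuer actually presents.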
@mikeinton

Also wanted to comment here that I encountered the same issue while testing the creation of new EKS clusters using EKS Blueprints.

❯ terraform version
Terraform v1.2.5
on darwin_amd64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v4.22.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/helm v2.6.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.10.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/time v0.7.2
+ provider registry.terraform.io/hashicorp/tls v3.4.0
+ provider registry.terraform.io/terraform-aws-modules/http v2.4.1

@tieujason330

Also seeing this error when running terraform apply in terraform-aws-eks/examples/complete
│ Error: Invalid index

│ on ../../main.tf line 211, in resource "aws_iam_openid_connect_provider" "oidc_provider":
│ 211: thumbprint_list = concat([data.tls_certificate.this[0].certificates[0].sha1_fingerprint], var.custom_oidc_thumbprints)
│ ├────────────────
│ │ data.tls_certificate.this[0].certificates is empty list of object

│ The given key does not identify an element in this collection value.

@fahadahammed

Also seeing this error:

│ Error: Invalid index
│ 
│   on modules/terraform-aws-eks/main.tf line 211, in resource "aws_iam_openid_connect_provider" "oidc_provider":
│  211:   thumbprint_list = concat([data.tls_certificate.this[0].certificates[0].sha1_fingerprint], var.custom_oidc_thumbprints)
│     ├────────────────
│     │ data.tls_certificate.this[0].certificates is empty list of object
│ 
│ The given key does not identify an element in this collection value: the collection has no elements.

@smuth4

smuth4 commented Jul 21, 2022

We also received this error, and were able to work around it by pinning hashicorp/tls to <4.0.0

terraform {
  required_providers {
    tls = {
      version = "<4.0.0"
    }
  }
}

jbronn added a commit to radiant-maxar/terraform-eks that referenced this issue Jul 21, 2022
* Add workaround for terraform-aws-modules/terraform-aws-eks#2170.
* Remove `ClusterIssuer` manifest configuration.
anhqqt pushed a commit to aq-terraform-workspace/AWS-ACLOUDGURU-2 that referenced this issue Jul 22, 2022
@anhqqt

anhqqt commented Jul 22, 2022

I also encountered the same issue today


@smuth4 Thank you, you saved my life

@spr-mweber3

This is hunting us as well.

@FernandoMiguel
Contributor

FYI this is the underlying issue hashicorp/terraform-provider-tls#244

@antonbabenko
Member

This issue has been resolved in version 18.26.6 🎉

@github-actions

github-actions bot commented Nov 9, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 9, 2022