
cert_manager with IRSA creates policy with incorrect service account name #267

Closed
joaocc opened this issue Sep 27, 2023 · 2 comments · Fixed by #268

Comments

joaocc (Contributor) commented Sep 27, 2023

Description

We are deploying cert-manager using the addons, in order to use IRSA for DNS01 with Route53.
We also checked https://cert-manager.io/docs/configuration/acme/dns01/route53/#eks-iam-role-for-service-accounts-irsa and configured the cluster issuers and the certificates as per the documentation.

There may be a relation with #185 (comment)

At the moment we are receiving the following error

```
Error cleaning up challenge: error instantiating route53 challenge solver: unable to assume role: AccessDenied: User: arn:aws:sts::000000000000:assumed-role/something--cert-man--roleks/1695826447002323123 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/something--cert-man--roleks status code: 403, request id: af0000b6-0000-0000-0000-760000000002
```

The module creates the following trust policy, which has an incorrect service account name.

We have used the same mechanism for external-dns (and others) and it is working (meaning basic parameters like cluster info and oidc should be ok).
In this case, the SA is created as cert-man-cert-manager (with cert-man being the helm release name, and sys--cert being the namespace).

- [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: 1.9.0

  • Terraform version: 1.5.7

  • Provider version(s):

```
"registry.terraform.io/gavinbunney/kubectl" "1.14.0"
"registry.terraform.io/hashicorp/aws" "4.67.0"
"registry.terraform.io/hashicorp/helm" "2.10.1"
"registry.terraform.io/hashicorp/kubernetes" "2.22.0"
"registry.terraform.io/hashicorp/null" "3.2.1"
"registry.terraform.io/hashicorp/random" "3.5.1"
"registry.terraform.io/hashicorp/time" "0.9.1"
"registry.terraform.io/metio/k8s" "2023.9.4"
```

Reproduction Code [Required]

Expected behaviour

The account name in the trust policy document should be corrected

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::000000000000:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/xxx"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.eu-west-1.amazonaws.com/id/xxx:sub": "system:serviceaccount:sys--cert:cert-man-cert-manager",
                    "oidc.eks.eu-west-1.amazonaws.com/id/xxx:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
```

Actual behaviour

The module creates a service-account which seems to either use a default or ignore the release name.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::000000000000:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/xxx"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.eu-west-1.amazonaws.com/id/xxx:sub": "system:serviceaccount:sys--cert:cert-manager",
                    "oidc.eks.eu-west-1.amazonaws.com/id/xxx:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
```

Terminal Output Screenshot(s)
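The naming mismatch described in the report above, as an added example that is not code from the terraform-aws-eks-blueprints-addons module, the cert-manager chart, or the issue author. It derives the service-account name the way a Helm `fullname` helper conventionally does (an assumption, not a copy of the chart's template), builds a trust policy in the shape quoted in the issue, and simulates the `StringEquals` check IAM applies to the token's `sub` claim during `AssumeRoleWithWebIdentity`. The account ID, OIDC issuer, namespace `sys--cert` and release name `cert-man` are the placeholders from the issue; `check_release` is a hypothetical helper.

```python
"""Added illustration of the IRSA sub-claim mismatch reported above.

Example code, not code from the blueprints-addons module or the issue author.
The naming rule in helm_fullname() follows the common Helm `fullname` helper
convention and is an assumption, not a copy of the cert-manager chart.
"""
import json
from typing import Optional

# Placeholders taken from the trust policies quoted in the issue.
ACCOUNT_ID = "000000000000"
OIDC_ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/xxx"


def helm_fullname(release: str, chart: str, fullname_override: Optional[str] = None) -> str:
    """Assumed Helm fullname convention (not the chart's own code):
    an explicit fullnameOverride wins; a release name that already contains
    the chart name is used as-is; otherwise the name is '<release>-<chart>'.
    Helm truncates to 63 characters and strips a trailing '-'."""
    if fullname_override:
        name = fullname_override
    elif chart in release:
        name = release
    else:
        name = f"{release}-{chart}"
    return name[:63].rstrip("-")


def irsa_trust_policy(namespace: str, service_account: str,
                      account_id: str = ACCOUNT_ID, issuer: str = OIDC_ISSUER) -> dict:
    """Trust policy in the shape the issue shows, pinned to one service account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def pod_token_claims(namespace: str, service_account: str, issuer: str = OIDC_ISSUER) -> dict:
    """The sub/aud claims a projected service-account token carries, keyed the
    way IAM exposes them as condition keys."""
    return {
        f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
        f"{issuer}:aud": "sts.amazonaws.com",
    }


def assume_role_allowed(policy: dict, claims: dict) -> bool:
    """Simulate the AssumeRoleWithWebIdentity trust check: an Allow statement
    matches only if every StringEquals key equals the token claim exactly."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if conds and all(claims.get(key) == value for key, value in conds.items()):
            return True
    return False


def check_release(release: str, namespace: str = "sys--cert", chart: str = "cert-manager"):
    """Hypothetical helper: return (SA name the chart would create,
    allowed by a policy pinned to the bare chart name,
    allowed by a policy pinned to the derived SA name)."""
    actual_sa = helm_fullname(release, chart)
    claims = pod_token_claims(namespace, actual_sa)
    pinned_to_chart_name = irsa_trust_policy(namespace, chart)
    pinned_to_actual = irsa_trust_policy(namespace, actual_sa)
    return (actual_sa,
            assume_role_allowed(pinned_to_chart_name, claims),
            assume_role_allowed(pinned_to_actual, claims))


if __name__ == "__main__":
    for release in ("cert-manager", "cert-man"):
        sa, bare_ok, derived_ok = check_release(release)
        print(f"release={release!r}: SA={sa!r} bare-name policy={bare_ok} derived-name policy={derived_ok}")
    print(json.dumps(irsa_trust_policy("sys--cert", helm_fullname("cert-man", "cert-manager")), indent=4))
```

With release `cert-manager` both policies pass, which is why a module that hard-codes the chart name only breaks when the release is named differently. Two checks worth doing before changing the module: confirm the SA name that actually exists (`kubectl -n sys--cert get sa`) against the `sub` value in the role's trust policy, and note that the `AccessDenied` quoted in the report names `sts:AssumeRole` by a session that already holds the role, which is a different STS call from the `AssumeRoleWithWebIdentity` step this simulation covers.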

askulkarni2 (Contributor) commented:

@joaocc can you please provide the code to reproduce the issue?

joaocc (Contributor, Author) commented Sep 27, 2023

Not sure I will be able to. We have this inside a non-trivial terragrunt setup. I can try checking if we can create a simplified version, but don't know when I will have time. I will also try to upgrade to 1.9.1, and revert cert-manager to 1.12 (as we had that working with IAM though not IRSA).
The issue seems quite simple, so maybe these changes will show where the issue lies.
Will keep you posted.

joaocc added a commit to joaocc/terraform-aws-eks-blueprints-addons that referenced this issue Sep 27, 2023
joaocc added a commit to kit-ar/aws-ia--terraform-aws-eks-blueprints-addons that referenced this issue Sep 27, 2023