Is your request related to a problem? Please describe.
Using module version 20.31.1.
It is not a drop-in replacement to use the new cluster_dualstack_oidc_issuer_url compared to the previous cluster_oidc_issuer_url module output.
For the old issuer_url this module creates an aws_iam_openid_connect_provider resource in the account creating the cluster. However there is not an analogous dualstack provider created for cluster_dualstack_oidc_issuer_url.
Describe the solution you'd like.
Create an aws_iam_openid_connect_provider attached to the dualstack url.
Export that provider from the module via cluster_dualstack_oidc_provider_arn.
Provide a way / migration path to turn off the old issuer url and only create/use the dualstack version.
I'm probably missing something but I guess it's worth pointing out that this dualstack issuer does not work for IRSA. If you do create a new provider with this cluster_dualstack_oidc_issuer_url and you define an IRSA role using this new provider, a pod will not properly AssumeRoleWithWebIdentity with it because the IRSA roles are still tied to the non-dualstack issuer url. The JWT injected into your pod is minted with the iss claim matching the non-dualstack issuer.
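Added example, not part of the issue thread or the module's code: a Python check that decodes a service account token's claims (without verifying the signature) and compares its `iss` with the issuer an IAM OIDC provider was created for, which is the mismatch described in the comment above. The issuer URLs, account ID, ARN and token are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

# Constructed placeholder values (assumptions, not taken from the issue).
LEGACY_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0000"
DUALSTACK_PROVIDER_ARN = (
    "arn:aws:iam::111122223333:oidc-provider/oidc-eks.us-east-1.api.aws/id/EXAMPLE0000"
)

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def provider_path(url_or_arn: str) -> str:
    """Reduce an issuer URL or OIDC provider ARN to the bare host/path form."""
    if url_or_arn.startswith("arn:"):
        return url_or_arn.split(":oidc-provider/", 1)[1].rstrip("/")
    return url_or_arn.split("://", 1)[-1].rstrip("/")

def check_irsa_issuer(token: str, provider: str) -> dict:
    """Report whether the token's iss/aud line up with the given provider."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    iss = provider_path(claims.get("iss", ""))
    return {
        "token_iss": iss,
        "provider": provider_path(provider),
        "issuer_matches": iss == provider_path(provider),
        "audience_ok": "sts.amazonaws.com" in aud,
        "sub": claims.get("sub"),
    }

def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token so the check runs offline."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"

if __name__ == "__main__":
    token = constructed_token({"iss": LEGACY_ISSUER, "aud": ["sts.amazonaws.com"],
                               "sub": "system:serviceaccount:default:app"})
    print(check_irsa_issuer(token, DUALSTACK_PROVIDER_ARN))
```

In a running pod, the token to inspect is the file named by the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable.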
This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days