[eks/cluster] Fix AWS SSO support (#1072)

modules/eks/cluster/CHANGELOG.md

@@ -1,4 +1,13 @@
-## Release 1.466.1
+## Release 1.468.0
+
+PR [#1072](https://github.com/cloudposse/terraform-aws-components/pull/1072)
+
+Bugfix:
+
+- Correctly map AWS SSO Permission Sets referenced by `aws_sso_permission_sets_rbac` to IAM Role ARNs.
+- Broken in Release 1.431.1: Update to use AWS Auth API
+
+## Release 1.467.0
 
 PR [#1071](https://github.com/cloudposse/terraform-aws-components/pull/1071)
 
@@ -34,7 +43,9 @@ script.
 This support should be considered an `alpha` version, as it may change when support for Amazon Linux 2023 is added, and
 does not work with Bottlerocket.
 
-## Breaking Changes: Components PR [#1033](https://github.com/cloudposse/terraform-aws-components/pull/1033)
+## Release 1.431.1: Breaking Changes
+
+Components PR [#1033](https://github.com/cloudposse/terraform-aws-components/pull/1033)
 
 ### Major Breaking Changes
 

modules/eks/cluster/aws-sso.tf

@@ -4,7 +4,7 @@
 locals {
 
   aws_sso_access_entry_map = {
-    for role in var.aws_sso_permission_sets_rbac : data.aws_iam_roles.sso_roles[role.aws_sso_permission_set] => {
+    for role in var.aws_sso_permission_sets_rbac : tolist(data.aws_iam_roles.sso_roles[role.aws_sso_permission_set].arns)[0] => {
       kubernetes_groups = role.groups
     }
   }
@@ -14,4 +14,13 @@ data "aws_iam_roles" "sso_roles" {
   for_each    = toset(var.aws_sso_permission_sets_rbac[*].aws_sso_permission_set)
   name_regex  = format("AWSReservedSSO_%s_.*", each.value)
   path_prefix = "/aws-reserved/sso.amazonaws.com/"
+
+  lifecycle {
+    postcondition {
+      condition = length(self.arns) == 1
+      error_message = length(self.arns) == 0 ? "Could not find Role ARN for the AWS SSO permission set: ${each.value}" : (
+        "Found more than one (${length(self.arns)}) Role ARN for the AWS SSO permission set: ${each.value}"
+      )
+    }
+  }
 }