fix: Add support for overriding DNS suffix for cluster IAM role service principal endpoint (#1905)

examples/eks_managed_node_group/main.tf

@@ -89,7 +89,11 @@ module "eks" {
     instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 
     # We are using the IRSA created below for permissions
-    iam_role_attach_cni_policy = false
+    # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster)
+    # and then turn this off after the cluster/node group is created. Without this initial policy,
+    # the VPC CNI fails to assign IPs and nodes cannot join the cluster
+    # See https://github.com/aws/containers-roadmap/issues/1666 for more context
+    iam_role_attach_cni_policy = true
   }
 
   eks_managed_node_groups = {