
Cannot enable LocalClusterAuthEndpoint when importing bootstrapped RKE2 Cluster

Open · revog opened this issue 3 years ago · 1 comment

I already set up an RKE2 cluster and now I'd like to import it into Rancher with ACE. The TF resource definition is like this:

resource "rancher2_cluster" "imported" {
  name  = local.stage

  cluster_auth_endpoint {
    enabled  = true
    ca_certs = base64decode(trimspace(element(regex("certificate-authority-data:(.*)", data.local_file.kubeconfig.content), 1)))
    fqdn     = local.cluster_api
  }

  depends_on = [data.local_file.kubeconfig]
}

It seems that when configuring the cluster_auth_endpoint parameters in the resource, it fails as follows:

│ Error: Bad response statusCode [422]. Status [422 Unprocessable Entity]. Body: [baseType=error, code=InvalidState, fieldName=LocalClusterAuthEndpoint.Enabled, message=Can only enable LocalClusterAuthEndpoint with RKE, RKE2, or K3s] from [https://rancher.domain.local/v3/clusters]
│ 
│   with module.cluster.rancher2_cluster.imported[0],
│   on ../modules/cluster/import.tf line 1, in resource "rancher2_cluster" "imported":
│    1: resource "rancher2_cluster" "imported" {
│ 

I think the problem is that when creating an imported cluster in Rancher, its type (RKE2, ...) is not known at this stage and will be fetched during the import process. And setting ACE is only possible for specific cluster types - a chicken-and-egg problem ...

Is there another way to achieve this?

revog avatar Mar 09 '22 09:03 revog

In the meantime I found an alternative/workaround. For now I'm doing the ACE enablement via a null_resource:

# enable ACE (Authorized Cluster Endpoint) after cluster registration (not possible in 1-step with rancher2_cluster resource)
resource "null_resource" "enable_ace" {
  provisioner "local-exec" {
    command = "curl --location --request PUT '${var.rancher_url}/v3/clusters/${rancher2_cluster.imported[0].id}' --header 'Authorization: Bearer ${var.rancher_token}' --header 'Content-Type: application/json' --data-raw '{\"name\": \"${local.stage}\", \"localClusterAuthEndpoint\": { \"enabled\": \"true\", \"fqdn\": \"${local.cluster_api}\", \"caCerts\": \"${local.ca-cert}\" }}'"
  }

  triggers = {
    caCerts = local.ca-cert
  }
}

revog avatar Mar 14 '22 14:03 revog