terraform-aws-eks

IRSA `passRole` should accept a list instead of only one since we can have different node roles for each nodeClass

Open luciano-buono opened this issue 2 years ago • 0 comments

Description

Since v0.32, Karpenter allows specifying a different role for each nodeClass. Since this means that you may have >1 role, the IRSA should have the PassRole action on all necessary resources.

Right now, if you set create_iam_role=false, the module only allows passing a single roleArn for this.

iam_role_arn should be a list so IRSA can pass any of those

  • [X] ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: 19.20

  • Terraform version: 1.5.7

Reproduction Code [Required]

module "karpenter" {
  source  = "terraform-aws-modules/eks/aws//modules/karpenter"
  version = "19.20.0"

  cluster_name = var.cluster_name

  irsa_oidc_provider_arn          = var.cluster_oidc_provider_arn
  irsa_namespace_service_accounts = ["karpenter:karpenter"]
  irsa_use_name_prefix            = var.irsa_use_name_prefix

  # Since Karpenter is running on an EKS Managed Node group,
  # we can re-use the role that was created for the node group
  create_iam_role = false
  iam_role_arn    = var.cluster_karpenter_controller_nodegroup.iam_role_arn

  # In v0.32.0/v1beta1, Karpenter now creates the IAM instance profile
  # so we disable the Terraform creation and add the necessary permissions for Karpenter IRSA
  enable_karpenter_instance_profile_creation = true

  tags = var.tags
}

Expected behavior

iam_role_arn should be a list so IRSA can pass any of those

Actual behavior

iam_role_arn only accepts a single role, thus nodes defined in many NodeClasses can only assume a single role

luciano-buono, Nov 22 '23 21:11
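
One way to give the Karpenter controller's IRSA role `iam:PassRole` on several node roles from outside the module, as an added example that is not part of the original issue or of the module's own code. The variables `node_role_arns` and `irsa_role_name` are hypothetical inputs; the statement lists each role explicitly and restricts passing to EC2 instead of widening the resource to a wildcard.

```hcl
# Hypothetical input: every node IAM role referenced by a NodeClass.
variable "node_role_arns" {
  description = "ARNs of all node IAM roles the Karpenter controller may pass"
  type        = list(string)

  validation {
    # Reject an empty list and any ARN containing a wildcard, so the
    # PassRole grant can never silently expand beyond the listed roles.
    condition = length(var.node_role_arns) > 0 && alltrue([
      for arn in var.node_role_arns :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/[^*?]+$", arn))
    ])
    error_message = "Provide at least one full IAM role ARN; wildcards are not allowed."
  }
}

# Hypothetical input: name of the IRSA role used by the Karpenter controller.
variable "irsa_role_name" {
  description = "Name of the IAM role assumed by the Karpenter service account"
  type        = string
}

data "aws_iam_policy_document" "pass_node_roles" {
  statement {
    sid       = "PassNodeRoles"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = var.node_role_arns

    # Only allow the roles to be handed to EC2, not to any other service.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
}

# Inline policy attached to the existing IRSA role.
resource "aws_iam_role_policy" "pass_node_roles" {
  name   = "KarpenterPassNodeRoles"
  role   = var.irsa_role_name
  policy = data.aws_iam_policy_document.pass_node_roles.json
}
```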