terraform-aws-eks

Inconsistency with thumbprint_list during cluster update

Open janavenkat opened this issue 1 year ago • 6 comments

Description

Every time I update the Kubernetes version, the EKS module replaces the OIDC thumbprint_list.

Versions

  • Module version [Required]: 20.8.3

  • Terraform version: 1.7.5

  • Provider version(s): ~ 5.0

Reproduction Code [Required]

module "eks-test" {  
  source  = "terraform-aws-modules/eks/aws"  
  version = "20.8.3"  
  subnet_ids      = module.vpc.private_subnets  
  vpc_id       = module.vpc.vpc_id  
  cluster_name = var.k8s_cluster_name  
  cluster_version = "1.27"  
  
  enable_irsa  = true

.....
}

Steps to reproduce the behavior:

Expected behavior

I shouldn't see the thumbprint_list change.

Actual behavior

Terraform will perform the following actions:

  # module.eks-test.data.tls_certificate.this[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "tls_certificate" "this" {
      + certificates = (known after apply)
      + id           = (known after apply)
      + url          = "<redacted>"
    }

  # module.eks-test.aws_eks_cluster.this[0] will be updated in-place
  ~ resource "aws_eks_cluster" "this" {
        id                        = "eks-test"
        name                      = "eks-test"
        tags                      = {
            "terraform-aws-modules" = "eks"
        }
      ~ version                   = "1.27" -> "1.28"
        # (10 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # module.eks-test.aws_iam_openid_connect_provider.oidc_provider[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "oidc_provider" {
        id              = "<redacted>"
        tags            = {
            "Name" = "eks-test-eks-irsa"
        }
      ~ thumbprint_list = [
          - "<redacted>",
        ] -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Seems something is wrong with the data tls_certificate while getting the thumbprint.

janavenkat avatar Mar 21 '24 13:03 janavenkat
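
Added example (not part of the issue thread or the module's code): a Python check over `terraform show -json <planfile>` output that separates an OIDC provider diff whose only change is a `thumbprint_list` deferred to apply from one with known new values. The sample plan is constructed to mirror the output above; the function names and the `sts.amazonaws.com` client ID are assumptions.

```python
# Constructed sample shaped like `terraform show -json` output for the plan above.
OIDC = "module.eks-test.aws_iam_openid_connect_provider.oidc_provider[0]"
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.eks-test.data.tls_certificate.this[0]",
     "mode": "data", "type": "tls_certificate",
     "change": {"actions": ["read"], "before": None,
                "after": {"url": "<redacted>"},
                "after_unknown": {"certificates": True, "id": True}}},
    {"address": OIDC, "mode": "managed",
     "type": "aws_iam_openid_connect_provider",
     "change": {"actions": ["update"],
                "before": {"client_id_list": ["sts.amazonaws.com"],
                           "thumbprint_list": ["<redacted>"],
                           "tags": {"Name": "eks-test-eks-irsa"}},
                # Unknown attributes are omitted from "after" and flagged below.
                "after": {"client_id_list": ["sts.amazonaws.com"],
                          "tags": {"Name": "eks-test-eks-irsa"}},
                "after_unknown": {"client_id_list": [False],
                                  "thumbprint_list": True, "tags": {}}}},
]}

def has_unknown(value):
    """True if any leaf of an after_unknown value is marked unknown."""
    if isinstance(value, dict):
        return any(has_unknown(v) for v in value.values())
    if isinstance(value, list):
        return any(has_unknown(v) for v in value)
    return value is True

def classify_oidc_changes(plan):
    """Map each OIDC provider address in the plan to a verdict string."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_openid_connect_provider":
            continue
        ch = rc["change"]
        before, after = ch.get("before") or {}, ch.get("after") or {}
        deferred = {k for k, v in (ch.get("after_unknown") or {}).items()
                    if has_unknown(v)}
        known = {k for k in set(before) | set(after)
                 if k not in deferred and before.get(k) != after.get(k)}
        if ch["actions"] == ["no-op"]:
            verdict = "unchanged"
        elif ch["actions"] == ["update"] and not known and deferred == {"thumbprint_list"}:
            verdict = "deferred-thumbprint"  # plan cannot say whether the value differs
        else:
            verdict = "known-change: " + ",".join(sorted(known | deferred))
        verdicts[rc["address"]] = verdict
    return verdicts
```

A `deferred-thumbprint` verdict only says the plan could not resolve the value; comparing the provider's `thumbprint_list` in state before and after the apply shows whether it actually changed.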

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Apr 25 '24 00:04 github-actions[bot]

@bryantbiggs It would be great to know the cause.

janavenkat avatar Apr 25 '24 13:04 janavenkat

I see the same behavior using 20.8.3, even without updating the Kubernetes version.

After the initial apply, a subsequent plan without any configuration change is changing the thumbprint_list.

@bryantbiggs - please let me know if further details are required.

hanneshofmann avatar Apr 29 '24 14:04 hanneshofmann

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar May 30 '24 00:05 github-actions[bot]

@bryantbiggs let me know if you need more info.

janavenkat avatar May 30 '24 07:05 janavenkat

There isn't anything that we plan to change for this - as far as I can tell, it's just a matter of something showing up in a plan diff, but there's no actual impact to the cluster so this is a no-op.

bryantbiggs avatar May 30 '24 11:05 bryantbiggs

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Jul 03 '24 00:07 github-actions[bot]

This issue was automatically closed because of stale in 10 days

github-actions[bot] avatar Jul 13 '24 00:07 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Aug 12 '24 02:08 github-actions[bot]