terraform-aws-eks icon indicating copy to clipboard operation
terraform-aws-eks copied to clipboard

Published 20 hours ago β€’ verified publisher icon terraform-aws-modules

aws configmap

Open Mieszko96 opened this issue 1 year ago β€’ 5 comments

hey in my current terraform i am using to manage aws configmap i'm using module with version 19.20

resource "kubectl_manifest" "aws-auth-cm" {
  yaml_body = <<MANIFEST
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
%{if local.rancher2_import_enabled~}
  mapUsers: |
    - userarn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${var.rancher2_cloud_credentials_name}
      username: ${var.rancher2_cloud_credentials_name}
      groups:
      - system:masters
%{endif~}
%{if length(var.paas_eks_accounts) > 0~}
  mapAccounts: |
    ${replace(yamlencode(var.paas_eks_accounts), "\"", "")~}
%{endif~}
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: ${module.eks.eks_managed_node_groups["default"].iam_role_arn}
      username: system:node:{{EC2PrivateDNSName}}
%{if length(var.paas_eks_roles) > 0~}
    ${indent(4, replace(yamlencode(var.paas_eks_roles), "\"", ""))~}
%{endif~}
MANIFEST
  force_new = false
}

with eks_managed_node_groups and create_aws_auth_configmap = false manage_aws_auth_configmap = false

What i need to do to switch to manage_aws_auth_configmap = true and remove resource "kubectl_manifest" "aws-auth-cm"

What i tested.

scenario 1

removed resource "kubectl_manifest" "aws-auth-cm" manage_aws_auth_configmap = false -> true ❌ configmap was deleted( we don't have configmap in EKS)

scenario 2 removed resource "kubectl_manifest" "aws-auth-cm" create_aws_auth_configmap = true

❌ βœ… this scenario works, but if i use same code for brand new EKS it have error aws-auth already exist. And i need solution for updated exisiting terraform and for brand new.

scenario 3 Also tried with moved block, but getting error

moved {
 from = kubectl_manifest.aws-auth-cm
 to   = module.eks.kubernetes_config_map_v1_data.aws_auth[0]
}

This statement declares a move from kubectl_manifest.aws-auth-cm to module.eks.kubernetes_config_map.aws_auth[0], which is a resource instance of a different type.

or

module.eks.kubernetes_config_map_v1_data.aws_auth[0], which is a resource instance of a different type.

I don't mind if solution require removing state from terraform list

Mieszko96 avatar Apr 11 '24 11:04 Mieszko96

actually checking https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md it will be removed in 21.xx at all so maybe i should not do this.

But if you have opinion/suggestions please let me know

Mieszko96 avatar Apr 11 '24 15:04 Mieszko96

@Mieszko96 Do you know if there new method to handle who has auth to use the cluster? is it access_entries?

kaykhan avatar Apr 16 '24 10:04 kaykhan

@kaykhan It has been moved to submodule https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/20.8.5/submodules/aws-auth

groovyghost avatar Apr 18 '24 07:04 groovyghost

@kaykhan It has been moved to submodule https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/20.8.5/submodules/aws-auth

This sub module is going to be removed in the next version (21) https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md#%EF%B8%8F-upcoming-changes-planned-in-v210-%EF%B8%8F

So just curious how to handle it moving forward.

Im wondering if we should now be creating this resource ourselves. https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1

kaykhan avatar Apr 22 '24 11:04 kaykhan

its a separate sub-module and the code has not changed for this functionality for several years. Even though the code will be removed in v21, theres nothing stopping you from using the sub-module at v20 for years to come.

However, long term the strategy is to use cluster access entries

bryantbiggs avatar Apr 22 '24 11:04 bryantbiggs

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar May 23 '24 00:05 github-actions[bot]

This issue was automatically closed because of stale in 10 days

github-actions[bot] avatar Jun 02 '24 00:06 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Jul 02 '24 02:07 github-actions[bot]