terraform-aws-eks
Question - v1.29 to v1.30 OIDC Provider/Issuer URL upgrade problem?
Description
Question - Are we going to be affected by this issue?
https://repost.aws/questions/QUM2Zyd5KsT4yKV1qheHKaeQ/eks-upgrade-from-1-29-to-1-30
We've recently built 4 clusters using this module, currently on version 19.21.0, and are running v1.29 in EKS. I'm just planning the upgrade to v1.30 and came across this article, which states there is going to be a failure during upgrade if the OIDC Service Account Issuer URL and OIDC Provider URL are the same - ours are; I assume everyone's are?
The official answer from AWS on the above article is to just disassociate the OIDC provider and then re-attach it. This hardly seems like a solution to this problem when surely nearly everyone is building these with Terraform, if not this official module. Even if you do this "workaround" - does this need doing every time?
Does the OIDC Provider URL then change? If so, what happens on the next Terraform plan/apply? The module "vpc_cni_irsa" uses module.eks.oidc_provider_arn, and we have several other IAM Roles set up for IAM Role to Service Account mapping, the Trust Relationships of which use the module.eks.oidc_provider output. What happens to these? What happens to any pods/services running which are using IRSA when you disassociate the OIDC Provider in the steps provided - do these break? If it changes, do their IAM Trust Policies then need re-creating with the new OIDC URL and all pods restarting? The questions are endless... I've been searching online around this all day and can't really find much, so either it's a non-issue in most cases, or most people haven't upgraded to v1.30 yet and hit the problem. I need to find out the right answer and the steps involved, so I thought I'd ask here - this module is so good and we're really happy with it, so I'm just wondering if there is a better way to handle this upgrade.
Any advice, help or guidance on this would be greatly appreciated.
I don't know, you haven't provided your configuration.
In the module, we have started enforcing this behavior starting with version 20.30.0 https://github.com/terraform-aws-modules/terraform-aws-eks/pull/3055
So if you update to at least that version (preferably the latest) and run terraform plan - if you hit the validation error, then you will need to take action.
clarification - In the module, we have started enforcing this behavior for Kubernetes 1.30+ starting with module version 20.30.0 https://github.com/terraform-aws-modules/terraform-aws-eks/pull/3055
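As an added pre-check (not code from the terraform-aws-eks module, the issue author or the maintainers), the script below implements the condition the question describes: it compares the cluster's own service-account issuer (`cluster.identity.oidc.issuer` from `aws eks describe-cluster`) against the `issuerUrl` of each OIDC identity provider config associated with the cluster (the object `aws eks disassociate-identity-provider-config` acts on) and reports any config that reuses the cluster's issuer. The JSON documents are constructed to mirror the trimmed shape of those two CLI responses; the cluster name, issuer ID and config names are made up. It assumes that this cluster-issuer/identity-provider-config pair is the one the 1.30 validation refers to, which is an interpretation of the thread, not something the page states.

```python
"""Pre-check: does any OIDC identity provider config associated with an EKS
cluster reuse the cluster's own service-account issuer URL?

Added example, not code from the terraform-aws-eks module. The JSON below is
constructed to mirror the (trimmed) output of `aws eks describe-cluster` and
`aws eks describe-identity-provider-config`; in real use, pass the actual CLI
output to the same functions. All names and IDs are made up.
"""
import json
from urllib.parse import urlparse

# Constructed sample: shape of `aws eks describe-cluster --name demo` (trimmed).
DESCRIBE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "demo",
    "version": "1.29",
    "identity": {
      "oidc": {
        "issuer": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      }
    }
  }
}
""")

# Constructed sample: one document per `aws eks describe-identity-provider-config`
# call (trimmed). The first reuses the cluster's own issuer and should be flagged;
# the second points at an external IdP and should not.
IDP_CONFIGS = [json.loads(doc) for doc in ("""
{
  "identityProviderConfig": {
    "oidc": {
      "identityProviderConfigName": "self-issuer",
      "issuerUrl": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE",
      "clientId": "sts.amazonaws.com",
      "status": "ACTIVE"
    }
  }
}
""", """
{
  "identityProviderConfig": {
    "oidc": {
      "identityProviderConfigName": "corp-sso",
      "issuerUrl": "https://login.example.com/oauth2/default",
      "clientId": "kubernetes",
      "status": "ACTIVE"
    }
  }
}
""")]


def normalize_issuer(url: str) -> str:
    """Canonicalize an issuer so scheme, host case and trailing slash don't
    cause a false negative. The module's `oidc_provider` output and IAM OIDC
    provider ARNs carry the issuer without the `https://` prefix, so both forms
    must compare equal."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.netloc.lower() + parsed.path).rstrip("/")


def cluster_issuer(describe_cluster: dict) -> str:
    """Service-account issuer the cluster signs its projected tokens with."""
    return describe_cluster["cluster"]["identity"]["oidc"]["issuer"]


def conflicting_idp_configs(describe_cluster: dict, idp_configs: list) -> list:
    """Names of OIDC identity provider configs whose issuerUrl equals the
    cluster's own issuer; an empty list means nothing to disassociate."""
    own = normalize_issuer(cluster_issuer(describe_cluster))
    hits = []
    for cfg in idp_configs:
        oidc = cfg.get("identityProviderConfig", {}).get("oidc")
        if not oidc:  # non-OIDC or malformed entry: nothing to compare
            continue
        if normalize_issuer(oidc["issuerUrl"]) == own:
            hits.append(oidc["identityProviderConfigName"])
    return hits


if __name__ == "__main__":
    found = conflicting_idp_configs(DESCRIBE_CLUSTER, IDP_CONFIGS)
    if found:
        print("identity provider configs reusing the cluster issuer:", ", ".join(found))
    else:
        print("no identity provider config reuses the cluster issuer")
```

Run against the constructed data it reports only `self-issuer`; `corp-sso` is left alone because its issuer is a different host. Normalizing before comparing is a deliberate choice so that an issuer copied from the module's `oidc_provider` output (no scheme) still matches the `https://` form EKS returns.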