terraform-aws-eks-cluster-autoscaler
bug: The value for role arn "annotation" is left empty
Summary
In values.tf, the ARN value is left blank at line 15. However, the correct behavior when not creating an IRSA role should be to use the role provided by the irsa_assume_role_arn input.
Issue Type
Bug Report
Terraform Version
Xiaoxis-MBP:datachat xiaoxisun$ t --version
Terraform v1.5.5
on darwin_amd64
Your version of Terraform is out of date! The latest version
is 1.5.7. You can update by downloading from https://www.terraform.io/downloads.html
Steps to Reproduce
module "eks-cluster-autoscaler" {
  source  = "lablabs/eks-cluster-autoscaler/aws"
  version = "2.1.0"

  cluster_identity_oidc_issuer     = module.eks.oidc_provider
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn
  cluster_name                     = module.eks.cluster_name

  irsa_role_create         = false
  irsa_policy_enabled      = false
  irsa_assume_role_enabled = true
  irsa_assume_role_arn     = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/AmazonEKSCompactClusterAutoscalerRole"

  helm_chart_version = "9.29.2"
  helm_lint          = true
  namespace          = "kube-system"
  values             = file("../../modules/eks/values/cluster-autoscaler-values.yaml")

  settings = {
    "autoDiscovery.clusterName" = module.eks.cluster_name
    "image.tag"                 = var.cluster_autoscaler_image_tag
  }
}
Given the usage of the EKS Terraform module, the above piece of code doesn't actually use the role AmazonEKSCompactClusterAutoscalerRole. We have to attach the proper policy to the role that the EC2 nodes assume in order for Cluster Autoscaler to have the proper permissions.
After applying the changes, the value of the ARN is empty as shown below:
Expected Results
The above configuration should work.
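The following is an added illustration of the expected behaviour, not the module's own source: the service-account role-arn annotation is resolved from the module-created role when irsa_role_create is true and from irsa_assume_role_arn otherwise, and the plan fails instead of shipping an empty annotation. Input names match the report; the resource names, the local, the trust-policy input and the chart value path are assumptions.

```hcl
# Added illustration, not the module's source. Input names match the report;
# resource names, the trust policy input and the local are assumed.
variable "irsa_role_create" { type = bool }
variable "irsa_assume_role_enabled" { type = bool }
variable "irsa_assume_role_arn" {
  type    = string
  default = ""
}
variable "irsa_trust_policy_json" { type = string } # OIDC trust policy (assumed input)

resource "aws_iam_role" "irsa" {
  count              = var.irsa_role_create ? 1 : 0
  name               = "cluster-autoscaler-irsa"
  assume_role_policy = var.irsa_trust_policy_json
}

locals {
  # Module-created role first; otherwise the caller-supplied ARN. Leaving this
  # empty when irsa_role_create = false is the bug: the pod then inherits the
  # node instance role, and that role's credentials are reachable by any pod
  # on the node, so the autoscaling permissions stop being scoped to one workload.
  irsa_role_arn = var.irsa_role_create ? aws_iam_role.irsa[0].arn : (
    var.irsa_assume_role_enabled ? var.irsa_assume_role_arn : ""
  )
}

resource "helm_release" "cluster_autoscaler" {
  name       = "cluster-autoscaler"
  repository = "https://kubernetes.github.io/autoscaler"
  chart      = "cluster-autoscaler"
  version    = "9.29.2"
  namespace  = "kube-system"

  # IRSA binds the role to the pod through this service-account annotation.
  set {
    name  = "rbac.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
    value = local.irsa_role_arn
  }

  lifecycle {
    # Fail the plan rather than deploy with an empty annotation.
    precondition {
      condition     = !var.irsa_assume_role_enabled || var.irsa_assume_role_arn != ""
      error_message = "irsa_assume_role_enabled = true requires a non-empty irsa_assume_role_arn."
    }
  }
}
```

A quick check after apply is `kubectl -n kube-system get sa cluster-autoscaler -o yaml` and confirming the eks.amazonaws.com/role-arn annotation carries the intended ARN rather than an empty string.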
Actual Results
The above configuration leads to
E0925 21:47:42.412942 1 aws_manager.go:262] Failed to regenerate ASG cache: AccessDenied: User: arn:aws:sts::xxxx:assumed-role/<node group name>/<the node instance id that cluster autoscaler is on> is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action
status code: 403, request id: d2049ca6-355c-456b-ad63-2abd509cc9a0
F0925 21:47:42.412994 1 aws_cloud_provider.go:426] Failed to create AWS Manager: AccessDenied: User: arn:aws:sts::xxxxxx:assumed-role/<node group name>/<the node instance id that cluster autoscaler is on> is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action