Comments (7)
Correct, it's not supported
from terraform-aws-eks.
I suppose that means the true 'bug' would be this line:
terraform-aws-eks/variables.tf
Line 42 in afadb14
since this module does not support the first option listed.
from terraform-aws-eks.
It's not a bug, it's a decision we have elected to take. Any particular reason you want your use the configmap only mode?
from terraform-aws-eks.
For us there is a bit of a mix of reasons; but the main reason is we add role ARNs that do not exist (yet) during cluster seeding and that's not possible with access entries, and a secondary reason is that we seed aws-auth from terraform but then have ArgoCD take over the runtime configuration.
We generally have a group of AWS accounts, one EKS cluster per account, where a controlling cluster owns multiple workload clusters. The controlling cluster runs application management functions (like ArgoCD) and distributes configurations and deployments. The order in which the clusters and AWS accounts themselves are created is not deterministic but is eventually consistent.
The groups themselves are managed by a global ArgoCD instance, its role is to provision other ArgoCDs.
Terraform kickstarts the AWS account and VPC baseline, and then an EKS-specific payload is applied on top of that, also with terraform to deploy EKS and a minimal configuration to allow remote control of the cluster. This is done using simple string templating for the ARNs, which might not exist (yet) if an entire environment is being replaced, seeded or reset to whatever is in Git (in case someone made manual changes).
While we technically don't require ConfigMap-exclusive access management, we're not using access entries so when reading the documentation of the module we used the values that are documented to be supported, but the described value is actually not supported at all and thus the configuration cannot be applied. We also have been trying out a way to run aws-auth from a forked version that supports wildcards (for SSO roles), which also isn't supported by access entries.
The comment above bootstrap_cluster_creator_admin_permissions
suggests this default was made because it's a one-time setting during cluster creation and therefore it's better to set it to false and use access entries instead since those can be changed at will, but the same applies to downgrading authentication_mode
, which can also only be done at creation time.
So, in short: the documentation of this module says something can be configured a certain way, but it can't. It's fine if we can't, but in such a case the documentation should probably not contradict the EKS API or AWS provider. We ran into that because we currently don't use access entries, and IAM-wise we don't tend to enable things we don't use.
from terraform-aws-eks.
So, in short: the documentation of this module says something can be configured a certain way, but it can't. It's fine if we can't, but in such a case the documentation should probably not contradict the EKS API or AWS provider. We ran into that because we currently don't use access entries, and IAM-wise we don't tend to enable things we don't use.
I don't follow - I don't see where we are contradicting with anything. if you have an existing cluster, that was created prior to v20 of this module, you can think of it as configmap only. you can upgrade to v20 and keep this same setting if you wish. however, on new clusters created starting with v20 and later, we are only supporting clusters that utilize access entry in API only mode, or API and configmap. and in the latter, it just means its possible to create access entries, but it doesn't mean you have to or that you aren't using something. this is why the default on v20 is API_AND_CONFIG_MAP
so in your scenario, I would stick with the v20 defaults, and keep using the configmap as you wish. the only scenario where this becomes an issue currently is with local clusters on outposts. otherwise, I don't see any issues with what we have provided
from terraform-aws-eks.
So the fact that authentication_mode = "CONFIG_MAP"
yields InvalidParameterException
, yet is documented as being supported (and not documented as being upgrade-only) is not a [documentation] bug?
I figured either of two things can be true:
-
CONFIG_MAP is supported as described
-
CONFIG_MAP is not supported, contrary to what is described
Maybe this makes my comment seem pedantic, but this just is what we observed when upgrading from 19.x to 20.x.
Perhaps this is due to the nature of some of our clusters being wiped and re-created from a single codebase, causing that codebase to not only roll forwards (with in-place upgrades) but also used to reset to a known state. I know that from an upgrade-only perspective,
terraform-aws-eks/docs/UPGRADE-20.0.md
Line 13 in afadb14
Either way, this still doesn't allow us to create clusters with CONFIG_MAP
only (unless we fall back to v19 first, and then go to v20 post-creation), regardless of whether this is a documentation specificity issue or not, but we can remedy that by modifying our process to just use API_AND_CONFIG_MAP
and update all clusters or wait until they are rotated out.
Do I close this as a non-bug, or do I make a PR to update the documentation and description to reflect the fact that this doesn't work for new clusters?
from terraform-aws-eks.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
from terraform-aws-eks.
Related Issues (20)
- Bottlerocket - SelfManaged NodeGroup - extra parameter issue HOT 2
- Error: Unsupported attribute for provider_key_arn when Upgrading to V19 from v18 HOT 6
- Add support for `ignore_failed_scaling_activities` HOT 1
- Add flexibility to choose cloudwatch event rule name HOT 1
- EKS cluster module doesn't create a cluster access entry for SSO users HOT 4
- No default networking add-ons: Terraform waiting for the nodes to be in Ready state (question) HOT 2
- Port 9443 and 8443 should not be added to node nsg unless these modules are installed HOT 2
- ConfigMap "aws-auth": Unauthorized HOT 6
- Can't pass tags to EC2 instance from eks managed node group HOT 1
- Add upgrade_policy config block for aws_eks_cluster HOT 1
- Created ec2 instances cannot join the cluster HOT 1
- Add depends_on for the 'resource "aws_eks_addon" "before_compute"' HOT 1
- dynamic number of access_entires HOT 1
- Documentation needs improvement + linting issue?
- Using terraform <1.6.0, `aws_ec2_tag` with dynamic tag *values* results in for_each error about unknown *keys* HOT 1
- Missing node to node security group
- AWS CLB creation question HOT 1
- 'cluster_service_ipv4_cidr' input variable apparently only accepts RFC1918 HOT 1
- Add gitlab ci for module creation HOT 1
- Use aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule instead of aws_security_group_rule HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from terraform-aws-eks.