Use of name_prefix about terraform-aws-eks HOT 15 CLOSED

What about use tf-0.12 goodies like this?

resource "aws_iam_role" "workers" {
    count                      = var.manage_worker_iam_resources ? 1 : 0
    name_prefix                = var.override_workers_role_name ? null : aws_eks_cluster.this.name
    name                       = var.override_workers_role_name ? var.workers_role_name : null
    assume_role_policy         = data.aws_iam_policy_document.workers_assume_role_policy.json
    permissions_boundary       = var.permissions_boundary
    path                       = var.iam_path
    force_detach_policies      = true
    tags                       = var.tags
}

from terraform-aws-eks.

Seems to be my personal preference to use name_prefix but both here now and in my ALB module, people seem to want the opposite. To lay it out there:

Brandon's opinion:

• name leaves room for collisions but name_prefix does not. Plays better with testing and means a consumer never needs to worry about creating the same resource in the same region/environment/account/project and hitting a name conflict. idk maybe that's not such a big deal.
• I care much more about a resource's ARN or its tags than its name. ARNs are hairy enough that I assume them to be consumed through remote states but I can see how cross-account needs might not render that possible...
• I (perhaps wrongly) assumed max resource lengths are handled for you with name prefixes... though now I'm second guessing whether this is the case for all resources. Also, unsure of how a name_prefix longer than the allowed name behaves...

Obviously, the drawback of name_prefix being the losing of control of names that become long and ugly.

In any case, I've seen this requested and never the opposite... not really enough data to say what consensus looks like but I'd be willing to make that switch over on the next major release. PR away.

from terraform-aws-eks.

Hmmm, thoughtful points.

Also, when using name_prefix for IAM items, it's possible to have clusters with the same name but in different regions. Without name_prefix, this would fail.

We could also use remote states to solve the names issue but then we also need cross account permissions to read both buckets for TF users.

I'll have a think and maybe make a PR.

from terraform-aws-eks.

I think I've evolved in my thought here as I've built some more things in the wild and use-cases have stacked up for this feature. I think there's a good case to be made for 100% user specified names of the resources in question rather than using name_prefix. This may be a breaking change but worth the trouble.

If a user wants to give randomization to any/all resource names, the module still allows that without enforcing it (i.e. append your cluster_name with random_string.suffix.result). I've come around that configuration details like naming should generally be passed, rather than assumed or enforced.

The name collision for globally-scoped resources (i.e. IAM) as you mentioned is what we're signing up for as a trade-off. I think clear docs around how to avoid that through good naming is reasonable. Thanks for linking the issue and consider the field open for PR here. 👍

from terraform-aws-eks.

Thanks for linking the issue and consider the field open for PR here.

Nice!

from terraform-aws-eks.

How to fetch IAM roles with name_prefix? Currently, terraform data_source for IAM role doesn't provide functionality to fetch with tags and neither do we have role tagging implemented. For certain automation like access to elasticsearch or IAM trust policy, it would be nice to use data source provider for IAM role.

from terraform-aws-eks.

How to fetch IAM roles with name_prefix?

I don't think it's possible. I think you need to use an output of the module instead.

from terraform-aws-eks.

is it possible to override the default worker role name if provided by a variable? I can create a PR if you are ready to approve.

from terraform-aws-eks.

@rverma-nikiai see here: #282

from terraform-aws-eks.

#282 is actually an alternative solution than having a name override. It's not I am facing any limitations with IAM creation. I do understand that the rationale behind name prefix is name clash accros region. We can handle this with having region in IAM role name.

from terraform-aws-eks.

Ah yes, you are right, sorry. Sure, make a PR 👍

from terraform-aws-eks.

Related: #496

from terraform-aws-eks.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from terraform-aws-eks.

This issue has been automatically closed because it has not had recent activity since being marked as stale.

from terraform-aws-eks.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

from terraform-aws-eks.