Comments (15)
What about use tf-0.12 goodies like this?
resource "aws_iam_role" "workers" {
count = var.manage_worker_iam_resources ? 1 : 0
name_prefix = var.override_workers_role_name ? null : aws_eks_cluster.this.name
name = var.override_workers_role_name ? var.workers_role_name : null
assume_role_policy = data.aws_iam_policy_document.workers_assume_role_policy.json
permissions_boundary = var.permissions_boundary
path = var.iam_path
force_detach_policies = true
tags = var.tags
}
from terraform-aws-eks.
Seems to be my personal preference to use name_prefix
but both here now and in my ALB module, people seem to want the opposite. To lay it out there:
Brandon's opinion:
name
leaves room for collisions butname_prefix
does not. Plays better with testing and means a consumer never needs to worry about creating the same resource in the same region/environment/account/project and hitting a name conflict. idk maybe that's not such a big deal.- I care much more about a resource's ARN or its tags than its
name
. ARNs are hairy enough that I assume them to be consumed through remote states but I can see how cross-account needs might not render that possible... - I (perhaps wrongly) assumed max resource lengths are handled for you with name prefixes... though now I'm second guessing whether this is the case for all resources. Also, unsure of how a
name_prefix
longer than the allowed name behaves...
Obviously, the drawback of name_prefix
being the losing of control of names that become long and ugly.
In any case, I've seen this requested and never the opposite... not really enough data to say what consensus looks like but I'd be willing to make that switch over on the next major release. PR away.
from terraform-aws-eks.
Hmmm, thoughtful points.
Also, when using name_prefix
for IAM items, it's possible to have clusters with the same name but in different regions. Without name_prefix
, this would fail.
We could also use remote states to solve the names issue but then we also need cross account permissions to read both buckets for TF users.
I'll have a think and maybe make a PR.
from terraform-aws-eks.
I think I've evolved in my thought here as I've built some more things in the wild and use-cases have stacked up for this feature. I think there's a good case to be made for 100% user specified names of the resources in question rather than using name_prefix
. This may be a breaking change but worth the trouble.
If a user wants to give randomization to any/all resource names, the module still allows that without enforcing it (i.e. append your cluster_name
with random_string.suffix.result
). I've come around that configuration details like naming should generally be passed, rather than assumed or enforced.
The name collision for globally-scoped resources (i.e. IAM) as you mentioned is what we're signing up for as a trade-off. I think clear docs around how to avoid that through good naming is reasonable. Thanks for linking the issue and consider the field open for PR here. 👍
from terraform-aws-eks.
Thanks for linking the issue and consider the field open for PR here.
Nice!
from terraform-aws-eks.
How to fetch IAM roles with name_prefix? Currently, terraform data_source for IAM role doesn't provide functionality to fetch with tags and neither do we have role tagging implemented. For certain automation like access to elasticsearch or IAM trust policy, it would be nice to use data source provider for IAM role.
from terraform-aws-eks.
How to fetch IAM roles with name_prefix?
I don't think it's possible. I think you need to use an output of the module instead.
from terraform-aws-eks.
is it possible to override the default worker role name if provided by a variable? I can create a PR if you are ready to approve.
from terraform-aws-eks.
@rverma-nikiai see here: #282
from terraform-aws-eks.
#282 is actually an alternative solution than having a name override. It's not I am facing any limitations with IAM creation. I do understand that the rationale behind name prefix is name clash accros region. We can handle this with having region in IAM role name.
from terraform-aws-eks.
Ah yes, you are right, sorry. Sure, make a PR 👍
from terraform-aws-eks.
Related: #496
from terraform-aws-eks.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from terraform-aws-eks.
This issue has been automatically closed because it has not had recent activity since being marked as stale.
from terraform-aws-eks.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
from terraform-aws-eks.
Related Issues (20)
- Add tag_specifications to ASG created by eks_managed_nodegroup HOT 4
- how to achieve blue-green deployment using this module. Could you please help with proper steps HOT 2
- AWS EKS Access Policy Association - ResourceNotFoundException: PrincipalArn Not Found HOT 11
- Terraform tries to recreate clusters previously using ConfigMap auth
- v20 does not support EKS cluster creation with authentication_mode=CONFIG_MAP HOT 6
- Karpenter example does not work, pods are pending (version 20.8.5) HOT 2
- Pod Identity Association missing from Karpenter module HOT 2
- EKS should be recreated when changing the value of create_kms_key HOT 1
- The module should support eks add-ons deploy flag HOT 7
- Manage node group user data is not being parsed HOT 4
- eks-managed-node-group requires cluster_service_cidr when use_custom_launch_template = false HOT 1
- Module argument cluster_encryption_config does not handle a null value HOT 1
- No way to tackle Karpenter when KMS is mandatory by default HOT 21
- fargate-profile: restrict role access based on SourceArn (or custom assume_role_policy) HOT 2
- Error: waiting for Security Group with node_security_group_additional_rules HOT 2
- Unable to update Node Groups in place with cluster placement group strategy without EFA HOT 3
- Allow tags in metadata and launch template tags not being applied to eks managed launch template HOT 2
- accessEntries not removed on node group(s) deletion HOT 3
- ERROR: The cluster's authentication mode must be set to one of [API, API_AND_CONFIG_MAP] to perform this operation. HOT 2
- Log rotation configuration. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from terraform-aws-eks.