This repository has been archived by the owner on Jul 21, 2023. It is now read-only.
terraform: don't configure kubernetes provider with output from gke/eks modules
#1046
Comments
tgeoghegan
added a commit
that referenced
this issue
Jan 6, 2022
Introduces a new module in `terraform/cluster_boostrap` which is responsible for provisioning a managed GKE or EKS Kubernetes cluster into a GCP project or AWS account provisioned by `isrg-cloud-bootstrap`. The bulk of the new module consists of the existing `eks` and `gke` modules, moved to a new location. We do this in a separate TF state to avoid configuring a TF provider with output from TF managed resources (see #1046 for details). The following functionality is new: - creation of an AWS ECR or Google Artifact Registry repository for container images via Terraform - creation of a ClusterRoleBinding for the read-only group in EKS This commit removes from `terraform/Makefile` management of the GCS bucket used to store the Terraform remote state. We now expect the bucket to have been created manually by the operator. This reduces the risk of bugs in `Makefile` targets accidentally destroying Terraform state. Finally, we align documentation in `terraform/README.md` with docs introduced in isrg-cloud-boostrap [1] and abetterinternet/docs [2]. [1] https://github.com/abetterinternet/isrg-cloud-bootstrap/pull/1 [2] https://github.com/abetterinternet/docs/pull/10 Resolves #1046 Part of #1170 Part of #1031
tgeoghegan
added a commit
that referenced
this issue
Jan 11, 2022
Introduces a new module in `terraform/cluster_boostrap` which is responsible for provisioning a managed GKE or EKS Kubernetes cluster into a GCP project or AWS account provisioned by `isrg-cloud-bootstrap`. The bulk of the new module consists of the existing `eks` and `gke` modules, moved to a new location. We do this in a separate TF state to avoid configuring a TF provider with output from TF managed resources (see #1046 for details). The following functionality is new: - creation of an AWS ECR or Google Artifact Registry repository for container images via Terraform - creation of a ClusterRoleBinding for the read-only group in EKS This commit removes from `terraform/Makefile` management of the GCS bucket used to store the Terraform remote state. We now expect the bucket to have been created manually by the operator. This reduces the risk of bugs in `Makefile` targets accidentally destroying Terraform state. Finally, we align documentation in `terraform/README.md` with docs introduced in isrg-cloud-boostrap [1] and abetterinternet/docs [2]. [1] https://github.com/abetterinternet/isrg-cloud-bootstrap/pull/1 [2] https://github.com/abetterinternet/docs/pull/10 Resolves #1046 Part of #1170 Part of #1031
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Our Terraform modules aim to manage an entire env with a single
terraform applycommand. Accordingly, we have moduleseksandgkewhich manage Elastic Kubernetes Service and Google Kubernetes Engine clusters, respectively, and we use outputs from those modules to configure providerkubernetes(e.g., API endpoint, server certificate, that sort of thing). According to issues on the Terraform project and TF documentation, this is an antipattern, is not supported by Terraform, and may break in future releases.We should understand what Terraform intends to support in the long term and do whatever refactoring of our modules is necessary to colour inside of the lines Hashicorp is providing. That might mean managing two Terraform states per environment (one to bring up a k8s cluster, one for every thing else), or it might mean more thoroughly dividing our
applyfromapply-bootstrapto rule out the possibility of any individualterraform plan/applyinvocation trying to modify too many resources at once.The text was updated successfully, but these errors were encountered: