fix: Remove trailing hyphen from cluster security group and iam role name prefix #1745
Conversation
|
I will let others chime in, but this is the defacto standard that we have adopted across the modules and the breaking nature of the change is why we have introduced it in the v18.x breaking change |
|
Well, just a day has passed since we released 18.0. I think we can bump 18.1.0 with this PR merged. We just need to ask people to use the latest version. Are there any other similar changes we should be doing? |
|
@antonbabenko Not a breaking change per se, but the default description of the security group was changed from: In addition, the resource rename of IMO as long as there is a workaround to prevent cluster recreation it's fine. While I understand this is a breaking change by nature of the v18.x bump, I suspect most people will expect to be able to upgrade this module without a requirement of needing to tear down their existing cluster. |
|
@imdevin567 users can elect to manage/create those roles and security groups outside of the EKS module and then pass them in - therefore, users still have the ability to avoid re-creation disruptions |
|
If you are defaulting to things that cause a cluster re-creation, their probably needs to be really good documentation on what is required to prevent that from happening. |
|
@bryantbiggs yes, but roles/security groups created by the module previously have dates appended to the names: i.e. As @jseiser said above, if we're going to leave this as the default then we should add more to the upgrade guide to prevent this from happening in the first place. |
|
If we want to leave the standard in place, would it be better to just add two variables?
This would decouple the name from the name prefix, allowing users to override either. |
|
@jseiser we have documentation, if there are pieces missing then PRs are welcome https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/UPGRADE-18.0.md Again, a lot of the changes made in v18.x are intended to hopefully simplify and stabilize the module. This module has been notoriously complex leading to very difficult maintenance and troubleshooting (#635). There are always ways around mitigating resource disruption depending on the level of user experience. The external role and security group creation that I am referring to @imdevin567 is not via imports but creating fresh new roles/security groups and then swapping those in to the EKS module. This does not result in any downtime or disruption and can potentially save you any additional headaches in the future |
|
@bryantbiggs correct me if I'm wrong, but you can't swap out a cluster role or security group without recreating the cluster. This was the original reason for the PR. |
|
the security group you should be able to since its an additional security group. I can't say for certain on the IAM role swap as I have not attempted it myself |
Considering I have yet to be able to follow your upgrade guide and end up with a working cluster, i do not think ill be much help adding to the documentation. So our enterprise is hard stuck on <18 for the time being. |
You or your enterprise can reach out and contribute a sponsorship if you would like, otherwise please feel free to enjoy the free OSS |
|
I think we should add a couple of new variables as per this comment by @imdevin567 - #1745 (comment) So that people in the same situation as @imdevin567 can provide the values to prevent an unnecessary recreation of resources. @bryantbiggs agree? |
|
I can make those changes to this PR pending a thumbs up from @bryantbiggs I'll submit a separate PR with additions to the upgrade guide for steps I needed to work through to avoid cluster recreation. |
You really think that is an appropriate response? |
are we doing this for all occurrences of both IAM role name and security group name?
|
|
@bryantbiggs I am thinking only about places where it actually changed between v17 and v18. |
|
if we are only looking at the cluster IAM role and security group then we could probably get away with a patch variable like
And add a note in the upgrade doc about flipping this value to |
|
Works for me. I'll add the change. |
CHANGELOG.md
Outdated
| @@ -2,6 +2,13 @@ | |||
|
|
|||
| All notable changes to this project will be documented in this file. | |||
|
|
|||
| ### [18.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v18.0.0...v18.0.1) (2022-01-06) | |||
There was a problem hiding this comment.
we can leave out any changes here, the release workflow will automatically update this
There was a problem hiding this comment.
My bad, needed to pull from upstream.
UPGRADE-18.0.md
Outdated
| @@ -28,6 +28,8 @@ Please consult the `examples` directory for reference example configurations. If | |||
| - The underlying autoscaling group and launch template have been updated to more closely match that of the [`terraform-aws-autoscaling`](https://github.com/terraform-aws-modules/terraform-aws-autoscaling) module and the features it offers | |||
| - The previous iteration used a count over a list of node group definitions which was prone to disruptive updates; this is now replaced with a map/for_each to align with that of the EKS managed node group and Fargate profile behaviors/style | |||
| - The user data configuration supported across the module has been completely revamped. A new `_user_data` internal sub-module has been created to consolidate all user data configuration in one location which provides better support for testability (via the [`examples/user_data`](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/user_data) example). The new sub-module supports nearly all possible combinations including the ability to allow users to provide their own user data template which will be rendered by the module. See the `examples/user_data` example project for the full plethora of example configuration possibilities and more details on the logic of the design can be found in the [`modules/_user_data`](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/modules/_user_data_) directory. | |||
| - The `aws_eks_cluster` resource has been removed and replaced with the `aws_eks_cluster_role_policy_attachment` resource. This change is to align with the [AWS EKS API changes](https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateCluster.html) and [AWS EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html) | |||
There was a problem hiding this comment.
is this line 31 change intentional?
There was a problem hiding this comment.
hahaha nope, that would be Copilot chiming in. Don't hit tab too quickly.
### [18.0.3](v18.0.2...v18.0.3) (2022-01-06) ### Bug Fixes * Remove trailing hyphen from cluster security group and iam role name prefix ([#1745](#1745)) ([7089c71](7089c71))
|
This PR is included in version 18.0.3 🎉 |
### [18.0.3](terraform-aws-modules/terraform-aws-eks@v18.0.2...v18.0.3) (2022-01-06) ### Bug Fixes * Remove trailing hyphen from cluster security group and iam role name prefix ([#1745](terraform-aws-modules/terraform-aws-eks#1745)) ([6722f30](terraform-aws-modules/terraform-aws-eks@6722f30))
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
A small naming change to prevent downstream recreation of resources.
Motivation and Context
Clusters created with previous versions of this module that relied on the generated cluster security group and/or cluster iam role are forced to be recreated when upgrading to version 18. The previous version used the cluster name as a prefix for both the SG and role. While you can override these now with
cluster_security_group_nameandiam_role_name, the module appends a hyphen to these values, which makes it impossible to set to the previous value.Renaming a security group or an IAM role causes a recreation of the resource; changing the security group or IAM role for an EKS cluster forces a recreation of the cluster.
Removing this hyphen still allows the user to append one if they want to, but doesn't force it, making the upgrade smoother.
Breaking Changes
No breaking change
How Has This Been Tested?
examples/*projects