
feat: Apply distinct() on role arns to ensure no duplicated roles in aws-auth configmap #2097

Conversation

chrissng
Contributor

@chrissng chrissng commented Jun 2, 2022

Description

Apply distinct() on role arns to ensure no duplicated roles in aws auth configmap

Motivation and Context

  1. Created a cluster with a couple of EKS managed node groups which shared the same IAM role names
```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 18.21"

  # other fields...

  eks_managed_node_groups = {
    "dummy_cpu" = {
      "ami_type" = "AL2_x86_64"
      "desired_size" = 1
      "instance_types" = [
        "t3.small",
      ]
      "max_size" = 1
      "min_size" = 0
      # other fields...
    }
    "dummy_gpu" = {
      "ami_type" = "AL2_x86_64_GPU"
      "desired_size" = 0
      "instance_types" = [
        "g4dn.xlarge",
      ]
      "max_size" = 1
      "min_size" = 0
      "taints" = [
        {
          "effect" = "NO_SCHEDULE"
          "key" = "nvidia.com/gpu"
          "value" = "true"
        },
      ]
      # other fields...
    }
    "dummy_testapp_cpu" = {
      "ami_type" = "AL2_x86_64"
      "desired_size" = 1
      "instance_types" = [
        "t3.small",
      ]
      "max_size" = 1
      "min_size" = 0
      # other fields...
    }
    "platform" = {
      "desired_size" = 1
      "instance_types" = [
        "t3.medium",
      ]
      "max_size" = 6
      "min_size" = 0
      # other fields...
    }
  }

  eks_managed_node_group_defaults = {
    "ami_type" = "AL2_x86_64"
    "capacity_type" = "SPOT"
    "create_iam_role" = false
    "iam_role_arn" = "arn:aws:iam::01234567890:role/eks-dummy-worker"
    # other fields...
  }

  manage_aws_auth_configmap = true
  aws_auth_roles            = var.map_roles
  aws_auth_users            = var.map_users
}
```
  2. When the module creates the aws auth configmap, there will be duplicates:
```text
# module.eks.kubernetes_config_map_v1_data.aws_auth[0] will be created
  + resource "kubernetes_config_map_v1_data" "aws_auth" {
      + data  = {
          + "mapAccounts" = jsonencode([])
          + "mapRoles"    = <<-EOT
                - "groups":
                  - "system:bootstrappers"
                  - "system:nodes"
                  "rolearn": "arn:aws:iam::01234567890:role/eks-dummy-worker"
                  "username": "system:node:{{EC2PrivateDNSName}}"
                - "groups":
                  - "system:bootstrappers"
                  - "system:nodes"
                  "rolearn": "arn:aws:iam::01234567890:role/eks-dummy-worker"
                  "username": "system:node:{{EC2PrivateDNSName}}"
                - "groups":
                  - "system:bootstrappers"
                  - "system:nodes"
                  "rolearn": "arn:aws:iam::01234567890:role/eks-dummy-worker"
                  "username": "system:node:{{EC2PrivateDNSName}}"
                - "groups":
                  - "system:bootstrappers"
                  - "system:nodes"
                  "rolearn": "arn:aws:iam::01234567890:role/eks-dummy-worker"
                  "username": "system:node:{{EC2PrivateDNSName}}"
                - "groups":
                  - "dummy"
                  "rolearn": "arn:aws:iam::01234567890:role/dummy"
                ...
            EOT
          + "mapUsers"    = <<-EOT
                - ...
            EOT
        }
      + force = true
      + id    = (known after apply)

      + metadata {
          + name      = "aws-auth"
          + namespace = "kube-system"
        }
    }
```
  3. Although there may not be any effect, it is probably undesirable to have duplicate role configuration, so this PR addresses this.

Breaking Changes

No breaking changes as it is a minor fix.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
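The following is an added example and not code from this PR or from the terraform-aws-eks module. It reconstructs, in Python, what the plan output above shows: four node groups inheriting one `iam_role_arn` produce four identical `mapRoles` entries, and an order-preserving dedupe equivalent to Terraform's `distinct()` collapses them to one. It also adds a small audit function a cluster operator can run over an existing `mapRoles` list to flag role ARNs that appear more than once, and the subset whose repeated entries disagree on `username` or `groups` (the case actually worth reviewing, since a role then has an ambiguous mapping). All node group names, the account id and the `dummy` role are taken from the PR text; `NODE_GROUPS`, `EXTRA_ROLES` and the helper names are constructed for this example.

```python
"""Added example (not the module's own code): rebuild the mapRoles list the
PR's plan output shows, apply an order-preserving dedupe equivalent to
Terraform's distinct(), and audit a mapRoles list for duplicate or
conflicting role ARNs. All inputs below are constructed from the PR."""
from collections import OrderedDict

# Constructed inputs modelled on the PR's module block: four EKS managed
# node groups that all inherit one iam_role_arn from the group defaults.
NODE_GROUPS = {"dummy_cpu": {}, "dummy_gpu": {}, "dummy_testapp_cpu": {}, "platform": {}}
NODE_GROUP_DEFAULTS = {"iam_role_arn": "arn:aws:iam::01234567890:role/eks-dummy-worker"}

# Constructed stand-in for the operator-supplied aws_auth_roles input.
EXTRA_ROLES = [{"rolearn": "arn:aws:iam::01234567890:role/dummy", "groups": ["dummy"]}]

NODE_GROUP_GROUPS = ["system:bootstrappers", "system:nodes"]
NODE_USERNAME = "system:node:{{EC2PrivateDNSName}}"


def node_role_arns(node_groups, defaults):
    """One ARN per node group: each group's settings merged over the defaults."""
    return [{**defaults, **cfg}["iam_role_arn"] for cfg in node_groups.values()]


def distinct(values):
    """Equivalent of Terraform's distinct(): drop later repeats, keep first-seen order."""
    return list(OrderedDict.fromkeys(values))


def build_map_roles(node_groups, defaults, extra_roles, dedupe=True):
    """Assemble mapRoles entries; dedupe=False reproduces the pre-PR duplicates."""
    arns = node_role_arns(node_groups, defaults)
    if dedupe:
        arns = distinct(arns)
    node_entries = [
        {"rolearn": arn, "username": NODE_USERNAME, "groups": list(NODE_GROUP_GROUPS)}
        for arn in arns
    ]
    return node_entries + [dict(role) for role in extra_roles]


def audit_map_roles(entries):
    """Defender-side check for an existing mapRoles list: return (duplicates,
    conflicts) where duplicates are ARNs listed more than once and conflicts
    are the subset whose repeated entries disagree on username or groups."""
    seen = {}
    duplicates, conflicts = set(), set()
    for entry in entries:
        arn = entry["rolearn"]
        shape = (entry.get("username"), tuple(sorted(entry.get("groups", []))))
        if arn in seen:
            duplicates.add(arn)
            if seen[arn] != shape:
                conflicts.add(arn)
        else:
            seen[arn] = shape
    return sorted(duplicates), sorted(conflicts)


def to_yaml(entries):
    """Minimal YAML rendering in the same layout as the Terraform plan output."""
    lines = []
    for entry in entries:
        lines.append('- "groups":')
        for group in entry.get("groups", []):
            lines.append(f'  - "{group}"')
        lines.append(f'  "rolearn": "{entry["rolearn"]}"')
        if "username" in entry:
            lines.append(f'  "username": "{entry["username"]}"')
    return "\n".join(lines)


if __name__ == "__main__":
    before = build_map_roles(NODE_GROUPS, NODE_GROUP_DEFAULTS, EXTRA_ROLES, dedupe=False)
    after = build_map_roles(NODE_GROUPS, NODE_GROUP_DEFAULTS, EXTRA_ROLES)
    print("before distinct():", len(before), "entries; duplicates:", audit_map_roles(before)[0])
    print("after distinct(): ", len(after), "entries; duplicates:", audit_map_roles(after)[0])
    print(to_yaml(after))
```

Running the script prints five entries before the dedupe and two after, matching the four repeated `eks-dummy-worker` blocks in the plan above collapsing to one. `audit_map_roles` is deliberately separate from the build step so it can be pointed at a `mapRoles` list read back from a live cluster; a non-empty `conflicts` result is the finding to act on, while plain `duplicates` is the cosmetic case this PR removes.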

@chrissng chrissng changed the title Apply distinct() on role arns to ensure no duplicated roles in aws auth configmap fix: Apply distinct() on role arns to ensure no duplicated roles in aws auth configmap Jun 2, 2022
@bryantbiggs bryantbiggs changed the title fix: Apply distinct() on role arns to ensure no duplicated roles in aws auth configmap feat: Apply distinct() on role arns to ensure no duplicated roles in aws-auth configmap Jun 2, 2022
Member

@bryantbiggs bryantbiggs left a comment

Makes sense, thanks for the PR @chrissng !

@bryantbiggs bryantbiggs merged commit 3feb369 into terraform-aws-modules:master Jun 2, 2022
antonbabenko pushed a commit that referenced this pull request Jun 2, 2022
## [18.22.0](v18.21.0...v18.22.0) (2022-06-02)

### Features

* Apply `distinct()` on role arns to ensure no duplicated roles in aws-auth configmap ([#2097](#2097)) ([3feb369](3feb369))
@antonbabenko
Member

This PR is included in version 18.22.0 🎉

spr-mweber3 pushed a commit to spring-media/terraform-aws-eks that referenced this pull request Jun 7, 2022
## [18.22.0](terraform-aws-modules/terraform-aws-eks@v18.21.0...v18.22.0) (2022-06-02)

### Features

* Apply `distinct()` on role arns to ensure no duplicated roles in aws-auth configmap ([terraform-aws-modules#2097](terraform-aws-modules#2097)) ([3feb369](terraform-aws-modules@3feb369))
baibailiha added a commit to baibailiha/terraform-aws-eks that referenced this pull request Sep 13, 2022
## [18.22.0](terraform-aws-modules/terraform-aws-eks@v18.21.0...v18.22.0) (2022-06-02)

### Features

* Apply `distinct()` on role arns to ensure no duplicated roles in aws-auth configmap ([#2097](terraform-aws-modules/terraform-aws-eks#2097)) ([00a7592](terraform-aws-modules/terraform-aws-eks@00a7592))
@github-actions

github-actions bot commented Nov 8, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2022