-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Evaluate aws_iam_role_policy_attachment.this conditional before items #2396
Conversation
This is an incorrect understanding. The format used currently is correct - the format proposed is incorrect and will throw a type mis-match error |
Based on this feedback I have run tests for various Terraform versions that are supported by this module, and cannot find an instance of a type mis-match error being thrown. I've tested against the following versions, with the apply logs uploaded to https://github.com/demolitionmode/terraform-aws-eks/tree/testing/testing/results
I made use of Terragrunt and tfenv to switch versions and module sources to compare both master and my fork; the script to do so is test.sh (here), and the Terraform resources in the templated main.tf (here). The resources were simplified from the examples as creating/destroying a cluster each time would be time-consuming, but I'm happy to run those tests if there's something missing from these. |
The left side of the conditional is of type var.create && var.create_iam_instance_profile ? toset(compact([
"${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy",
"${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly",
var.iam_role_attach_cni_policy ? local.cni_policy : "",
])) : [] This is a type mis-match and will produce the well known error |
However, if we ignore all of that - the code is written as intended and is correct. If I had to make a guess, I suspect you have a |
This would be the case if the false result was
I'm happy to upload test results comparing
That is correct. The reason for this is that there is a resource (vpc-cni) being created outside the module which should happen before any nodes are created, but there is no data being accessed by the nodegroup module; the dependency is solely based on preventing a race condition in which a node is created before a particular kubernetes object exists (ENIConfig). The reason for delaying node creation stems from the note in AWS docs
Given that there are hidden dependencies that Terraform cannot automatically infer,
|
you can read through #2337 which covers all of this |
I'm afraid I don't see a solution in that thread. There are others who also need to wait for the CNI plugin to finish before the node group module can run, but they have been steered towards building their own module for this and implementing a "fake" dependency fix. The alternative I have if this module can't be updated is that I'll have to duplicate the
Yes, Terraform say the above, but it is not possible to use an explicit reference to have the node group wait for the CNI plugin to finish before creating; the node group uses no data from this resource. The example in the issue given when making that statement is not the same as the situation in the node group module. The use case I have been explaining does not have resources being created that are relying on To be clear, I have no issue with the data block being in the module, and I don't intend to create any resources that make use of it when using I can create another example that spins up a VPC etc, similar to https://github.com/bryantbiggs/how-to-create-reproduction, if it will help to show why the module needs |
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
Currently the
for_each
inaws_iam_role_policy_attachment.this
will cause Terraform to resolve each item in the set before evaluating whether it would use that set; this change postpones the resolution until after evaluatingvar.create
andvar.create_iam_instance_profile
. This means that the items are allowed to be unresolvable, given that they are discarded immediately by the conditionals.Motivation and Context
For example:
depends_on
when calling this module to delay nodegroup creation until after deploying a CNI config dependencyThe "for_each" value depends on resource attributes that cannot be determined until apply...
)aws_partition
data source, and does not needdepends_on
)depends_on
to delay creation)create_iam_instance_profile = false
still relies on theaws_partition
data source due to the evaluation order (this PR fixes that).Example code
Breaking Changes
No breaking changes
How Has This Been Tested?
examples/*
to demonstrate and validate my change(s)examples/*
projectspre-commit run -a
on my pull requestTesting has been done using the code snippet in the example above (prior to cluster creation; the intention is that this can be used to create a brand new cluster from scratch, fully automated)
Prior to fix
Output:
After fix
Plan is successful