configmap change fail when changing global tags

[ArchiFleKs]

Description

When changing cluster tag and running apply ( tested in TF 0.14.10 and 1.0.0) even when forcing a refresh before the configmmap map refresh fail with the classic:

╷                                                                                                                                                                                                                                                                                                                                                                                                                                      
│ Error: Get "http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth": dial tcp 127.0.0.1:80: connect: connection refused                                                                                                                                                                                                                                                                                                  
│                                                                                                                                                                                                                                                                                                                                                                                                                                      
│   with kubernetes_config_map.aws_auth[0],                                                                                                                                                                                                                                                                                                                                                                                            
│   on aws_auth.tf line 63, in resource "kubernetes_config_map" "aws_auth":                                                                                                                                                                                                                                                                                                                                                            
│   63: resource "kubernetes_config_map" "aws_auth" {                                                                                                                                                              
│                                                                                            
╵                                                

Versions

• Terraform: 1.0.0

• Provider(s):

Terraform v1.0.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.43.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.3.0
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/terraform-aws-modules/http v2.4.1

• Module:

Reproduction

Steps to reproduce the behavior:

Code Snippet to Reproduce

Change the tags values on the module

Expected behavior

Configmap is refreshed

Actual behavior

╷                                                                                                                                                                                                                                                                                                                                                                                                                                      
│ Error: Get "http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth": dial tcp 127.0.0.1:80: connect: connection refused                                                                                                                                                                                                                                                                                                  
│                                                                                                                                                                                                                                                                                                                                                                                                                                      
│   with kubernetes_config_map.aws_auth[0],                                                                                                                                                                                                                                                                                                                                                                                            
│   on aws_auth.tf line 63, in resource "kubernetes_config_map" "aws_auth":                                                                                                                                                                                                                                                                                                                                                            
│   63: resource "kubernetes_config_map" "aws_auth" {                                                                                                                                                                                                                                                                                                                                                                                  
│                                                                                                                                                                                                                                                                                                                                                                                                                                      
╵                                                                                                                                                                                                                                                                                                                                                                                                                                      
ERRO[0012] Hit multiple errors:              

Additional context

I'm using Terragrunt, here is my provider block:

    provider "aws" {
      region = "${local.aws_region}"
    }
    provider "kubernetes" {
      host                   = data.aws_eks_cluster.cluster.endpoint
      cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
      token                  = data.aws_eks_cluster_auth.cluster.token
    }
    data "aws_eks_cluster" "cluster" {
      name = aws_eks_cluster.this[0].id
    }
    data "aws_eks_cluster_auth" "cluster" {
      name = aws_eks_cluster.this[0].id
    }

[rymancl]

Just commenting that I have run into this issue multiple times in the past when trying to alter tags. I don't use this module, so I suspect the issue may be related to the kubernetes provider itself. I'm using the latest v2.x.x provider version.

Currently the only way we can change the tags is to destroy the cluster and re-create it with the updated tags.

If anyone has a better workaround, please let me know!

[ArchiFleKs]

Just commenting that I have run into this issue multiple times in the past when trying to alter tags. I don't use this module, so I suspect the issue may be related to the kubernetes provider itself. I'm using the latest v2.x.x provider version.

Currently the only way we can change the tags is to destroy the cluster and re-create it with the updated tags.

If anyone has a better workaround, please let me know!

You can set manage AWS auth to false in module. Then remove the config map from the state. Then apply your changes. Then switch the flag to true. Finally reimport config map in state

[igorinsky]

We've spotted the same issue in attempts to change EKS cluster version - terragrunt failed to authorize while refreshing for kubernetes_config_map.aws_auth[0].

But it doesn't fail when you do other operations (it refreshes the state without errors) or even modify map_roles, which is all about this resource.

Our workaround was to add config_path to kubernetes provider identical to kubeconfig_output_path, e.g.

provider "kubernetes" {
  config_path = "/tmp/kubeconfig"
}

and move back to

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.cluster.token
}

once changes were applied.

P.S. Still seems like a bug. FYI module version we used was 17.0.3

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had recent activity since being marked as stale.

[clushie]

I'm not sure there are bunch of issues related to this behavior, perhaps it would maybe make sense to track them in some place? It is definitively still an issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.