-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat!: Add support for Outposts, remove node security group, add support for addon preserve
and most_recent
configurations
#2250
feat!: Add support for Outposts, remove node security group, add support for addon preserve
and most_recent
configurations
#2250
Conversation
…ts on addons; raise minimum requirements to support
… update examples to consolidate
…date cluster encryption config
preserve
and most_recent
configurations
…licts; this is the responsibility of the provider
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks pretty good! Just a few minor comments here and there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 87ced51
When specifying create_kms_key = false
, this error happens.
cluster_encryption_config = {
provider_key_arn = aws_kms_key.eks.arn
resources = ["secrets"]
}
create_kms_key = false
╷
│ Error: Unsupported attribute
│
│ on .terraform/modules/eks/main.tf line 350, in resource "aws_iam_policy" "cluster_encryption":
│ 350: Resource = var.create_kms_key ? [module.kms.key_arn] : [for config in var.cluster_encryption_config : config.provider_key_arn]
│
│ Can't access attributes on a primitive-typed value (string).
╵
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After a small fix in the upgrade guide, it looks great to me. I have successfully applied this PR and migrated from v18. No problems so far :)
FYI - we are validating deployment of EKS on Outposts in local mode and further changes may be added |
…d by AWS provider
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM (still)
f106c6c
to
7146a82
Compare
bug found in provider, converting to draft until fixed and supported hashicorp/terraform-provider-aws#27560 |
…dation hence the git push
7146a82
to
2b69482
Compare
…ompatibilityf or cluster ID vs name
## [19.0.0](v18.31.2...v19.0.0) (2022-12-05) ### ⚠ BREAKING CHANGES * Add support for Outposts, remove node security group, add support for addon `preserve` and `most_recent` configurations (#2250) ### Features * Add support for Outposts, remove node security group, add support for addon `preserve` and `most_recent` configurations ([#2250](#2250)) ([b2e97ca](b2e97ca))
This PR is included in version 19.0.0 🎉 |
…ort for addon `preserve` and `most_recent` configurations (terraform-aws-modules#2250) Co-authored-by: Anton Babenko <[email protected]> Resolves undefined
## [19.0.0](terraform-aws-modules/terraform-aws-eks@v18.31.2...v19.0.0) (2022-12-05) ### ⚠ BREAKING CHANGES * Add support for Outposts, remove node security group, add support for addon `preserve` and `most_recent` configurations (terraform-aws-modules#2250) ### Features * Add support for Outposts, remove node security group, add support for addon `preserve` and `most_recent` configurations ([terraform-aws-modules#2250](terraform-aws-modules#2250)) ([b2e97ca](terraform-aws-modules@b2e97ca))
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
List of backwards incompatible changes
cluster_id
output used to output the name of the cluster. This is due to the fact that the cluster name is a unique constraint and therefore its set as the unique identifier within Terraform's state map. However, starting with local EKS clusters created on Outposts, there is now an attribute returned from theaws eks create-cluster
API namedid
. Thecluster_id
has been updated to return this value which means that for current, standard EKS clusters created in the AWS cloud, no value will be returned (at the time of this writing) forcluster_id
and only local EKS clusters on Outposts will return a value that looks like a UUID/GUID. Users should switch all instances ofcluster_id
to usecluster_name
before upgrading to v19. Referencevar.iam_role_additional_policies
(one for each of the following: cluster IAM role, EKS managed node group IAM role, self-managed node group IAM role, and Fargate Profile IAM role) accepted a list of strings. This worked well for policies that already existed but failed for policies being created at the same time as the cluster due to the well known issue of unkown values used in afor_each
loop. To rectify this issue inv19.x
, two changes were made:var.iam_role_additional_policies
was changed from typelist(string)
to typemap(string)
-> this is a breaking change. More information on managing this change can be found below, underTerraform State Moves
try()
withlookup()
. More details on why can be found hereClusterName
tag and the event rule name is now a prefix. This guarantees that users can have multiple instances of Karpenter withe their respective event rules/SQS queue without name collisions, while also still being able to identify which queues and event rules belong to which cluster.Added
preserve
as well asmost_recent
on addons.preserve
indicates if you want to preserve the created resources when deleting the EKS add-onmost_recent
indicates if you want to use the most recent revision of the add-on or the default version (default)Modified
cluster_security_group_additional_rules
andnode_security_group_additional_rules
have been modified to uselookup()
instead oftry()
to avoid the well known issue of unkown values within afor_each
loopblock_device_mappings
previously required a map of maps but has since changed to an array of maps. Users can remove the outer key for each block device mapping and replace the outermost map{}
with an array[]
. There are no state changes required for this change.node_security_group_ntp_ipv4_cidr_block
previously defaulted to["0.0.0.0/0"]
and now defaults to["169.254.169.123/32"]
(Referenc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html)node_security_group_ntp_ipv6_cidr_block
previously defaulted to["::/0"]
and now defaults to["fd00:ec2::123/128"]
(Referenc: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html)create_kms_key
previously defaulted tofalse
and now defaults totrue
. Clusters created with this module now default to enabling secret encryption by default with a customer managed KMS key created by this modulecluster_encryption_config
previously used a type oflist(any)
and now uses a type ofany
-> users can simply remove the outer[
...]
brackets onv19.x
cluster_encryption_config
previously defaulted to[]
and now defaults to{resources = ["secrets"]}
to encrypt secrets by defaultcluster_endpoint_public_access
previously defaulted totrue
and now defaults tofalse
. Clusters created with this module now default to private only access to the cluster endpointcluster_endpoint_private_access
previously defaulted tofalse
and now defaults totrue
"OVERWRITE"
as the default value forresolve_conflicts
to ease addon upgrade management. Users can opt out of this by instead setting"NONE"
as the value forresolve_conflicts
kms
module used has been updated fromv1.0.2
tov1.1.0
- no material changes other than updated to latestUPGRADE-19.0.md
for full list of changes and upgrade guidanceMotivation and Context
Breaking Changes
UPGRADE-19.0.md
for full list of changes and upgrade guidanceHow Has This Been Tested?
examples/*
to demonstrate and validate my change(s)examples/*
projectspre-commit run -a
on my pull request