I have a terraform.tf file which is creating an aws-auth configMap instead of editing it. Are there any examples of how I can edit an existing aws-auth configMap? I hope this is a related topic.
You might need to share a bit more information for help on this. Below are the steps I took to test this. Could you share the relevant tf you’re referring to?
Notes

I created test.tf, which will create a config map.
```text
protosam@localhost$ cat test.tf
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "docker-desktop"
}

resource "kubernetes_config_map" "example_cm" {
  metadata {
    name = "my-config"
  }

  data = {
    api_host = "myhost:443"
    db_host  = "dbhost:5432"
  }
}
```
I applied test.tf, which created the ConfigMap my-config.
```text
protosam@localhost$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # kubernetes_config_map.example_cm will be created
  + resource "kubernetes_config_map" "example_cm" {
      + data = {
          + "api_host" = "myhost:443"
          + "db_host"  = "dbhost:5432"
        }
      + id   = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + name             = "my-config"
          + namespace        = "default"
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_config_map.example_cm: Creating...
kubernetes_config_map.example_cm: Creation complete after 0s [id=default/my-config]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
```
I edited the values in `test.tf`.
```text
protosam@localhost$ vim test.tf
protosam@localhost$ cat test.tf
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "docker-desktop"
}

resource "kubernetes_config_map" "example_cm" {
  metadata {
    name = "my-config"
  }

  data = {
    api_host = "abcd"
    db_host  = "1234567898765432"
  }
}
```
I applied the changes, and terraform shows it’s changing the ConfigMap, not recreating it.
```text
protosam@localhost$ terraform apply
kubernetes_config_map.example_cm: Refreshing state... [id=default/my-config]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # kubernetes_config_map.example_cm has been changed
  ~ resource "kubernetes_config_map" "example_cm" {
      + binary_data = {}
        id          = "default/my-config"
        # (1 unchanged attribute hidden)

      ~ metadata {
          + annotations = {}
          + labels      = {}
            name        = "my-config"
            # (4 unchanged attributes hidden)
        }
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # kubernetes_config_map.example_cm will be updated in-place
  ~ resource "kubernetes_config_map" "example_cm" {
      ~ data = {
          ~ "api_host" = "myhost:443" -> "abcd"
          ~ "db_host"  = "dbhost:5432" -> "1234567898765432"
        }
        id   = "default/my-config"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_config_map.example_cm: Modifying... [id=default/my-config]
kubernetes_config_map.example_cm: Modifications complete after 0s [id=default/my-config]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
```
Hi @protosam, I’m using AWS EKS, therefore the configMap aws-auth is created automatically when the cluster is created. Here is my .tf file.
```hcl
resource "kubernetes_config_map" "example" {
  metadata {
    name      = "aws-auth-test"
    namespace = "kube-system"
  }

  data = {
    # mapRoles is stored as a YAML string inside the ConfigMap
    mapRoles = yamlencode(local.test)
  }
}

locals {
  # mapRoles must be a YAML list of role mappings (one object per IAM role),
  # so the local is a list; further ARNs are added as more elements here
  test = [
    {
      rolearn  = "arn:aws:iam::xx:role/workers"
      username = "system:node:{{EC2PrivateDNSName}}"
      groups = [
        "system:bootstrappers",
        "system:nodes",
      ]
    },
  ]
}
```
@protosam And when I would like to add extra ARNs, it creates another configMap instead of editing it.
The AWS provider documentation states that by default it manages the aws-auth configmap for you.

So I think the problem is that the Kubernetes provider can’t just go modifying that; it’s managed by the AWS provider.

You could manage it yourself, but that would probably require rebuilding the cluster. The only options I see from the AWS provider are to add labels to it or just manage it yourself: https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest
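As an added example (not code from anyone in this thread), here is one way to edit the cluster-created aws-auth ConfigMap in place rather than creating a second one: the kubernetes provider's `kubernetes_config_map_v1_data` resource patches only the data keys of an existing ConfigMap and leaves the object itself where EKS put it. It assumes the kubernetes provider is already pointed at the EKS cluster; the account ID and role ARNs are placeholders.

```hcl
# Added example, not from the thread. Assumes the kubernetes provider is
# already configured for the EKS cluster; 111122223333 and the role names
# are placeholders.

locals {
  # mapRoles is a YAML list of role mappings. Every entry here maps an IAM
  # role to a Kubernetes username and RBAC groups, so this list is an
  # authorization policy: review it like one.
  aws_auth_roles = [
    {
      # Node-group role: removing this entry stops new nodes from joining.
      rolearn  = "arn:aws:iam::111122223333:role/workers" # placeholder
      username = "system:node:{{EC2PrivateDNSName}}"
      groups   = ["system:bootstrappers", "system:nodes"]
    },
    {
      # Extra ARN added later. system:masters is cluster-admin; map an
      # operator role here only if that is really what you want.
      rolearn  = "arn:aws:iam::111122223333:role/cluster-admin" # placeholder
      username = "cluster-admin"
      groups   = ["system:masters"]
    },
  ]
}

# Patch the existing kube-system/aws-auth ConfigMap instead of creating a
# new one. Only the keys listed under data are managed; other keys in the
# ConfigMap are left alone.
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  data = {
    mapRoles = yamlencode(local.aws_auth_roles)
  }

  # The map was created by EKS, so another field manager owns mapRoles.
  # force = true lets Terraform take that field over instead of failing.
  force = true
}
```

Because `force = true` takes ownership of `mapRoles` from whichever field manager wrote it last, the list in Terraform becomes the complete list: an entry left out here is removed from the cluster on the next apply, so keep the node-group mapping intact and treat anything mapped to `system:masters` as a cluster-admin grant. If you would rather own the whole object, the alternative is to import the existing map into a `kubernetes_config_map` resource with `terraform import kubernetes_config_map.aws_auth kube-system/aws-auth` (the import ID is `namespace/name`, the same format as the `default/my-config` ID in the plan output earlier in the thread) rather than applying a resource that creates a new one.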