Editing the `aws-auth` configMap with Terraform

I have a terraform.tf file which is creating an aws-auth configMap instead of editing it. Are there any examples of how I can edit an existing aws-auth configMap? I hope this is a related topic.

You might need to share a bit more information for help on this. Below are the steps I took to test this. Could you share the relevant tf you’re referring to?

Notes

I created test.tf which will create a config map.

protosam@localhost$ cat test.tf 
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "docker-desktop"
}


resource "kubernetes_config_map" "example_cm" {
  metadata {
    name = "my-config"
  }

  data = {
    api_host             = "myhost:443"
    db_host              = "dbhost:5432"
  }

}

I applied test.tf which created ConfigMap my-config.

protosam@localhost$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # kubernetes_config_map.example_cm will be created
  + resource "kubernetes_config_map" "example_cm" {
      + data = {
          + "api_host" = "myhost:443"
          + "db_host"  = "dbhost:5432"
        }
      + id   = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + name             = "my-config"
          + namespace        = "default"
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_config_map.example_cm: Creating...
kubernetes_config_map.example_cm: Creation complete after 0s [id=default/my-config]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

I edited the values in `test.tf`.

protosam@localhost$ vim test.tf 
protosam@localhost$ cat test.tf 
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "docker-desktop"
}


resource "kubernetes_config_map" "example_cm" {
  metadata {
    name = "my-config"
  }

  data = {
    api_host             = "abcd"
    db_host              = "1234567898765432"
  }

}

I applied the changes and Terraform shows it’s changing the ConfigMap and not recreating it.

protosam@localhost$ terraform apply
kubernetes_config_map.example_cm: Refreshing state... [id=default/my-config]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # kubernetes_config_map.example_cm has been changed
  ~ resource "kubernetes_config_map" "example_cm" {
      + binary_data = {}
        id          = "default/my-config"
        # (1 unchanged attribute hidden)

      ~ metadata {
          + annotations      = {}
          + labels           = {}
            name             = "my-config"
            # (4 unchanged attributes hidden)
        }
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # kubernetes_config_map.example_cm will be updated in-place
  ~ resource "kubernetes_config_map" "example_cm" {
      ~ data        = {
          ~ "api_host" = "myhost:443" -> "abcd"
          ~ "db_host"  = "dbhost:5432" -> "1234567898765432"
        }
        id          = "default/my-config"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_config_map.example_cm: Modifying... [id=default/my-config]
kubernetes_config_map.example_cm: Modifications complete after 0s [id=default/my-config]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Hi @protosam, I’m using AWS EKS, therefore the configMap aws-auth is created automatically when the cluster is created. Here is my .tf file.

resource "kubernetes_config_map" "example" {
  count      = 1
  depends_on = []

  metadata {
    name      = "aws-auth-test"   # a separate object; the EKS-created one is named "aws-auth"
    namespace = "kube-system"
    labels    = {}
  }

  data = {
    # mapRoles must be a YAML list of entries, so the single entry is wrapped in a list
    mapRoles = yamlencode([local.test])
  }

  lifecycle {
    create_before_destroy = false
    ignore_changes        = []
  }
}

locals {
  test = {
    rolearn  = "arn:aws:iam::xx:role/workers"
    username = "system:node:{{EC2PrivateDNSName}}"
    groups = [
      "system:bootstrappers",
      "system:nodes"
    ]
  }
}

@protosam And when I want to add extra ARNs, it creates another configMap instead of editing it.

The AWS provider documentation states that by default it manages the aws-auth configmap for you.

So I think the problem is that the Kubernetes provider can’t just go modifying that; it’s managed by the AWS provider.

You could manage it yourself, but that would probably require rebuilding the cluster. The only options I see from the AWS provider are to add labels to it or just manage it yourself: https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest
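The thread stops at "manage it yourself", so here is what that looks like with the plain Kubernetes provider, as an added example that is not code from any participant in this thread. It takes over the EKS-created `aws-auth` object (same name and namespace, not a new `aws-auth-test`) and builds `mapRoles` as a YAML list from variables, so adding an ARN is an in-place update rather than a second ConfigMap. It goes a little beyond the thread's single node-role entry by also mapping admin roles. The variable names, the resource address `kubernetes_config_map.aws_auth`, and the account ID in the placeholder ARN are assumptions for illustration.

```hcl
# Added example, not from the thread. Adopts the existing aws-auth ConfigMap and
# manages its mapRoles from variables. ARNs and variable names are placeholders.

variable "worker_role_arns" {
  description = "IAM roles of node groups that must be allowed to join the cluster"
  type        = list(string)
  default     = ["arn:aws:iam::111122223333:role/workers"] # placeholder account ID
}

variable "admin_role_arns" {
  description = "IAM roles granted system:masters (cluster-admin); keep this list short"
  type        = list(string)
  default     = []
}

locals {
  # One entry per node role; EKS fills in {{EC2PrivateDNSName}} at node auth time.
  node_entries = [for arn in var.worker_role_arns : {
    rolearn  = arn
    username = "system:node:{{EC2PrivateDNSName}}"
    groups   = ["system:bootstrappers", "system:nodes"]
  }]

  # Human/admin roles; {{SessionName}} keeps the STS session name in the audit log.
  admin_entries = [for arn in var.admin_role_arns : {
    rolearn  = arn
    username = "admin:{{SessionName}}"
    groups   = ["system:masters"]
  }]
}

resource "kubernetes_config_map" "aws_auth" {
  metadata {
    name      = "aws-auth"    # the object EKS created, not a new name
    namespace = "kube-system"
  }

  data = {
    # mapRoles must be a YAML *list* of entries; concat keeps it a list as
    # variables grow, so adding an ARN shows up as "update in-place".
    mapRoles = yamlencode(concat(local.node_entries, local.admin_entries))
  }

  lifecycle {
    # Never let a plan delete this object: a destroy/create window drops every
    # node and user mapping, which locks everyone out of the cluster.
    prevent_destroy = true
  }
}
```

Before the first apply, adopt the object that EKS already created rather than creating it: `terraform import kubernetes_config_map.aws_auth kube-system/aws-auth` (the ID format is `namespace/name`, the same shape as the `default/my-config` ID in the output above). The next `terraform plan` should then show only `~ update in-place`; a `+ create` means the import did not land, and a `-/+ replace` or `- destroy` means stop and look before applying. Two caveats a reviewer would ask about: this resource owns the whole `data` map, so if the existing aws-auth also carries `mapUsers` or `mapAccounts`, those keys must be added to the config or Terraform removes them on apply; and since aws-auth is the IAM-to-RBAC authorization boundary of the cluster, whoever can change these variables, the state file, or the pipeline that applies them can grant themselves `system:masters`, so treat that path with the same care as the IAM roles themselves.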