Editing `aws-auth configMap`, with Terraform

I've a terraform.tf file which is creating an aws-auth configMap instead of editing it. Are there any examples of how I can edit an existing aws-auth configMap? I hope this is a related topic.


You might need to share a bit more information for help on this. Below are the steps I took to test this. Could you share the relevant tf you're referring to?

Notes

I created test.tf which will create a config map.

protosam@localhost$ cat test.tf 
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "docker-desktop"
}


resource "kubernetes_config_map" "example_cm" {
  metadata {
    name = "my-config"
  }

  data = {
    api_host             = "myhost:443"
    db_host              = "dbhost:5432"
  }

}

I applied test.tf which created ConfigMap my-config.

protosam@localhost$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # kubernetes_config_map.example_cm will be created
  + resource "kubernetes_config_map" "example_cm" {
      + data = {
          + "api_host" = "myhost:443"
          + "db_host"  = "dbhost:5432"
        }
      + id   = (known after apply)

      + metadata {
          + generation       = (known after apply)
          + name             = "my-config"
          + namespace        = "default"
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_config_map.example_cm: Creating...
kubernetes_config_map.example_cm: Creation complete after 0s [id=default/my-config]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

I edited the values in test.tf.

protosam@localhost$ vim test.tf 
protosam@localhost$ cat test.tf 
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "docker-desktop"
}


resource "kubernetes_config_map" "example_cm" {
  metadata {
    name = "my-config"
  }

  data = {
    api_host             = "abcd"
    db_host              = "1234567898765432"
  }

}

I applied the changes and terraform shows it's changing the ConfigMap and not recreating it.

protosam@localhost$ terraform apply
kubernetes_config_map.example_cm: Refreshing state... [id=default/my-config]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # kubernetes_config_map.example_cm has been changed
  ~ resource "kubernetes_config_map" "example_cm" {
      + binary_data = {}
        id          = "default/my-config"
        # (1 unchanged attribute hidden)

      ~ metadata {
          + annotations      = {}
          + labels           = {}
            name             = "my-config"
            # (4 unchanged attributes hidden)
        }
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # kubernetes_config_map.example_cm will be updated in-place
  ~ resource "kubernetes_config_map" "example_cm" {
      ~ data        = {
          ~ "api_host" = "myhost:443" -> "abcd"
          ~ "db_host"  = "dbhost:5432" -> "1234567898765432"
        }
        id          = "default/my-config"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_config_map.example_cm: Modifying... [id=default/my-config]
kubernetes_config_map.example_cm: Modifications complete after 0s [id=default/my-config]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Hi, @protosam I'm using AWS EKS, therefore the configMap aws-auth is created automatically when the cluster is created. Here is my .tf file.

resource "kubernetes_config_map" "example" {
   count      = 1
   depends_on = []

   metadata {
       name      = "aws-auth-test"
       namespace = "kube-system"
       labels    = {}
   }

   data = {
       # mapRoles must be a YAML list of role mappings, so the object is wrapped in a list
       mapRoles = yamlencode([local.test])
   }

   lifecycle {
       create_before_destroy = false
       ignore_changes        = []
   }
}

locals {
    # one role mapping; this is the entry EKS installs for the worker nodes
    test = {
        rolearn  = "arn:aws:iam::xx:role/workers"
        username = "system:node:{{EC2PrivateDNSName}}"
        groups   = [
             "system:bootstrappers",
             "system:nodes"
        ]
    }
}

@protosam And when I would like to add extra ARNs, it creates another configMap instead of editing the existing one.

The AWS provider documentation states that by default it manages the aws-auth configmap for you.

So I think the problem is that the Kubernetes provider can't just go modifying that, it's managed by the AWS provider.

You could manage it yourself but that would probably require rebuilding the cluster. The only options I see from the AWS provider are to add labels to it or just manage it yourself: https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest
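An added example, not code from the thread or from the EKS module linked above, showing the difference between creating a ConfigMap (which is what `kubernetes_config_map` does, so a second object appears when the name differs and the apply fails when it does not) and taking over the data of the aws-auth ConfigMap that EKS already created. It uses the Kubernetes provider's `kubernetes_config_map_v1_data` resource, which patches an existing object instead of creating one. The account ID and role names are placeholders; the node role mapping is the one EKS installs and must be kept, because whatever is missing from `mapRoles` after the apply loses cluster access, nodes included.

```hcl
# Added example (not from the original thread). Assumes an existing EKS cluster,
# the Kubernetes provider configured against it, and placeholder role ARNs that
# you replace with your own.

locals {
  # Every IAM role that should map into the cluster, in one place. Once Terraform
  # owns the data of aws-auth, anything NOT listed here is removed on apply, so
  # the node role EKS installed must stay in this list.
  aws_auth_roles = [
    {
      rolearn  = "arn:aws:iam::123456789012:role/workers" # placeholder: your node role
      username = "system:node:{{EC2PrivateDNSName}}"
      groups   = ["system:bootstrappers", "system:nodes"]
    },
    {
      # An extra role added later. Bind it to a namespaced RBAC group rather
      # than system:masters so the mapping stays least-privilege.
      rolearn  = "arn:aws:iam::123456789012:role/deployers" # placeholder
      username = "deployer"
      groups   = ["deployers"]
    },
  ]
}

# Patches the data of the existing kube-system/aws-auth ConfigMap. Unlike
# kubernetes_config_map, this resource does not try to create the object, so
# it works against the ConfigMap EKS already made.
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  data = {
    # mapRoles is a YAML list of role mappings, hence yamlencode of a list.
    mapRoles = yamlencode(local.aws_auth_roles)
  }

  # aws-auth's fields are already owned by another field manager (EKS, eksctl
  # or kubectl). force = true takes ownership of them; without it the apply
  # stops with a server-side apply conflict instead of overwriting.
  force = true
}
```

Before the first apply, save what EKS wrote (`kubectl -n kube-system get configmap aws-auth -o yaml`) and copy its mapRoles entries into `aws_auth_roles`; the plan should then show an in-place change to `mapRoles` only. The other route is to keep `kubernetes_config_map` and import the existing object into state with `terraform import kubernetes_config_map.<name> kube-system/aws-auth` (the `namespace/name` ID format is the same one visible in the apply output earlier in this thread), after which Terraform updates it in place instead of creating a new one.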