aliyun / terraform-provider-alicloud

Terraform AliCloud provider
https://www.terraform.io/docs/providers/alicloud/
Mozilla Public License 2.0

alicloud_cs_kubernetes_permissions #6719

Open gerbil opened 10 months ago

gerbil commented 10 months ago

Terraform Version

1.6.2

Affected Resource(s)

alicloud_cs_kubernetes_permissions

Terraform Configuration Files

resource "alicloud_cs_kubernetes_permissions" "admin" {
  uid = "386123810581389766"
  permissions {
    cluster     = "c7a3e6bcf0ab442d0b704cfba16fd81d3"
    role_type   = "cluster"
    role_name   = "admin"
    is_custom   = false
    is_ram_role = true
  }
}

Expected Behavior

ClusterRoleBinding should be created/updated for a specific cluster ("c7a3e6bcf0ab442d0b704cfba16fd81d3"), but in reality, using provider version 1.211+, EVERY CS cluster will receive this update, resulting in the wrong cluster ID in the binding (except the "c7a3e6bcf0ab442d0b704cfba16fd81d3" cluster, of course).

Actual Behavior

After cluster "ce58abd0cf36e4dd7885fd878403cd68d" got updated permissions, the "c7a3e6bcf0ab442d0b704cfba16fd81d3" cluster got "ce58abd0cf36e4dd7885fd878403cd68d" as the admin clusterrolebinding cluster parameter. This is a plan for "c7a3e6bcf0ab442d0b704cfba16fd81d3" that will break "ce58abd0cf36e4dd7885fd878403cd68d", located in the same account and region.

  # module.ali_k8s[0].module.rbac.alicloud_cs_kubernetes_permissions.admin["RAM-AliCloudAdmin"] will be updated in-place
  ~ resource "alicloud_cs_kubernetes_permissions" "admin" {
      id = "386123810581389766"
      # (1 unchanged attribute hidden)

  - permissions {
      - cluster     = "ce58abd0cf36e4dd7885fd878403cd68d" -> null
      - is_custom   = false -> null
      - is_ram_role = true -> null
      - role_name   = "admin" -> null
      - role_type   = "cluster" -> null
    }
  + permissions {
      + cluster     = "c7a3e6bcf0ab442d0b704cfba16fd81d3"
      + is_custom   = false
      + is_ram_role = true
      + role_name   = "admin"
      + role_type   = "cluster"
    }
}

Steps to Reproduce

  1. Create two CS manager clusters in one region
  2. Update alicloud_cs_kubernetes_permissions for one of the clusters for specific RAM role id (any role you like)
  3. Try the same on second cluster
  4. Check the first cluster RBAC - rolebinding will be broken (not sure exactly what's wrong, maybe they will be just deleted)
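
A pre-apply guard for the situation in this report, as an added example (not code from the issue or from the provider): it reads the JSON form of a plan (`terraform show -json`) and lists every `alicloud_cs_kubernetes_permissions` grant the plan would remove on a cluster the workspace is not expected to manage. The `dropped_grants` helper, the expected-cluster set and the sample plan are constructed for illustration; the IDs are the ones quoted in the report.

```python
import json
import sys

RESOURCE_TYPE = "alicloud_cs_kubernetes_permissions"

def clusters(state):
    """Cluster IDs named in the permissions blocks of one side of a change."""
    return {p["cluster"] for p in ((state or {}).get("permissions") or [])}

def dropped_grants(plan, expected_clusters):
    """Return (address, uid, cluster_id) for each grant the plan removes on a
    cluster outside expected_clusters (hypothetical helper, not provider code)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc["change"]
        # "replace" shows up as ["delete", "create"], so it is covered too.
        if not {"update", "delete"} & set(change["actions"]):
            continue
        before, after = change.get("before"), change.get("after")
        for cid in sorted(clusters(before) - clusters(after)):
            if cid not in expected_clusters:
                findings.append((rc["address"], (before or {}).get("uid"), cid))
    return findings

# Constructed sample in `terraform show -json` shape, mirroring the plan above.
GRANT = {"role_type": "cluster", "role_name": "admin",
         "is_custom": False, "is_ram_role": True}
SAMPLE_PLAN = {"resource_changes": [{
    "address": 'module.ali_k8s[0].module.rbac.'
               'alicloud_cs_kubernetes_permissions.admin["RAM-AliCloudAdmin"]',
    "type": RESOURCE_TYPE,
    "change": {
        "actions": ["update"],
        "before": {"uid": "386123810581389766", "permissions": [
            dict(GRANT, cluster="ce58abd0cf36e4dd7885fd878403cd68d")]},
        "after": {"uid": "386123810581389766", "permissions": [
            dict(GRANT, cluster="c7a3e6bcf0ab442d0b704cfba16fd81d3")]},
    },
}]}

if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json; python check.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = dropped_grants(plan, {"c7a3e6bcf0ab442d0b704cfba16fd81d3"})
    for addr, uid, cid in hits:
        print(f"{addr}: plan removes grant for uid {uid} on cluster {cid}")
    sys.exit(1 if hits else 0)
```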

sanyangji commented 3 months ago

Same as https://github.com/aliyun/terraform-provider-alicloud/issues/6645. This was caused by a modification from https://github.com/aliyun/terraform-provider-alicloud/pull/6646 (version 1.213) and was reverted by https://github.com/aliyun/terraform-provider-alicloud/pull/6769 (version 1.214) so that the resource behaved as before. Further updates to make resource alicloud_cs_kubernetes_permissions better:

https://github.com/aliyun/terraform-provider-alicloud/pull/6996 (version 1.220) fix delete, update bugs.

https://github.com/aliyun/terraform-provider-alicloud/pull/7100 (version 1.222) fix concurrent operation conflict.