[Bug]: changing bootstrap configuration on existing EKS clusters should not trigger destroy/rebuild

[iancward]

Terraform Core Version

v1.5.5

AWS Provider Version

v5.63.1

Affected Resource(s)

• aws_eks_cluster

Expected Behavior

Changing value for access_config.bootstrap_cluster_creator_admin_permissions on an existing cluster should not trigger cluster destroy/rebuild

Actual Behavior

Changing access_config.bootstrap_cluster_creator_admin_permissions on an existing cluster triggers cluster destroy/rebuild

Relevant Error/Panic Output Snippet

~ access_config {
          ~ bootstrap_cluster_creator_admin_permissions = false -> true # forces replacement
            # (1 unchanged attribute hidden)
        }

Terraform Configuration Files

resource "aws_eks_cluster" "control_plane" {
  name                      = "${var.prefix}-eks"
  ...

  # Enable aws-auth configuration via configmap AND API
  access_config {
    authentication_mode = "API_AND_CONFIG_MAP"
    # This should always be default true
    bootstrap_cluster_creator_admin_permissions = true
  }
}

Steps to Reproduce

• Create EKS cluster with AWS provider version prior to v5.33.0 (which added access entries)
• Update project to use AWS provider v5.33.0 but do not enable access entries
• Enable access entries and set access_config.bootstrap_cluster_creator_admin_permissions to false to prevent cluster from being destroyed and re-created
• Update project to use AWS provider to v5.59.0 and set access_config.bootstrap_cluster_creator_admin_permissions to true via shared terraform module to be consistent with newly created clusters
• Observe that Terraform wants to destroy and re-create the EKS cluster

Debug Output

No response

Panic Output

No response

Important Factoids

This came up in #35824, but wasn't fully addressed, because changing the value still triggers a destroy/re-create.

References

35824

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[bryantbiggs]

Duplicate of https://github.com/hashicorp/terraform-provider-aws/issues/38967

there isn't anything that Terraform can do for this - it is dictated by the EKS API - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-accessconfig.html#cfn-eks-cluster-accessconfig-bootstrapclustercreatoradminpermissions

Update requires: Replacement

[justinretzolk]

I'm going to close this issue so that we can consolidate the conversation on #38967. Please direct any further updates to that issue.

[github-actions[bot]]

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.