Closed flostadler closed 2 months ago
This seems to be an upstream bug: https://github.com/hashicorp/terraform-provider-aws/issues/36259
The root cause of this is how boolean values are handled in terraform-plugin-sdk: https://github.com/hashicorp/terraform-plugin-sdk/issues/817.
A boolean value being set to false and a boolean value being non-existent are handled the same way. This in combination with EKS defaulting the parameter to true leads to this problem.
We could fix the docs to say it's defaulting to false, but that's not entirely true either. If the accessConfig
block is not specified, it's actually correctly defaulting to true because the nested bootstrapClusterCreatorAdminPermissions
isn't even evaluated.
The linked issue mentions that we might be able to work around the wrong defaulting by inspecting the raw configuration (by using GetRawConfig
) but that isn't supported for computing changes.
Well, the upstream bug (https://github.com/hashicorp/terraform-provider-aws/issues/36259) has been fixed yesterday evening. I'm gonna test if it solves the problems on the pulumi side as well, if it does even better because we don't need a patch.
The upstream fix went with the option of having the bi-modal default behavior I described above. If accessConfig
is not specified, bootstrapClusterCreatorAdminPermissions
defaults to true. If accessConfig
is provided but bootstrapClusterCreatorAdminPermissions
is not set, it defaults to false.
That's not perfect, but after looking at the upstream code it's the closest we can get without introducing breaking changes. The problem with bootstrapClusterCreatorAdminPermissions
is that it's not returned by the GetCluster
API call and that it forces replacements. Forcing replacements for EKS clusters is extremely disruptive, because it deletes the clusters and all resources running on it.
We'll pull this fix in as part of our next upstream upgrade which will happen as soon as hashicorp/terraform-provider-aws cuts a new release.
This issue has been addressed in PR #4217 and shipped in release v6.45.0.
What happened?
The documentation mentions that bootstrapClusterCreatorAdminPermissions of EKS clusters defaults to
true
. This is also the default behavior for the case when no ClusterAccessConfig is defined.But in reality the
bootstrapClusterCreatorAdminPermissions
defaults to false.This can cause the replacement of the whole cluster because changes to this parameter trigger replacements.
Example
After deploying the snippet above, observe the cluster being created without admin permissions for the IAM principal that created the cluster.
This can also be seen in the CloudTrail event of the cluster creation:
Output of
pulumi about
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).