terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0
4.24k stars 3.97k forks

Inconsistency with thumbprint_list during cluster update #2982

Open janavenkat opened 3 months ago

janavenkat commented 3 months ago

Description

Every time I update the Kubernetes version, the EKS module replaces the OIDC thumbprint_list.

Versions

Reproduction Code [Required]

module "eks-test" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.8.3"

  subnet_ids      = module.vpc.private_subnets
  vpc_id          = module.vpc.vpc_id
  cluster_name    = var.k8s_cluster_name
  cluster_version = "1.27"

  enable_irsa = true

  # .....
}

Steps to reproduce the behavior:

Expected behavior

I shouldn't see the thumbprint_list change.

Actual behavior

Terraform will perform the following actions:

  # module.eks-test.data.tls_certificate.this[0] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "tls_certificate" "this" {
      + certificates = (known after apply)
      + id           = (known after apply)
      + url          = "<redacted>"
    }

  # module.eks-test.aws_eks_cluster.this[0] will be updated in-place
  ~ resource "aws_eks_cluster" "this" {
        id                        = "eks-test"
        name                      = "eks-test"
        tags                      = {
            "terraform-aws-modules" = "eks"
        }
      ~ version                   = "1.27" -> "1.28"
        # (10 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

  # module.eks-test.aws_iam_openid_connect_provider.oidc_provider[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "oidc_provider" {
        id              = "<redacted>"
        tags            = {
            "Name" = "eks-test-eks-irsa"
        }
      ~ thumbprint_list = [
          - "<redacted>",
        ] -> (known after apply)
        # (4 unchanged attributes hidden)
    }

Seems something is wrong with the data tls_certificate while getting the thumbprint.

github-actions[bot] commented 2 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

janavenkat commented 2 months ago

@bryantbiggs It would be great to know the cause.

hanneshofmann commented 2 months ago

I see the same behavior using 20.8.3, even without updating the Kubernetes version.

After the initial apply, a subsequent plan without any configuration change is changing the thumbprint_list.

@bryantbiggs - please let me know if further details are required.

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

janavenkat commented 1 month ago

@bryantbiggs let me know if you need more info.

bryantbiggs commented 1 month ago

There isn't anything that we plan to change for this - as far as I can tell, it's just a matter of something showing up in a plan diff, but there's no actual impact to the cluster, so this is a no-op.
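Added example, not part of the thread or of the module's code: one way to check a saved plan (`terraform show -json <planfile>`) for whether the OIDC provider diff is only `thumbprint_list` becoming unknown because `data.tls_certificate` is read during apply, or whether a known change to the IAM trust anchor is in the same plan. The sample plan, its values and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output shaped like
# the plan in this issue. All values are placeholders, not taken from a real cluster.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "module.eks-test.data.tls_certificate.this[0]",
  "type": "tls_certificate",
  "change": {"actions": ["read"], "before": null, "after": {"url": "<redacted>"},
             "after_unknown": {"certificates": true, "id": true}}},
 {"address": "module.eks-test.aws_iam_openid_connect_provider.oidc_provider[0]",
  "type": "aws_iam_openid_connect_provider",
  "change": {"actions": ["update"],
             "before": {"url": "<redacted>", "client_id_list": ["sts.amazonaws.com"],
                        "thumbprint_list": ["<redacted>"]},
             "after": {"url": "<redacted>", "client_id_list": ["sts.amazonaws.com"]},
             "after_unknown": {"client_id_list": [false], "thumbprint_list": true}}}
]}
""")


def has_unknown(value):
    """after_unknown mirrors the resource shape; only a literal true means unknown."""
    if isinstance(value, dict):
        return any(has_unknown(v) for v in value.values())
    if isinstance(value, list):
        return any(has_unknown(v) for v in value)
    return value is True


def review_oidc_changes(plan):
    """Map each changed aws_iam_openid_connect_provider address to a verdict."""
    verdicts = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc.get("type") != "aws_iam_openid_connect_provider" or change["actions"] == ["no-op"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        unknown = {k for k, v in (change.get("after_unknown") or {}).items() if has_unknown(v)}
        known_diff = sorted(k for k in (set(before) | set(after)) - unknown
                            if before.get(k) != after.get(k))
        if change["actions"] != ["update"]:
            verdicts[rc["address"]] = "REVIEW: actions " + "/".join(change["actions"])
        elif known_diff or unknown != {"thumbprint_list"}:
            verdicts[rc["address"]] = "REVIEW: " + ", ".join(known_diff + sorted(unknown))
        else:
            verdicts[rc["address"]] = "DEFERRED: thumbprint_list only, compare after apply"
    return verdicts


if __name__ == "__main__":
    for address, verdict in review_oidc_changes(SAMPLE_PLAN).items():
        print(address, "->", verdict)
```

A `DEFERRED` verdict only says the plan cannot show the new value; comparing `thumbprint_list` in state before and after the apply confirms whether it actually changed.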

github-actions[bot] commented 2 hours ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days