aws configmap

[Mieszko96]

hey in my current terraform i am using to manage aws configmap i'm using module with version 19.20

resource "kubectl_manifest" "aws-auth-cm" {
  yaml_body = <<MANIFEST
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
%{if local.rancher2_import_enabled~}
  mapUsers: |
    - userarn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${var.rancher2_cloud_credentials_name}
      username: ${var.rancher2_cloud_credentials_name}
      groups:
      - system:masters
%{endif~}
%{if length(var.paas_eks_accounts) > 0~}
  mapAccounts: |
    ${replace(yamlencode(var.paas_eks_accounts), "\"", "")~}
%{endif~}
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: ${module.eks.eks_managed_node_groups["default"].iam_role_arn}
      username: system:node:{{EC2PrivateDNSName}}
%{if length(var.paas_eks_roles) > 0~}
    ${indent(4, replace(yamlencode(var.paas_eks_roles), "\"", ""))~}
%{endif~}
MANIFEST
  force_new = false
}

with eks_managed_node_groups and create_aws_auth_configmap = false manage_aws_auth_configmap = false

What i need to do to switch to manage_aws_auth_configmap = true and remove resource "kubectl_manifest" "aws-auth-cm"

What i tested.

scenario 1

removed resource "kubectl_manifest" "aws-auth-cm" manage_aws_auth_configmap = false -> true ❌ configmap was deleted( we don't have configmap in EKS)

scenario 2 removed resource "kubectl_manifest" "aws-auth-cm" create_aws_auth_configmap = true

❌ ✅ this scenario works, but if i use same code for brand new EKS it have error aws-auth already exist. And i need solution for updated exisiting terraform and for brand new.

scenario 3 Also tried with moved block, but getting error

 moved {
  from = kubectl_manifest.aws-auth-cm
  to   = module.eks.kubernetes_config_map_v1_data.aws_auth[0]
}

This statement declares a move from kubectl_manifest.aws-auth-cm to module.eks.kubernetes_config_map.aws_auth[0], which is a resource instance of a different type.

or

module.eks.kubernetes_config_map_v1_data.aws_auth[0], which is a resource instance of a different type.

I don't mind if solution require removing state from terraform list

[Mieszko96]

actually checking https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md it will be removed in 21.xx at all so maybe i should not do this.

But if you have opinion/suggestions please let me know

[kaykhan]

@Mieszko96 Do you know if there new method to handle who has auth to use the cluster? is it access_entries?

[groovyghost]

@kaykhan It has been moved to submodule https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/20.8.5/submodules/aws-auth

[kaykhan]

@kaykhan It has been moved to submodule https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/20.8.5/submodules/aws-auth

This sub module is going to be removed in the next version (21) https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md#%EF%B8%8F-upcoming-changes-planned-in-v210-%EF%B8%8F

So just curious how to handle it moving forward.

Im wondering if we should now be creating this resource ourselves. https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1

[bryantbiggs]

its a separate sub-module and the code has not changed for this functionality for several years. Even though the code will be removed in v21, theres nothing stopping you from using the sub-module at v20 for years to come.

However, long term the strategy is to use cluster access entries

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions[bot]]

This issue was automatically closed because of stale in 10 days