Open mikalinnanoja-rovio opened 2 weeks ago
I think you are looking for the https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-role-for-service-accounts-eks module - I would switch to that module to see if it resolves your issue
Hmm interesting, looks like this newer module would be a good fit. Will give it a whirl :) Thanks a bunch.
and if you want to use EKS Pod Identity instead of IRSA (Pod Identity is the next evolution after IRSA) https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity
Sadly changing module didn't help for this issue. I'll update the plan and module call references but otherwise issue remains. I think it was good to migrate the module anyway :)
Description
edit: updated used module to iam-role-for-service-accounts-eks, no difference to outcome however.
Hi, I have a module that sets up infra prerequisites for a kubernetes application that includes a module call for the submodule iam-assumable-role-with-oidc from this repo to use in AWS EKS with IRSA (thx for the module :bowing_man:).
The module, tested up to latest version 5.40.0 as of writing this, works nicely and produces nice IAM roles our applications can assume inside kubernetes cluster, but terraform is showing this in plan every time for each of our services, making the plan painful to go through:
In the above plan output I replaced all real IDs with dummy strings.
When applied, nothing actually changes. But this is quite verbose, hence having this kind of thing in plan x 100 makes the plan basically useless. How can we avoid this sort of forever-delta? I've tried passing a fixed string provider_url (oidc url from amazon) instead of getting it from EKS module call outputs, and that at least doesn't solve this. None of the dependent resources have any counts or for_eaches.
Our module call looks like this:
I found one issue from 2022 that had similar findings, but it got closed. Thanks!
Versions
Module version [Required]: 5.40.0
Terraform version: Terraform v1.5.7 on linux_amd64
Provider version(s):
provider registry.terraform.io/hashicorp/aws v5.42.0
provider registry.terraform.io/hashicorp/cloudinit v2.3.4
provider registry.terraform.io/hashicorp/external v2.3.3
provider registry.terraform.io/hashicorp/helm v2.12.1
provider registry.terraform.io/hashicorp/kubernetes v2.27.0
provider registry.terraform.io/hashicorp/local v2.5.1
provider registry.terraform.io/hashicorp/null v3.2.2
provider registry.terraform.io/hashicorp/random v3.6.2
provider registry.terraform.io/hashicorp/time v0.11.2
provider registry.terraform.io/hashicorp/tls v4.0.5
Reproduction Code [Required]
Steps to reproduce the behavior: Module call with given kind of input. Everything applied and working.
Not using workspaces.
Issue reproducible in CI system and local computers for multiple persons, not caching related.
Expected behavior
No delta, i.e. "No infrastructure changes" in the module-created IAM role trust policy if nothing changes.
Actual behavior
Given delta always present in plan.
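A quick way to tell whether a trust-policy delta like the one reported above is cosmetic (key order, one-element lists, Statement as object vs. list) or an actual change in who may assume the role is to canonicalise both documents before comparing them. The following is an added example, not code from the issue or from the terraform-aws-iam module; the OIDC URL, account ID and service-account names are constructed placeholders.

```python
import json

# Constructed placeholders, not values from the issue.
OIDC_URL = "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE"
HOST = OIDC_URL.removeprefix("https://")
OIDC_ARN = f"arn:aws:iam::111122223333:oidc-provider/{HOST}"

def irsa_trust_policy(oidc_provider_arn, provider_url, namespace, service_account):
    # IRSA trust shape: the cluster OIDC provider is the federated principal and
    # the StringEquals condition pins the Kubernetes service account and audience.
    host = provider_url.removeprefix("https://")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": oidc_provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            f"{host}:aud": "sts.amazonaws.com"}}}]}

def canonical(policy):
    # Normalise forms IAM treats as equivalent: sorted keys, one-element lists
    # collapsed to scalars, Statement always a list.
    if isinstance(policy, str):
        policy = json.loads(policy)
    def norm(node):
        if isinstance(node, dict):
            return {k: norm(v) for k, v in sorted(node.items())}
        if isinstance(node, list):
            items = [norm(v) for v in node]
            return items[0] if len(items) == 1 else sorted(items, key=json.dumps)
        return node
    doc = norm(policy)
    stmts = doc.get("Statement", [])
    doc["Statement"] = stmts if isinstance(stmts, list) else [stmts]
    return doc

def same_trust(a, b):
    # True when both documents grant the same trust, whatever the formatting.
    return canonical(a) == canonical(b)

EXAMPLE_POLICY = irsa_trust_policy(OIDC_ARN, OIDC_URL, "apps", "my-svc")
# Constructed rendering of the same policy as a plan might print it: other key
# order, Action as a one-element list, Statement as a bare object.
PLANNED_POLICY_JSON = json.dumps({"Statement": {
    "Action": ["sts:AssumeRoleWithWebIdentity"], "Effect": "Allow",
    "Condition": {"StringEquals": {f"{HOST}:aud": "sts.amazonaws.com",
                                   f"{HOST}:sub": "system:serviceaccount:apps:my-svc"}},
    "Principal": {"Federated": OIDC_ARN}}, "Version": "2012-10-17"}, indent=2)

if __name__ == "__main__":
    print("cosmetic delta only:", same_trust(EXAMPLE_POLICY, PLANNED_POLICY_JSON))
```

Paste the two JSON documents from the plan's `-`/`+` sides into `same_trust` to confirm the trust relationship is unchanged before ignoring the delta; a `False` result means the subject, audience or principal actually differs.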