chore: update from testing and validation, add note on main README
bryantbiggs committed Jan 11, 2022
1 parent e6545ab commit a772cf6
Showing 4 changed files with 34 additions and 4 deletions.
31 changes: 31 additions & 0 deletions README.md
Expand Up @@ -18,6 +18,37 @@ Terraform module which creates AWS EKS (Kubernetes) resources
- Support for providing maps of node groups/Fargate profiles to the cluster module definition or use separate node group/Fargate profile sub-modules
- Provisions to provide node group/Fargate profile "default" settings - useful for when creating multiple node groups/Fargate profiles where you want to set a common set of configurations once, and then individual control only select features

## ℹ️ `Error: Invalid for_each argument ...`

Users may come across an error such as `Error: Invalid for_each argument - The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply ...`

This error is due to an upstream issue with [Terraform core](https://github.com/hashicorp/terraform/issues/4149). There are two options users can take to help mitigate this issue:

1. Create the dependent resources before the cluster => `terraform apply --target <your policy or your security group>` and then `terraform apply` for the cluster
- Note: this is the route users will have to take for adding additonal security groups to nodes since there isn't a separate "security group attachment" resource
2. For addtional IAM policies, users can attach the policies outside of the cluster definition as demonstrated below

```hcl
resource "aws_iam_role_policy_attachment" "additional" {
for_each = module.eks.eks_managed_node_groups
# you could also do the following or any comibination:
# for_each = merge(
# module.eks.eks_managed_node_groups,
# module.eks.self_managed_node_group,
# module.eks.fargate_profile,
# )
policy_arn = aws_iam_policy.node_additional.arn
role = each.value.iam_role_name
}
```

The tl;dr for this issue is that the Terraform resource passed into the modules map definition *must* be known before you can apply the EKS module. The variables this potentially affects are:

- `cluster_security_group_additional_rules` (i.e. - referencing an external security group resource in a rule)
- `node_security_group_additional_rules` (i.e. - referencing an external security group resource in a rule)
- `iam_role_additional_policies` (i.e. - referencing an external policy resource)

## Usage

```hcl
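Review bot: three typos in the added README text: "additonal" (the note under option 1) and "addtional" (option 2) should read "additional", and "comibination" in the HCL comment should read "combination". Two consistency points in the same hunk: the quoted Terraform error refers to `-target` (single dash) while the option 1 command uses `--target`, and the commented `merge()` alternative references `module.eks.self_managed_node_group` and `module.eks.fargate_profile` in the singular while the live line uses the plural `module.eks.eks_managed_node_groups`; worth confirming those names against the module's actual outputs, because a reader who uncomments that block will get an unsupported-attribute error if they do not match.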
3 changes: 1 addition & 2 deletions examples/eks_managed_node_group/main.tf
Expand Up @@ -270,7 +270,6 @@ module "eks" {
tags = local.tags
}


# References to resources that do not exist yet when creating a cluster will cause a plan failure due to https://github.com/hashicorp/terraform/issues/4149
# There are two options users can take
# 1. Create the dependent resources before the cluster => `terraform apply --target <your policy or your security group> and then `terraform apply`
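Review bot: the option 1 comment is missing the closing backtick after `<your policy or your security group>`, so the inline code span never terminates; add it before `and then`. The same `--target` versus `-target` spelling difference as in the README applies here, and since this file is the example users copy, it should match the flag as Terraform itself prints it in the error message.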
Expand All @@ -280,7 +279,7 @@ resource "aws_iam_role_policy_attachment" "additional" {
for_each = module.eks.eks_managed_node_groups

policy_arn = aws_iam_policy.node_additional.arn
role = each.value.iam_role_arn
role = each.value.iam_role_name
}

################################################################################
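Review bot: changing `role` from `each.value.iam_role_arn` to `each.value.iam_role_name` is the right fix, since the `role` argument of `aws_iam_role_policy_attachment` takes the role name rather than its ARN; a one-line comment above the attachment saying so would help, because the ARN is the value people most often copy. It would also be worth stating which permissions `aws_iam_policy.node_additional` grants, so readers see that this `for_each` widens the role of every managed node group in the cluster at once rather than a single one.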
2 changes: 1 addition & 1 deletion modules/eks-managed-node-group/README.md
Expand Up @@ -139,7 +139,7 @@ module "eks_managed_node_group" {
| <a name="input_post_bootstrap_user_data"></a> [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
| <a name="input_pre_bootstrap_user_data"></a> [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket` | `string` | `""` | no |
| <a name="input_ram_disk_id"></a> [ram\_disk\_id](#input\_ram\_disk\_id) | The ID of the ram disk | `string` | `null` | no |
| <a name="input_remote_access"></a> [remote\_access](#input\_remote\_access) | Configuration block with remote access settings | `map(string)` | `{}` | no |
| <a name="input_remote_access"></a> [remote\_access](#input\_remote\_access) | Configuration block with remote access settings | `any` | `{}` | no |
| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description for the security group created | `string` | `"EKS managed node group security group"` | no |
| <a name="input_security_group_name"></a> [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | List of security group rules to add to the security group created | `any` | `{}` | no |
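Review bot: loosening `remote_access` from `map(string)` to `any` is needed because the EKS `remote_access` block takes `source_security_group_ids` as a list, which `map(string)` cannot express, but the description "Configuration block with remote access settings" no longer tells the reader which keys are accepted; list `ec2_ssh_key` and `source_security_group_ids` in the description. Since the input now accepts the key on its own, the description should also note that setting `ec2_ssh_key` without `source_security_group_ids` results in EKS opening SSH (port 22) on the nodes to 0.0.0.0/0.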
2 changes: 1 addition & 1 deletion modules/eks-managed-node-group/variables.tf
Expand Up @@ -334,7 +334,7 @@ variable "launch_template_version" {

variable "remote_access" {
description = "Configuration block with remote access settings"
type = map(string)
type = any
default = {}
}
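Review bot: `type = any` gives up the type checking that `map(string)` provided, so a misspelled key such as `ec2_ssh_keys` may pass validation unnoticed rather than failing at plan time; adding a `validation` block that checks `keys(var.remote_access)` against the two expected key names (`ec2_ssh_key`, `source_security_group_ids`) would keep the flexibility this change needs while still catching that mistake.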
