lablabs / terraform-aws-eks-external-dns
License: Apache License 2.0
The IAM policy can't be created in AWS China, because in AWS China the ARN format is: arn:aws-cn:
Bug Report
```text
$ terraform --version
Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/cloudposse/utils v1.6.0
+ provider registry.terraform.io/hashicorp/aws v4.45.0
+ provider registry.terraform.io/hashicorp/external v2.2.3
+ provider registry.terraform.io/hashicorp/helm v2.7.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.11.0
```
```hcl
module "external_dns" {
  count   = var.environment == "dev" ? 1 : 0
  source  = "lablabs/eks-external-dns/aws"
  version = "1.1.0"

  cluster_identity_oidc_issuer     = data.aws_iam_openid_connect_provider.meid_eks_oidc.url
  cluster_identity_oidc_issuer_arn = data.aws_iam_openid_connect_provider.meid_eks_oidc.arn

  irsa_role_name_prefix = "irsa-external-dns-${var.projectname}-${var.environment}-${var.region}"
  irsa_tags = {
    Name        = "external-dns-${var.projectname}-${var.environment}-${var.region}"
    Region      = var.region
    Environment = var.environment
    Managedby   = "Terraform"
  }

  helm_chart_version = "6.8.1"
  values = yamlencode({
    policy             = "sync"
    triggerLoopOnEvent = true
    txtPrefix          = "z-external-dns-"
    global             = { imageRegistry = "${var.accountid}.dkr.ecr.${var.region}.${var.awsdomain}" }
  })
}
```
The IAM policy could be created successfully.
```text
Error: error creating IAM Policy irsa-external-dns-meid-cn-dev-cn-north-1-external-dns: MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:route53:::hostedzone/*".
│ status code: 400, request id: ecc835f4-88df-401b-a4a5-36a16e692e8b
│
│ with module.external_dns[0].aws_iam_policy.this[0],
│ on .terraform/modules/external_dns/iam.tf line 49, in resource "aws_iam_policy" "this":
│ 49: resource "aws_iam_policy" "this" {
```
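A partition-aware version of the Route 53 policy, added here as an example and not code from the lablabs module: the partition is read from the `aws_partition` data source, so the same configuration renders `arn:aws-cn:` in cn-north-1 and `arn:aws:` elsewhere, and record writes are scoped to an explicit list of hosted zones instead of `hostedzone/*`. The `hosted_zone_ids` variable, the resource names and the policy name are assumptions made for the example.

```hcl
# Added example; not the module's iam.tf. Names are hypothetical.
data "aws_partition" "current" {}

variable "hosted_zone_ids" {
  description = "Route 53 hosted zone IDs external-dns may write to; empty means every zone"
  type        = list(string)
  default     = []
}

locals {
  # Partition-qualified prefix: arn:aws:..., arn:aws-cn:..., arn:aws-us-gov:...
  zone_arn_prefix = "arn:${data.aws_partition.current.partition}:route53:::hostedzone/"

  # Least privilege when zone IDs are given, wildcard only as a fallback
  zone_arns = length(var.hosted_zone_ids) > 0 ? [
    for id in var.hosted_zone_ids : "${local.zone_arn_prefix}${id}"
  ] : ["${local.zone_arn_prefix}*"]
}

data "aws_iam_policy_document" "external_dns" {
  # Record writes only against the listed zones
  statement {
    sid       = "ChangeRecords"
    effect    = "Allow"
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = local.zone_arns
  }

  # Zone discovery: ListHostedZones only accepts "*", and external-dns
  # needs to read existing records and zone tags to reconcile
  statement {
    sid    = "ListZonesAndRecords"
    effect = "Allow"
    actions = [
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "route53:ListTagsForResource",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "external_dns" {
  name   = "external-dns-route53"
  policy = data.aws_iam_policy_document.external_dns.json
}
```

With `hosted_zone_ids = ["Z0123456789ABCDEFGHIJ"]` (a made-up zone ID) applied from a cn-north-1 profile, the first statement's resource becomes `arn:aws-cn:route53:::hostedzone/Z0123456789ABCDEFGHIJ`, which is the form the MalformedPolicyDocument error above is asking for.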
When the settings map has values and Argo CD is being used, a boolean check for forceString fails with the following error:
```text
Error: error validating "": error validating data: ValidationError(Application.spec.source.helm.parameters[0].forceString): invalid type for io.argoproj.v1alpha1.Application.spec.source.helm.parameters.forceString: got "string", expected "boolean"
```
The tomap() function in Terraform causes all objects passed to it to be converted to the same type. https://developer.hashicorp.com/terraform/language/functions/tomap
In argo.tf you can remove the tomap() function on line 15 and the forceString parameter makes it through as a boolean. This worked on my local machine.
Bug Report
```text
$ terraform --version
Terraform v1.3.3
on windows_amd64

Your version of Terraform is out of date! The latest version
is 1.3.6. You can update by downloading from https://www.terraform.io/downloads.html
```
```hcl
module "eks-external-dns" {
  source  = "lablabs/eks-external-dns/aws"
  version = "1.1.0"

  cluster_identity_oidc_issuer     = module.eks.oidc_provider
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn

  # https://registry.terraform.io/modules/lablabs/eks-external-dns/aws/latest#argo-helm
  enabled           = true
  argo_enabled      = true
  argo_helm_enabled = true
  argo_namespace    = helm_release.argocd.namespace
  argo_sync_policy = {
    "automated"   = {}
    "syncOptions" = ["CreateNamespace=true"]
  }
  settings = {
    "policy" = "sync"
  }
}
```
```text
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Error: error validating "": error validating data: ValidationError(Application.spec.source.helm.parameters[0].forceString): invalid type for io.argoproj.v1alpha1.Application.spec.source.helm.parameters.forceString: got "string", expected "boolean"
```
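The type coercion behind this error, shown as an added example rather than the module's argo.tf: `tomap()` needs a single element type, so an object holding a string `value` next to a boolean `forceString` is converted to `map(string)` and the flag becomes the string `"true"`, which the Argo CD Application CRD rejects. Keeping each parameter as a plain object preserves the boolean. The `kubernetes_manifest` resource at the end is where the parameters land; its namespace, chart repository, chart version and project name are assumptions for the example.

```hcl
# Added example; not the module's argo.tf. Resource names are hypothetical.
locals {
  settings = {
    policy = "sync"
  }

  # Broken: tomap() unifies the value types of the object, so
  # forceString = true is coerced to the string "true"
  helm_parameters_coerced = [
    for k, v in local.settings : tomap({
      name        = k
      value       = v
      forceString = true
    })
  ]

  # Fixed: an object keeps mixed value types, forceString stays a bool
  helm_parameters = [
    for k, v in local.settings : {
      name        = k
      value       = v
      forceString = true
    }
  ]
}

# Argo CD Application carrying the typed parameters. Namespace "argocd",
# the Bitnami repo, chart version and project "default" are assumptions.
resource "kubernetes_manifest" "external_dns" {
  manifest = {
    apiVersion = "argoproj.io/v1alpha1"
    kind       = "Application"
    metadata = {
      name      = "external-dns"
      namespace = "argocd"
    }
    spec = {
      project = "default"
      destination = {
        server    = "https://kubernetes.default.svc"
        namespace = "kube-system"
      }
      source = {
        repoURL        = "https://charts.bitnami.com/bitnami"
        chart          = "external-dns"
        targetRevision = "6.8.1"
        helm = {
          parameters = local.helm_parameters
        }
      }
      syncPolicy = {
        automated   = {}
        syncOptions = ["CreateNamespace=true"]
      }
    }
  }
}
```

In `terraform console`, `local.helm_parameters_coerced[0].forceString` evaluates to the string `"true"` while `local.helm_parameters[0].forceString` evaluates to the boolean `true`; only the second form passes the CRD's schema validation.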
I would like to be able to deploy External DNS into an existing K8S namespace in my cluster, such as kube-dns, without letting this module create it for me.
As per the current behavior, the options are to use the default kube-system or to create a new namespace.
I suggest creating an optional boolean flag (e.g. k8s_create_namespace) with a default value of true.
The new flag should be introduced in the count field of the kubernetes_namespace resource as follows:
```hcl
count = (var.enabled && var.k8s_create_namespace && var.k8s_namespace != "kube-system") ? 1 : 0
```
....
I think I am hitting this bug in the modules due to the use of the dynamic providers but I cannot test to confirm since the modules do not support Terraform 0.14. Can we add support for that?
When I try to add external-dns module version 0.8.1 it fails, saying that chart version 5.4.4 is not available.
Bug Report
```text
Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/cloudposse/utils v1.6.0
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v3.76.1
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/helm v2.8.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.16.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4
```
```hcl
module "eks-external-dns" {
  source  = "lablabs/eks-external-dns/aws"
  version = "0.8.1"

  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn
  cluster_name                     = module.eks.cluster_id
}
```
I expected terraform to deploy external dns release on cluster
```text
╷
│ Error: could not download chart: chart "external-dns" version "5.4.4" not found in https://charts.bitnami.com/bitnami repository
│
│ with module.eks-external-dns.helm_release.external_dns[0],
│ on .terraform/modules/eks-external-dns/main.tf line 32, in resource "helm_release" "external_dns":
│ 32: resource "helm_release" "external_dns" {
│
╵
```
Using the TF code below, the generated Kubernetes service account for external-dns is not annotated with the IAM role. The same value printed through an output is correct, but the SA is annotated with an empty string instead of the IAM role ARN.
Bug Report
```text
$ terraform version
Terraform v1.4.6
on darwin_arm64
+ provider registry.terraform.io/cloudposse/utils v1.9.0
+ provider registry.terraform.io/cyrilgdn/postgresql v1.20.0
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/goharbor/harbor v3.9.4
+ provider registry.terraform.io/hashicorp/aws v4.67.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.2
+ provider registry.terraform.io/hashicorp/helm v2.10.1
+ provider registry.terraform.io/hashicorp/http v3.4.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.21.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4
```
```hcl
module "external_dns_eks" {
  source  = "lablabs/eks-external-dns/aws"
  version = "1.2.0"

  providers = {
    kubernetes = kubernetes.platform
    helm       = helm.platform
  }

  irsa_policy_enabled      = true
  irsa_role_create         = false
  irsa_assume_role_enabled = true
  irsa_assume_role_arn     = "arn:aws:iam::${var.allowed_account_ids[0]}:role/AmazonEKSExternalDns-${var.region}"

  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = data.aws_iam_openid_connect_provider.eks_cluster.arn

  # for doc see: https://artifacthub.io/packages/helm/bitnami/external-dns
  values = yamlencode({
    txtOwnerId    = local.eks_cluster_name
    domainFilters = [var.platform_domain]
    policy        = "sync"
    # yamlencode emits a literal top-level key "aws.zoneType", which the chart
    # never reads; the value has to be nested to reach .Values.aws.zoneType
    aws = {
      zoneType = "public"
    }
  })
}
```
KUBERNETES SA (expected):
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: kube-system
  labels:
    app.kubernetes.io/instance: external-dns
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: external-dns
    helm.sh/chart: external-dns-6.5.6
  annotations:
    eks.amazonaws.com/role-arn: 'THE ROLE ARN HERE'
    meta.helm.sh/release-name: external-dns
    meta.helm.sh/release-namespace: kube-system
```
KUBERNETES SA (actual):
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: kube-system
  labels:
    app.kubernetes.io/instance: external-dns
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: external-dns
    helm.sh/chart: external-dns-6.5.6
  annotations:
    eks.amazonaws.com/role-arn: ''   # <--------- EMPTY_STRING
    meta.helm.sh/release-name: external-dns
    meta.helm.sh/release-namespace: kube-system
```
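The IRSA wiring that the empty annotation leaves broken, as an added example and not the module's code: the role's trust policy is pinned to one service account through the `sub` and `aud` conditions on the cluster OIDC provider, and the annotation is set explicitly through chart values so that it is tied to the role actually created. Without the `sub` condition any service account in the cluster could assume the role with its projected token. The example assumes `module.eks` exposes `cluster_oidc_issuer_url` and `data.aws_iam_openid_connect_provider.eks_cluster` exists, as in the configuration above; the role name and the chart version are assumptions.

```hcl
# Added example; not the lablabs module. Names are hypothetical.
locals {
  sa_namespace = "kube-system"
  sa_name      = "external-dns"
  # OIDC condition keys use the issuer host without the scheme
  oidc_host = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
}

data "aws_iam_policy_document" "external_dns_trust" {
  statement {
    sid     = "ExternalDnsIrsa"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.eks_cluster.arn]
    }

    # Only this one service account may assume the role
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${local.sa_namespace}:${local.sa_name}"]
    }

    # Only tokens minted for STS, not tokens projected for other audiences
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "external_dns" {
  name               = "external-dns-irsa"
  assume_role_policy = data.aws_iam_policy_document.external_dns_trust.json
}

resource "helm_release" "external_dns" {
  name       = local.sa_name
  namespace  = local.sa_namespace
  repository = "https://charts.bitnami.com/bitnami"
  chart      = "external-dns"
  version    = "6.5.6"

  # Annotate the SA from the role resource itself, so an unset ARN is a plan
  # error rather than an empty string on the live object
  values = [yamlencode({
    serviceAccount = {
      create = true
      name   = local.sa_name
      annotations = {
        "eks.amazonaws.com/role-arn" = aws_iam_role.external_dns.arn
      }
    }
  })]
}
```

After apply, `kubectl -n kube-system get sa external-dns -o jsonpath='{.metadata.annotations.eks\.amazonaws\.com/role-arn}'` should print the role ARN; if the pod still gets node credentials, check the annotation first, then the `sub` value in the trust policy against the pod's namespace and service account name.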
After upgrading AWS EKS to version 1.22, the lablabs 0.9.0 external-dns pod goes into a CrashLoopBackOff. This is caused by Kubernetes 1.22 dropping support for a couple of deprecated APIs, including Ingress in extensions/v1beta1.
The fix is in external-dns version 0.10.0+:
kubernetes-sigs/external-dns#2168
The external-dns logs show this fatal error:
```text
time="2022-04-15T21:19:09Z" level=fatal msg="failed to sync cache: timed out waiting for the condition"
```
Hi,
I have an issue with passing values to the extraEnv parameter of the Helm chart via set.
I tried a few ways, but with no success.
Could you please advise how it can be implemented?
Thanks a lot
Hi;
I would like to be able to configure the External DNS "policy" argument (as per the Setup Guide), to be able to set the "upsert-only" or "sync" values.
Enable full sync - kubernetes-sigs/external-dns#442
Required changes:
values.yaml.tpl
```yaml
## Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only)
##
policy: ${ policy }
```
main.tf
```hcl
resource "helm_release" "external_dns" {
  ...
  values = [
    templatefile("${path.module}/templates/values.yaml.tpl", {
      "cluster_name" = var.cluster_name,
      ...
      "policy" = var.policy
    })
  ]
}
```
variables.tf
```hcl
variable "policy" {
  type        = string
  default     = "upsert-only"
  description = "Policy for creating or updating records. Possible values: \"sync\" - allows full synchronization of DNS records, or \"upsert-only\" - allows everything except deleting DNS records."
}
```
It should either be configurable via terraform variable or just use the default of the helm-chart version.
It would be nice to add a lifecycle rule to the "aws_iam_role" "this" resource so that usage doesn't cause change-detection notes on every apply.
This appears in almost every Terraform run in our system (which is a dev system, so it experiences a fair amount of application change):
```text
~ role_last_used = [
    ~ {
        ~ last_used_date = "2023-05-19T13:45:44Z" -> "2023-05-19T15:03:24Z"
          # (1 unchanged attribute hidden)
      },
  ]
```
Feature Idea
After providing argo_helm_values, the deployment's args are not changed.
Bug Report
```text
% terraform --version
Terraform v1.4.3-dev
on darwin_amd64
+ provider registry.terraform.io/cloudposse/utils v1.5.0
+ provider registry.terraform.io/hashicorp/aws v4.40.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.4.3

Your version of Terraform is out of date! The latest version
is 1.4.6. You can update by downloading from https://www.terraform.io/downloads.html
```
```hcl
locals {
  external_dns_values = templatefile("./helm-values/external-dns.yaml", {})
}

module "argo_external_dns" {
  enabled           = true
  argo_enabled      = true
  argo_helm_enabled = true
  ....
  argo_helm_values = local.external_dns_values
}
```
./helm-values/external-dns.yaml contains
```yaml
global:
  imageRegistry: docker.io
nodeSelector:
  node-group-purpose: infra
policy: sync
logLevel: debug
triggerLoopOnEvent: true
interval: 5s
cloudflare:
  proxied: true
  secretName: cloudflare
#env:
#  - name: CF_API_TOKEN
#    valueFrom:
#      secretKeyRef:
#        name: cloudflare
#        key: CF_API_TOKEN
domainFilters: ["google.com"]
#zoneIdFilters: ["1c5106c2b6c6c329ce0acc3bff85380b"]
resources:
  limits:
    memory: 100Mi
    cpu: 100m
  requests:
    memory: 50Mi
    cpu: 50m
metrics:
  enabled: true
  serviceMonitor:
    enabled: true
    interval: 60s
    scrapeTimeout: 10s
```
Since I passed external-dns.yaml, the deployment arguments should be applied, but they are the defaults:
```yaml
containers:
  - args:
      - '--metrics-address=:7979'
      - '--log-level=info'
      - '--log-format=text'
      - '--policy=upsert-only'
      - '--provider=aws'
      - '--registry=txt'
      - '--interval=1m'
      - '--source=service'
      - '--source=ingress'
      - '--aws-api-retries=3'
      - '--aws-zone-type='
      - '--aws-batch-change-size=1000'
```
Apply complete! Resources: 9 added,