lablabs / terraform-aws-eks-external-dns Goto Github PK

Summary

The iam policy can't be created in AWS China, because AWS china the arn format is: arn:awscn

Issue Type

Bug Report

Terraform Version

terraform --version
Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/cloudposse/utils v1.6.0
+ provider registry.terraform.io/hashicorp/aws v4.45.0
+ provider registry.terraform.io/hashicorp/external v2.2.3
+ provider registry.terraform.io/hashicorp/helm v2.7.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.11.0

Steps to Reproduce

module "external_dns" {
count = var.environment == "dev" ? 1 : 0
source = "lablabs/eks-external-dns/aws"
version = "1.1.0"

cluster_identity_oidc_issuer = data.aws_iam_openid_connect_provider.meid_eks_oidc.url
cluster_identity_oidc_issuer_arn = data.aws_iam_openid_connect_provider.meid_eks_oidc.arn

irsa_role_name_prefix = "irsa-external-dns-${var.projectname}-${var.environment}-${var.region}"
irsa_tags = {
Name = "external-dns-${var.projectname}-${var.environment}-${var.region}"
Region = var.region
Environment = var.environment
Managedby = "Terraform"
}

helm_chart_version = "6.8.1"

values = yamlencode({
policy = "sync"
triggerLoopOnEvent = true
txtPrefix = "z-external-dns-"
global = { imageRegistry = "${var.accountid}.dkr.ecr.${var.region}.${var.awsdomain}" }
})
}

Expected Results

The iam policy cloud be created successfully

Actual Results

Error: error creating IAM Policy irsa-external-dns-meid-cn-dev-cn-north-1-external-dns: MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:route53:::hostedzone/*".
│       status code: 400, request id: ecc835f4-88df-401b-a4a5-36a16e692e8b
│ 
│   with module.external_dns[0].aws_iam_policy.this[0],
│   on .terraform/modules/external_dns/iam.tf line 49, in resource "aws_iam_policy" "this":
│   49: resource "aws_iam_policy" "this" {

Summary

When the settings map has values, and argocd is being used, a boolean check for forceString fails with the following error:

Error: error validating "": error validating data: ValidationError(Application.spec.source.helm.parameters[0].forceString): invalid type for io.argoproj.v1alpha1.Application.spec.source.helm.parameters.forceString: got "string", expected "boolean"

The tomap() function in terraform causes all objects in the function to be converted to the same type. https://developer.hashicorp.com/terraform/language/functions/tomap

In argo.tf you can remove the tomap() function on line 15 and the forceString parameter makes it through as a boolean. This worked on my local machine.

Issue Type

Bug Report

Terraform Version

$ terraform --version
Terraform v1.3.3
on windows_amd64

Your version of Terraform is out of date! The latest version
is 1.3.6. You can update by downloading from https://www.terraform.io/downloads.html

Steps to Reproduce

module "eks-external-dns" {
  source  = "lablabs/eks-external-dns/aws"
  version = "1.1.0"

  cluster_identity_oidc_issuer     = module.eks.oidc_provider
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn


  # https://registry.terraform.io/modules/lablabs/eks-external-dns/aws/latest#argo-helm
  enabled           = true
  argo_enabled      = true
  argo_helm_enabled = true

  argo_namespace = helm_release.argocd.namespace
  argo_sync_policy = {
    "automated" : {}
    "syncOptions" = ["CreateNamespace=true"]
  }

  settings = {
    "policy" = "sync"
  }
}

Expected Results

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Actual Results

Error: error validating "": error validating data: ValidationError(Application.spec.source.helm.parameters[0].forceString): invalid type for io.argoproj.v1alpha1.Application.spec.source.helm.parameters.forceString: got "string", expected "boolean"

I would like to be able to deploy External DNS into an existent K8S namespace in my cluster, such as kube-dns, without letting this module to create it for me.
As per actual behavior, the options are to use default kube-system or to create a new namespace.
I suggest to create an optional boolean flag (i.e.) k8s_create_namespace with default value true.
The new flag should be introduced in the count field of the kubernetes_namespace resource as follows:

  count = (var.enabled && var.k8s_create_namespace && var.k8s_namespace != "kube-system") ? 1 : 0
  ....

I think I am hitting this bug in the modules due to the use of the dynamic providers but I cannot test to confirm since the modules do not support Terraform 0.14. Can we add support for that?

hashicorp/terraform-provider-helm#476

Summary

When I try to add external dns version 0.8.1 it conflicts and says that chart version 5.4.4 not available.

Issue Type

Bug Report

Terraform Version

Terraform v1.3.6
on linux_amd64
+ provider registry.terraform.io/cloudposse/utils v1.6.0
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v3.76.1
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/helm v2.8.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.16.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Steps to Reproduce

module "eks-external-dns" {
  source  = "lablabs/eks-external-dns/aws"
  version = "0.8.1"

  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn
  cluster_name                     = module.eks.cluster_id
}

Expected Results

I expected terraform to deploy external dns release on cluster

Actual Results

╷
│ Error: could not download chart: chart "external-dns" version "5.4.4" not found in https://charts.bitnami.com/bitnami repository
│ 
│   with module.eks-external-dns.helm_release.external_dns[0],
│   on .terraform/modules/eks-external-dns/main.tf line 32, in resource "helm_release" "external_dns":
│   32: resource "helm_release" "external_dns" {
│ 
╵

Summary

Using the below TF code the generated kubernetes service account for external-dns is not annotated with the IAM role. The same values in an output prints correctly, but the sa is annotated with an empty string instead of the iam role arn.

Issue Type

Bug Report

Terraform Version

➜  common git:(SDP-6527f) ✗ terraform version 
Terraform v1.4.6
on darwin_arm64
+ provider registry.terraform.io/cloudposse/utils v1.9.0
+ provider registry.terraform.io/cyrilgdn/postgresql v1.20.0
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/goharbor/harbor v3.9.4
+ provider registry.terraform.io/hashicorp/aws v4.67.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.2
+ provider registry.terraform.io/hashicorp/helm v2.10.1
+ provider registry.terraform.io/hashicorp/http v3.4.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.21.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Steps to Reproduce

module "external_dns_eks" {
  source  = "lablabs/eks-external-dns/aws"
  version = "1.2.0"
  providers = {
    kubernetes = kubernetes.platform
    helm       = helm.platform
  }
  irsa_policy_enabled              = true
  irsa_role_create                 = false
  irsa_assume_role_enabled         = true
  irsa_assume_role_arn             = "arn:aws:iam::${var.allowed_account_ids[0]}:role/AmazonEKSExternalDns-${var.region}"
  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = data.aws_iam_openid_connect_provider.eks_cluster.arn

  # for doc see: https://artifacthub.io/packages/helm/bitnami/external-dns
  values = yamlencode({
    "txtOwnerId" : "${local.eks_cluster_name}"
    "domainFilters" : [
      "${var.platform_domain}"
    ]
    "policy" : "sync"
    "aws.zoneType" : "public"
  })
}

Expected Results

KUBERNETES SA:
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-dns
namespace: kube-system
labels:
app.kubernetes.io/instance: external-dns
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: external-dns
helm.sh/chart: external-dns-6.5.6
annotations:
eks.amazonaws.com/role-arn: 'THE ROLE ARN HERE'
meta.helm.sh/release-name: external-dns
meta.helm.sh/release-namespace: kube-system

Actual Results

KUBERNETES SA: 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: kube-system
  labels:
    app.kubernetes.io/instance: external-dns
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: external-dns
    helm.sh/chart: external-dns-6.5.6
  annotations:
    eks.amazonaws.com/role-arn: '' <--------- EMPTY_STRING 
    meta.helm.sh/release-name: external-dns
    meta.helm.sh/release-namespace: kube-system

After upgrading AWS EKS to version 1.22, the lablabs 0.9.0 external-dns pod goes into a CrashLoopBackOff. This is caused by k8s 1.22 stopping to support a couple deprecated APIs, including the Ingress in extensions/v1beta1.

Fix is in external-dns version 0.10.0+ :
kubernetes-sigs/external-dns#2168

The external-dns logs show this fatal error:
time="2022-04-15T21:19:09Z" level=fatal msg="failed to sync cache: timed out waiting for the condition"

Hi,

I have an issue with passing values to extraEnv parameter of helm chart via set.

I tried few ways, but with no success.

Could you please advise how it can be implemented.

Thanks a lot

Hi;
I would like to be able to configure the External DNS "policy" argument (as per Setup Guide), to be able to set "upset-only" or "sync" values.

Enable full sync - kubernetes-sigs/external-dns#442

Required changes:

values.yaml.tpl

## Modify how DNS records are sychronized between sources and providers (options: sync, upsert-only)
##
policy: ${ policy }

main.tf

resource "helm_release" "external_dns" {
...
  values = [
    "${templatefile("${path.module}/templates/values.yaml.tpl",
      {
        "cluster_name"              = var.cluster_name,
        ...
        "policy"                    = var.policy
      })
    }"
  ]
}

variables.tf

variable "policy" {
  default     = "upsert-only"
  description = "Policy for creating or updating records. Possible values: \"sync\" - allows for full synchronization of DNS records or \"upsert-only\" - allows evrything but deleting DNS records."
}

See https://github.com/lablabs/terraform-aws-eks-external-dns/blob/master/templates/values.yaml.tpl#L49-L52

It should either be configurable via terraform variable or just use the default of the helm-chart version.

Summary

It would be nice to add a lifecycle rule to the "aws_iam_role" "this" so that usage doesn't cause change detection notes on every apply.

This appears in almost every Terraform run in our system (which is a dev system, so it experiences a fair amount of application change):

~ role_last_used = [
~ {
~ last_used_date = "2023-05-19T13:45:44Z" -> "2023-05-19T15:03:24Z"
# (1 unchanged attribute hidden)
},
]

Issue Type

Feature Idea

Summary

after providing argo_helm_values deployments args is not changed.

Issue Type

Bug Report

Terraform Version

% terraform --version 
Terraform v1.4.3-dev
on darwin_amd64
+ provider registry.terraform.io/cloudposse/utils v1.5.0
+ provider registry.terraform.io/hashicorp/aws v4.40.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.4.3

Your version of Terraform is out of date! The latest version
is 1.4.6. You can update by downloading from https://www.terraform.io/downloads.html

Steps to Reproduce

locals {
  external_dns_values = templatefile("./helm-values/external-dns.yaml", {})
}


module "argo_external_dns" {
  enabled           = true
  argo_enabled      = true
  argo_helm_enabled = true
  ....
  argo_helm_values =  local.external_dns_values
}

./helm-values/external-dns.yaml contains

`global:
  imageRegistry: docker.io

nodeSelector:
  node-group-purpose: infra

policy: sync
logLevel: debug
triggerLoopOnEvent: true
interval: 5s

cloudflare:
  proxied: true
  secretName: cloudflare

#env:
#  - name: CF_API_TOKEN
#    valueFrom:
#      secretKeyRef:
#        name: cloudflare
#        key: CF_API_TOKEN

domainFilters: ["google.com"]
#zoneIdFilters: ["1c5106c2b6c6c329ce0acc3bff85380b"]



resources:
  limits:
    memory: 100Mi
    cpu: 100m
  requests:
    memory: 50Mi
    cpu: 50m

metrics:
  enabled: true
  serviceMonitor:
    enabled: true
    interval: 60s
    scrapeTimeout: 10s
`

Expected Results

As I passed external-dns.yaml, deployment arguments should be applied, but it is the default:

containers: - args: - '--metrics-address=:7979' - '--log-level=info' - '--log-format=text' - '--policy=upsert-only' - '--provider=aws' - '--registry=txt' - '--interval=1m' - '--source=service' - '--source=ingress' - '--aws-api-retries=3' - '--aws-zone-type=' - '--aws-batch-change-size=1000' -

Actual Results

Apply complete! Resources: 9 added,