aws configmap

[Mieszko96]

hey in my current terraform i am using to manage aws configmap
i'm using module with version 19.20

resource "kubectl_manifest" "aws-auth-cm" {
  yaml_body = <<MANIFEST
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
%{if local.rancher2_import_enabled~}
  mapUsers: |
    - userarn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${var.rancher2_cloud_credentials_name}
      username: ${var.rancher2_cloud_credentials_name}
      groups:
      - system:masters
%{endif~}
%{if length(var.paas_eks_accounts) > 0~}
  mapAccounts: |
    ${replace(yamlencode(var.paas_eks_accounts), "\"", "")~}
%{endif~}
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: ${module.eks.eks_managed_node_groups["default"].iam_role_arn}
      username: system:node:{{EC2PrivateDNSName}}
%{if length(var.paas_eks_roles) > 0~}
    ${indent(4, replace(yamlencode(var.paas_eks_roles), "\"", ""))~}
%{endif~}
MANIFEST
  force_new = false
}

with eks_managed_node_groups and
create_aws_auth_configmap = false
manage_aws_auth_configmap = false

What i need to do to switch to
manage_aws_auth_configmap = true
and remove resource "kubectl_manifest" "aws-auth-cm"

What i tested.

scenario 1

removed resource "kubectl_manifest" "aws-auth-cm"
manage_aws_auth_configmap = false -> true
❌ configmap was deleted( we don't have configmap in EKS)

scenario 2
removed resource "kubectl_manifest" "aws-auth-cm"
create_aws_auth_configmap = true

❌ ✅ this scenario works, but if i use same code for brand new EKS it have error aws-auth already exist.
And i need solution for updated exisiting terraform and for brand new.

scenario 3
Also tried with moved block, but getting error

moved {
 from = kubectl_manifest.aws-auth-cm
 to   = module.eks.kubernetes_config_map_v1_data.aws_auth[0]
}

This statement declares a move from kubectl_manifest.aws-auth-cm to
module.eks.kubernetes_config_map.aws_auth[0], which is a resource instance of
a different type.

or

module.eks.kubernetes_config_map_v1_data.aws_auth[0], which is a resource
instance of a different type.

I don't mind if solution require removing state from terraform list

[Mieszko96]

actually checking
https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md
it will be removed in 21.xx at all so maybe i should not do this.

But if you have opinion/suggestions please let me know

[kaykhan]

@Mieszko96 Do you know if there new method to handle who has auth to use the cluster? is it access_entries?

[groovyghost]

@kaykhan It has been moved to submodule
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/20.8.5/submodules/aws-auth

[kaykhan]

@kaykhan It has been moved to submodule https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/20.8.5/submodules/aws-auth

This sub module is going to be removed in the next version (21) https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md#%EF%B8%8F-upcoming-changes-planned-in-v210-%EF%B8%8F

So just curious how to handle it moving forward.

Im wondering if we should now be creating this resource ourselves. https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1

[bryantbiggs]

its a separate sub-module and the code has not changed for this functionality for several years. Even though the code will be removed in v21, theres nothing stopping you from using the sub-module at v20 for years to come.

However, long term the strategy is to use cluster access entries