bug: The value for role arn "annotation" is left empty #20

Open
xiaoxi-s opened this issue Sep 25, 2023 · 0 comments
Labels
bug Something isn't working
xiaoxi-s commented Sep 25, 2023

Summary

In values.tf, the ARN value is left blank at line 15. However, when an IRSA role is not created, the correct behavior should be to use the role provided by irsa_assume_role_arn.
[Screenshot 2023-09-25 at 5 26 00 PM]

Issue Type

Bug Report

Terraform Version

Xiaoxis-MBP:datachat xiaoxisun$ t --version
Terraform v1.5.5
on darwin_amd64

Your version of Terraform is out of date! The latest version
is 1.5.7. You can update by downloading from https://www.terraform.io/downloads.html

Steps to Reproduce

module "eks-cluster-autoscaler" {
  source                           = "lablabs/eks-cluster-autoscaler/aws"
  version                          = "2.1.0"
  cluster_identity_oidc_issuer     = module.eks.oidc_provider
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn
  cluster_name                     = module.eks.cluster_name
  irsa_role_create                 = false
  irsa_policy_enabled              = false
  irsa_assume_role_enabled         = true
  irsa_assume_role_arn             = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/AmazonEKSCompactClusterAutoscalerRole"
  helm_chart_version               = "9.29.2"
  helm_lint                        = true
  namespace                        = "kube-system"
  values                           = file("../../modules/eks/values/cluster-autoscaler-values.yaml")
  settings = {
    "autoDiscovery.clusterName" = module.eks.cluster_name
    "image.tag"                 = var.cluster_autoscaler_image_tag
  }
}

Given the usage of the EKS Terraform module, the above piece of code doesn't actually use the role AmazonEKSCompactClusterAutoscalerRole. We have to attach the proper policy to the role that the EC2 nodes assume in order for the cluster autoscaler to have the proper permissions.

After applying the changes, the value of the arn is empty as shown below:
[Screenshot 2023-09-25 at 5 36 26 PM]

Expected Results

The above configuration should work.

Actual Results

The above configuration leads to:

E0925 21:47:42.412942       1 aws_manager.go:262] Failed to regenerate ASG cache: AccessDenied: User: arn:aws:sts::xxxx:assumed-role/<node group name>/<the node instance id that cluster autoscaler is on> is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action
        status code: 403, request id: d2049ca6-355c-456b-ad63-2abd509cc9a0
F0925 21:47:42.412994       1 aws_cloud_provider.go:426] Failed to create AWS Manager: AccessDenied: User: arn:aws:sts::xxxxxx:assumed-role/<node group name>/<the node instance id that cluster autoscaler is on> is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action
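
A check for the failure mode reported above, as an added example that is not part of the original issue or the module's code: it flags a service account whose `eks.amazonaws.com/role-arn` annotation is missing or empty, and reads the principal out of the AccessDenied line to tell whether the pod fell back to the node's instance role (EC2 instance-profile sessions are named after the instance ID). The account ID, node role name, instance ID and service account manifest are constructed sample values.

```python
import re

# Principal in an AWS AccessDenied message:
# arn:aws:sts::<account>:assumed-role/<role name>/<session name>
PRINCIPAL = re.compile(
    r"arn:aws[\w-]*:sts::\w+:assumed-role/(?P<role>[^/\s]+)/(?P<session>\S+)"
)
# Credentials from an EC2 instance profile use the instance ID as session name.
INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8,17}$")
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"


def annotation_problem(service_account, expected_role_arn):
    """Return a finding if the IRSA annotation is missing, empty or wrong."""
    annotations = service_account.get("metadata", {}).get("annotations") or {}
    value = (annotations.get(ROLE_ARN_ANNOTATION) or "").strip()
    if not value:
        return "role-arn annotation is missing or empty"
    if value != expected_role_arn:
        return f"role-arn annotation points at {value}"
    return None


def caller_from_log(line):
    """Return (role, session, is_node_role) parsed from an AccessDenied line."""
    match = PRINCIPAL.search(line)
    if not match:
        return None
    session = match.group("session")
    return match.group("role"), session, bool(INSTANCE_ID.match(session))


# Constructed sample input (placeholder account ID, role and instance ID).
EXPECTED = "arn:aws:iam::111122223333:role/AmazonEKSCompactClusterAutoscalerRole"
SA_EMPTY = {
    "metadata": {
        "name": "cluster-autoscaler",  # assumed service account name
        "namespace": "kube-system",
        "annotations": {ROLE_ARN_ANNOTATION: ""},
    }
}
LOG = (
    "E0925 21:47:42.412942       1 aws_manager.go:262] Failed to regenerate ASG cache: "
    "AccessDenied: User: arn:aws:sts::111122223333:assumed-role/"
    "example-node-group-role/i-0123456789abcdef0 is not authorized to perform: "
    "autoscaling:DescribeAutoScalingGroups"
)

if __name__ == "__main__":
    print(annotation_problem(SA_EMPTY, EXPECTED))
    print(caller_from_log(LOG))
```

The service account dictionary has the shape of `kubectl get serviceaccount <name> -o json` output, so real output can be passed to `annotation_problem` after `json.loads`.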