-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update hashicorp/terraform-provider-aws version #319
Comments
Thanks for opening the issue @ialidzhikov. As this is a breaking change for end-users, I'm thinking about having some fallback mechanism to the current provider plugin version in case the user's account does not include the required new permission. Do you think something like would be reasonable to prevent too many clusters from becoming stuck in a failed state, or would you rather go the "standard" way (operators announcing the change so that end-users can adapt until a certain time, and only afterwards the version is updated)? |
Such fallback mechanism can be implemented using the operation in question - try to To be honest I am not sure. What would we gain from such fallback mechanism? I assume that there will be always folks that will miss the action required and will potentially update after the Infrastructure reconciliation is failing. I rather see complexity that will be added on top:
So I would rather vote for "announce the upcoming change; give enough period for adaptation; actively monitor the adaptation and roll-out when we are sure". |
Yeah, I agree, let's do it as usual. I was just brain-storming about potential other ways how to deal with this situation and wanted to get some feedback. The points you raised are very valid and there is no good reason to not follow the usual approach. |
Should we add an empty commit with a |
Ref https://groups.google.com/g/gardener/c/sIwiQp6ak_4/m/y2mUd3_lAAAJ and https://kubernetes.slack.com/archives/CB57N0BFG/p1619106318319700 |
I am closing this issue as all subtasks are completed (11/11). /close |
/platform aws
/kind bug
We have the following issues reported in the upstream terraform-provider-aws:
They continuously reproduce on our environments and require manual ops effort to be fixed.
It seems that now both of the issues are fixed (hopefully) in 3.34.0 (see CHANGELOG). So we should update to terraform-provider-aws version
>= 3.34.0
to adopt these fixes.However terraform-provider-aws
>= 3.29.1
requires additional permission that is currently not part of our recommended AWS IAM policy - see https://github.com/gardener/gardener-extension-provider-aws/blob/v1.22.2/docs/usage-as-end-user.md#permissions. The corresponding upstream change is hashicorp/terraform-provider-aws#5904 - it requires additional permissioniam:ListRolePolicies
to be able to successfully apply anaws_iam_role
resource.The required change to the AWS IAM policy:
So before update to terraform-provider-aws
>= 3.29.1
we need to update our recommended AWS IAM policy that is currently maintained in few separate places:We should also treat this AWS IAM policy change as breaking one and we need to document in properly in the release notes.
As hashicorp/terraform-provider-aws is under active development,
terraform-provider-aws@latest
can potentially have other breaking changes. So that's why I propose to first update to3.32.0
to tackle the breaking change in the AWS IAM policy. Then we can work on updating toterraform-provider-aws@latest
which will include the above bug fixes.Tasks related to g/terraformer (update to
terraform-provider-aws@3.32.0
):Tasks related to g/terraformer (update to terraform-provider-aws version
>= 3.34.0
):>= 3.34.0
(if possible terraform-provider-aws@latest) -> Update hashicorp/terraform-provider-aws terraformer#101>= 3.34.0
-> https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.28.0The text was updated successfully, but these errors were encountered: