Add kubernetes_config_map_v1_data resource #1671
Conversation
jrhouston
force-pushed
the
configmap-data-resource
branch
from
0495501 to
6e78753
Compare
kubernetes/provider.go
Outdated
| "kubernetes_annotations": resourceKubernetesAnnotations(), | ||
| "kubernetes_labels": resourceKubernetesLabels(), | ||
| "kubernetes_annotations": resourceKubernetesAnnotations(), | ||
| "kubernetes_config_map_v1_data": resourceKubernetesConfigMapV1Data(), |
There was a problem hiding this comment.
Most of our resources have a version at the end of their names, shall we continue this practice and call it kubernetes_config_map_data_v1? I am not sure though if that one won't overlap with any native Kubernetes resources in the future. I am totally fine with the current name and can see the logic here too, so I am just curious.
There was a problem hiding this comment.
Yeah I wasn't sure how to place the version – I formatted it like this to reflect that we're managing the data field of the kubernetes_config_map_v1 resource since the data field isn't versioned.
|
🥇 |
|
Since this PR is aimed at solving #723, I ran a few test runs patching the resource "kubernetes_config_map_v1_data" "aws_auth" {
metadata {
name = "aws-auth"
namespace = "kube-system"
}
data = {
"mapRoles" = <<-EOT
- rolearn: arn:aws:iam::111111111111:role/DemoEKS-NodeInstanceRole
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::111111111111:role/TeamRole
username: TeamRole
groups:
- system:masters
EOT
"mapUsers" = <<-EOT
- userarn: arn:aws:iam::111111111111:user/sukumar-test-test
username: sukumar
groups:
- system:masters
EOT
}
force = true
}and the apply... Terraform will perform the following actions:
# module.eks_auth.kubernetes_config_map_v1_data.aws_auth will be created
+ resource "kubernetes_config_map_v1_data" "aws_auth" {
+ data = {
+ "mapAccounts" = <<-EOT
- "777777777777"
- "888888888888"
EOT
+ "mapRoles" = <<-EOT
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::326504147071:role/foo-eks-node-group-20220401053147969300000001"
"username": "system:node:{{EC2PrivateDNSName}}"
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::326504147071:role/boo-node-group-20220401053147969900000003"
"username": "system:node:{{EC2PrivateDNSName}}"
- "groups":
- "system:bootstrappers"
- "system:nodes"
- "system:node-proxier"
"rolearn": "arn:aws:iam::326504147071:role/bar-20220401053147969700000002"
"username": "system:node:{{SessionName}}"
- "groups":
- "system:masters"
"rolearn": "arn:aws:iam::66666666666:role/role1"
"username": "role1"
EOT
+ "mapUsers" = <<-EOT
- "groups":
- "system:masters"
"userarn": "arn:aws:iam::66666666666:user/user1"
"username": "user1"
- "groups":
- "system:masters"
"userarn": "arn:aws:iam::66666666666:user/user2"
"username": "user2"
EOT
}
+ force = true
+ id = (known after apply)
+ metadata {
+ name = "aws-auth"
+ namespace = "kube-system"
}
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
module.eks_auth.kubernetes_config_map_v1_data.aws_auth: Creating...
module.eks_auth.kubernetes_config_map_v1_data.aws_auth: Creation complete after 1s [id=kube-system/aws-auth]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.This resource is consistent with the |
|
This resource will fail if the configmap does not exist. I realize that is by design... But please consider that the
I will admit that these are edge case scenarios, but think it would be nice to have a general workaround for this type of scenario. I tried getting around this by using the data "kubernetes_resource" "aws_auth" {
api_version = "v1"
kind = "ConfigMap"
metadata {
name = "aws-auth"
namespace = "kube-system"
}
}
output "aws_auth_cm" {
value = try(data.kubernetes_resource.aws_auth, null)
}but then i encounter this issue with the provider ╷
│ Error: Provider produced null object
│
│ Provider "provider[\"registry.terraform.io/hashicorp/kubernetes\"]" produced a null value for
│ data.kubernetes_resource.aws_auth.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵again, I understand that is by design as it is consistent with other data resources like data.aws_ami that also throw an error when no resource is found. But I think it would be nice if the data resource would return a |
|
I suppose another workaround could be to indirectly check for the existence of |
|
Thanks for testing this out @aidanmelen and for the great discussion. Throwing an error when the data source doesn't exist is pretty standard across terraform providers and so I would prefer to stay consistent with that pattern. However, I do have plans (soon) to add a |
It is unfortunate that Terraform took that approach for data resources. But I agree, it is best to stay consistent. |
I like that a lot. I vote yes. It would be really similiar to the pattern used by the kubectl_server_version resource in the kubectl provider. |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Description
This PR adds a resource which allows Terraform to use field manager to manage the data within a ConfigMap that already exists. The implementation of this resource is similar to kubernetes_annotations (#1660) and kubernetes_labels (#1616) but does not require the dynamic client, so does not need the user to specify the apiVersion and kind.
Acceptance tests
Output from acceptance testing:
Release Note
Release note for CHANGELOG:
References
#723 – one of the frequent use cases in this issue is patching configmaps
Community Note