✋ I have searched the open/closed issues and my issue is not listed.
Error: expected length of name to be in the range (1-64), got <cluster-name>-aws-load-balancer-controller-sa-irsa
with module.addons.module.aws_load_balancer_controller[0].module.helm_addon.module.irsa[0].aws_iam_role.irsa[0],
on .terraform/modules/addons/modules/irsa/main.tf line 38, in resource "aws_iam_role" "irsa":
38:   name = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")), null)
Terminal Output Screenshot(s)
N/A
Additional context
I believe the bug #333 is still present for the aws-load-balancer-controller.
It's failing for the irsa module's aws_iam_role which is controlled by var.irsa_iam_role_name.
So the only way I can currently solve without forking is to use a smaller cluster name (cluster name cannot exceed 27 chars) but I'd rather not do this.
Option 1: allow overriding local.name or local.service_account_name with helm_config
We could do this var.helm_config using something like helm_config["name"] or helm_config["service_account_name"] or both
module "addons" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.16.0"

  # ...

  enable_aws_load_balancer_controller = true
  aws_load_balancer_controller_helm_config = {
    # either of the below would avoid the 64 char max limit
    name                 = "aws-lb"
    service_account_name = "aws-lb-sa"
  }
}
Option 2: allow overriding the irsa_config
We do this already with local.helm_config which is a merge of local.default_helm_config and var.helm_config.
We could do the same with the local.irsa_config but then we would have to expose a new input variable across all submodules e.g. aws_load_balancer_controller_irsa_config
After some thought on this, it's probably not the best idea since the local.service_account_name is used in many places so overriding the local.irsa_config would not impact the other places.
Thoughts
I think Option 1 would be easier.
I also think that doing a validation for the IAM role name to ensure it's not over 64 chars during plan-time would be good too. That way we do not have to wait until we deploy our cluster to know that we have to shorten the IAM role name.
The error could be as simple as this where the error is thrown if the length of a string is fed as the index of the array.
> range(0, 65)[64]
64
> range(0, 65)[67]
╷
│ Error: Invalid index
Edit: on second thought, the above check is covered by tflint and its aws plugin.
Expected behaviour
Successful terraform apply
I believe the bug #333 is still present for the aws-load-balancer-controller.
It's failing for the irsa module's aws_iam_role which is controlled by var.irsa_iam_role_name.
terraform-aws-eks-blueprints/modules/irsa/main.tf (lines 16 to 19 in f233a46)
terraform-aws-eks-blueprints/modules/irsa/main.tf (lines 35 to 38 in f233a46)
The irsa module is consumed by the helm_addon module
terraform-aws-eks-blueprints/modules/kubernetes-addons/helm-addon/main.tf (line 63 in f233a46)
terraform-aws-eks-blueprints/modules/kubernetes-addons/helm-addon/main.tf (line 71 in f233a46)
terraform-aws-eks-blueprints/modules/kubernetes-addons/helm-addon/main.tf (line 74 in f233a46)
The helm addon does not expose the irsa_iam_role_name input
terraform-aws-eks-blueprints/modules/kubernetes-addons/aws-load-balancer-controller/main.tf (lines 1 to 8 in f233a46)
The local irsa_config has a hard coded kubernetes_service_account
terraform-aws-eks-blueprints/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf (lines 2 to 3 in f233a46)
terraform-aws-eks-blueprints/modules/kubernetes-addons/aws-load-balancer-controller/locals.tf (lines 46 to 52 in f233a46)
terraform-aws-eks-blueprints/modules/kubernetes-addons/main.tf (lines 180 to 186 in f233a46)
What's also interesting is how the aws_iam_policy uses a shorter name to most likely avoid the same max char issue that the aws_iam_role role hits.
terraform-aws-eks-blueprints/modules/kubernetes-addons/aws-load-balancer-controller/main.tf (lines 10 to 11 in f233a46)
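A plan-time guard for the 64-character IAM role name limit discussed in the issue, as an added example that is not part of the original post or the project's code. It reuses the name expression shown in the error output; the variable defaults, the `terraform_data` resource and the `iam_role_name_max` local are assumptions made for illustration.

```hcl
# Added example, not project code. Variable names follow the expression in the
# error output above; defaults are constructed sample values.
terraform {
  required_version = ">= 1.4.0" # terraform_data needs 1.4, precondition needs 1.2
}

variable "eks_cluster_id" {
  type    = string
  default = "my-platform-production-eu-west-1" # constructed, 32 characters
}

variable "kubernetes_service_account" {
  type    = string
  default = "aws-load-balancer-controller-sa"
}

variable "irsa_iam_role_name" {
  type    = string
  default = "" # empty means "derive the name", coalesce() skips empty strings
}

locals {
  iam_role_name_max = 64 # upper bound reported by the provider error

  # Same derivation as modules/irsa/main.tf line 38 in the error output.
  irsa_role_name = try(coalesce(
    var.irsa_iam_role_name,
    format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")
  ), null)
}

# Carries no infrastructure; it exists so the precondition is evaluated during
# terraform plan, before any cluster or role is created.
resource "terraform_data" "irsa_role_name_guard" {
  input = local.irsa_role_name

  lifecycle {
    precondition {
      condition     = length(local.irsa_role_name) <= local.iam_role_name_max
      error_message = "IRSA role name \"${local.irsa_role_name}\" is ${length(local.irsa_role_name)} characters; the limit is ${local.iam_role_name_max}. Shorten the cluster name or set irsa_iam_role_name."
    }
  }
}
```

With the sample 32-character cluster name the derived role name is 69 characters, so `terraform plan` stops at the precondition; the fixed suffix `-aws-load-balancer-controller-sa-irsa` takes 37 characters, which is where the 27-character cluster name ceiling in the issue comes from.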