Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: public_access_cidrs require a value even if public endpoint is disabled #2320

Merged
merged 2 commits into from
Dec 6, 2022

Conversation

smelchior
Copy link
Contributor

Description

Do not set public_access_cidr when public access is disabled.

Motivation and Context

When upgrading from v18 -> v19 with an existing private-only cluster we were shown the following plan:

  # module.eks.aws_eks_cluster.this[0] will be updated in-place
  ~ resource "aws_eks_cluster" "this" {
        id                        = "xx"
        name                      = "xx"
        tags                      = {}
        # (11 unchanged attributes hidden)

      ~ vpc_config {
          ~ public_access_cidrs       = [
              - "0.0.0.0/0",
            ]
            # (6 unchanged attributes hidden)
        }

        # (2 unchanged blocks hidden)
    }

When applying we got:

│ Error: updating EKS Cluster (xx) VPC config: InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: false, and Public Endpoint Restrictions: [0.0.0.0/0]

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@smelchior smelchior changed the title fix: skip public_access_cidrs if var.cluster_endpoint_public_access = false Fix: skip public_access_cidrs if var.cluster_endpoint_public_access = false Dec 6, 2022
@smelchior smelchior changed the title Fix: skip public_access_cidrs if var.cluster_endpoint_public_access = false fix: Skip public_access_cidrs if var.cluster_endpoint_public_access = false Dec 6, 2022
@yafanasiev
Copy link

Just hit this as well, can verify that setting public_access_cidrs to null resolves the issue. Thank you @smelchior!

@bryantbiggs
Copy link
Member

interesting - it looks like our previous default value is causing the issue here. the value is optional and does not have a default https://github.com/hashicorp/terraform-provider-aws/blob/a421ee175fdae8d1d2d5ef71b86d46809b4780fb/internal/service/eks/cluster.go#L257 but I'm guessing that because in prior versions the default value was set to ["0.0.0.0/0"], that we can't unset that value

main.tf Outdated Show resolved Hide resolved
@@ -27,7 +27,7 @@ resource "aws_eks_cluster" "this" {
subnet_ids = coalescelist(var.control_plane_subnet_ids, var.subnet_ids)
endpoint_private_access = var.cluster_endpoint_private_access
endpoint_public_access = var.cluster_endpoint_public_access
public_access_cidrs = var.cluster_endpoint_public_access ? var.cluster_endpoint_public_access_cidrs : []
public_access_cidrs = var.cluster_endpoint_public_access_cidrs
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like our default value of ["0.0.0.0/0"] is the correct default and we can't set to an empty array so reverting to the previous setup

Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-resourcesvpcconfig.html#cfn-eks-cluster-resourcesvpcconfig-publicaccesscidrs

@bryantbiggs bryantbiggs changed the title fix: Skip public_access_cidrs if var.cluster_endpoint_public_access = false fix: public_access_cidrs require a value even if public endpoint is disabled Dec 6, 2022
@bryantbiggs bryantbiggs merged commit 3f6d915 into terraform-aws-modules:master Dec 6, 2022
antonbabenko pushed a commit that referenced this pull request Dec 6, 2022
### [19.0.2](v19.0.1...v19.0.2) (2022-12-06)

### Bug Fixes

* `public_access_cidrs` require a value even if public endpoint is disabled ([#2320](#2320)) ([3f6d915](3f6d915))
@antonbabenko
Copy link
Member

This PR is included in version 19.0.2 🎉

spr-mweber3 pushed a commit to spring-media/terraform-aws-eks that referenced this pull request Jan 4, 2023
… disabled (terraform-aws-modules#2320)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
spr-mweber3 pushed a commit to spring-media/terraform-aws-eks that referenced this pull request Jan 4, 2023
### [19.0.2](terraform-aws-modules/terraform-aws-eks@v19.0.1...v19.0.2) (2022-12-06)

### Bug Fixes

* `public_access_cidrs` require a value even if public endpoint is disabled ([terraform-aws-modules#2320](terraform-aws-modules#2320)) ([3f6d915](terraform-aws-modules@3f6d915))
@github-actions
Copy link

github-actions bot commented Jan 6, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants