don't use name_prefix for aws_iam_role name, enabled by the iam_role_use_name_prefix attribute in the self_managed_node_group module.
#22
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…role_use_name_prefix` attribute (default `true`) in the `self_managed_node_group` module. an `aws_iam_role` resource is (created)[https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/modules/self-managed-node-group/main.tf#L735] by the `self_managed_node_group` module. the `name_prefix` is either (set)[https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/modules/self-managed-node-group/main.tf#L716] to the `iam_role_name` or `name`(+ "-node-group") attributes if the former is not configured. a `name_prefix` will only be used for the IAM role name created by the `self_managed_node_group` module if `iam_role_use_name_prefix` is (true)[https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/modules/self-managed-node-group/main.tf#L739] if a (`name_prefix`)[https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#name_prefix] is used, then a unique ID is generated and appended to the `name_prefix`. the name for an `aws_iam_role` resource is set (here)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/iam/role.go#L193] in `resourceRoleCreate()`. its generated by a call to the (`Name()`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L14] function, passing in the `name` and `name_prefix` attributes of the `aws_iam_role` resource. the `Name()` function (returns)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L15] the (`Generate()`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L108] method called on the results of (`NewNameGenerator()`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L97] which is passed the function arguments (`WithConfiguredName(name)`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L65] and (`WithConfiguredPrefix(namePrefix)`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L74]. this sets `configuredName` and `configuredPrefix` fields for a (`nameGenerator`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L52] object. the `Generate()` method which ultimately creates the name that will be used for the `aws_iam_role` will (return)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L109C11-L110] the `name` if configured, otherwise it (returns)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/create/naming.go#L117] the `name_prefix` with a unique 26 digit ID appended by (PrefixedUniqueId())[https://github.com/hashicorp/terraform-plugin-sdk/blob/main/helper/id/id.go]. this restricts the `name_prefix` length to 38 characters, which is the defined maximum length of a role name set by constant (`roleNameMaxLen`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/iam/role.go#L38] (64) minus the unique ID suffix length (26) i.e. the constant (`roleNamePrefixLen`)[https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/iam/role.go#L39] this change is intended to resolve the below terraform error commonly encountered by CuTE users: ``` ╷ │ Error: expected length of name_prefix to be in the range (1 - 38), got 123-example-test-egressgw-1-node-group- │ │ with module.eks.module.main.module.self_managed_node_group["egressgw_1"].aws_iam_role.this[0], │ on .terraform/modules/eks.main/modules/self-managed-node-group/main.tf line 728, in resource "aws_iam_role" "this": │ 728: name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null │ ╵ make: *** [Makefile:8: apply] Error 1 ``` overall this will allow a longer name to be used for clusters and/or node groups in CuTE configurations, about 53 characters total since "-node-group" is always appended to the node group IAM role name.
clay-moss
changed the title
name_prefix for aws_iam_role name, enabled by the iam_role_use_name_prefix attribute (default true) in the self_managed_node_group module.name_prefix for aws_iam_role name, enabled by the iam_role_use_name_prefix attribute in the self_managed_node_group module.
chancez
reviewed
Dec 8, 2023
eks.tf
Outdated
| @@ -130,6 +130,7 @@ module "main" { | |||
| pre_bootstrap_user_data = g.pre_bootstrap_user_data // The pre-bootstrap user data to use for worker nodes. | |||
| post_bootstrap_user_data = g.post_bootstrap_user_data // The pre-bootstrap user data to use for worker nodes. | |||
| iam_role_additional_policies = g.iam_role_additional_policies | |||
| iam_role_use_name_prefix = false | |||
There was a problem hiding this comment.
Instead of universally setting this to false, I suggest having it configurable by the self_managed_node_groups var and you can set a default if it's unset (null).
There was a problem hiding this comment.
I added a commit with suggested changes @chancez
…le use of [Optional Object Type Attributes](https://developer.hashicorp.com/terraform/language/v1.3.x/expressions/type-constraints#optional-object-type-attributes) with default values - _variables.tf_: make `iam_role_use_name_prefix` an attribute for the `self_managed_node_groups` object variable with type `bool` and default value `false` - _eks.tf_: set `iam_role_use_name_prefix` variable for node groups defined by the `self_managed_node_groups` map in eks cluster module equal to the `iam_role_use_name_prefix` attribute value in the `self_managed_node_groups` object variable
chancez
reviewed
Dec 11, 2023
Co-authored-by: Clayton Moss <[email protected]>
f1ko
approved these changes
Dec 11, 2023
chancez
approved these changes
Dec 11, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
an
aws_iam_roleresource is created by theself_managed_node_groupmodule.the
name_prefixis either set to theiam_role_nameorname(+ "-node-group") attributes if the former is not configured.a
name_prefixwill only be used for the IAM role name created by theself_managed_node_groupmodule ifiam_role_use_name_prefixis trueif a
name_prefixis used, then a unique ID is generated and appended to thename_prefix.the name for an
aws_iam_roleresource is set here inresourceRoleCreate().its generated by a call to the
Name()function, passing in thenameandname_prefixattributes of theaws_iam_roleresource.the
Name()function returns theGenerate()method called on the results ofNewNameGenerator()which is passed the function argumentsWithConfiguredName(name)andWithConfiguredPrefix(namePrefix). this setsconfiguredNameandconfiguredPrefixfields for anameGeneratorobject.the
Generate()method which ultimately creates the name that will be used for theaws_iam_rolewill return thenameif configured, otherwise it returns thename_prefixwith a unique 26 digit ID appended, created by PrefixedUniqueId().this restricts the
name_prefixlength to 38 characters, which is the defined maximum length of a role name set by constantroleNameMaxLen(64) minus the unique ID suffix length (26) i.e. the constantroleNamePrefixLenthis change is intended to resolve the below terraform error commonly encountered by CuTE users:
overall this will allow a longer name to be used for clusters and/or node groups in CuTE configurations, about 53 characters total since "-node-group" is always appended to the node group IAM role name.