Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Invoke aws_iam_session_context data source only when required #3058

Merged
merged 6 commits into from
Jul 5, 2024
Merged

fix: Invoke aws_iam_session_context data source only when required #3058

merged 6 commits into from
Jul 5, 2024

Conversation

krlydm
Copy link
Contributor

@krlydm krlydm commented Jun 4, 2024

Description

Terraform fails to read aws_iam_session_context data resource when you are running your Terraform code inside a private VPC in AWS as IAM has no service endpoint to attach:
https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

Motivation and Context

Since KMS key creation and cluster admin permissions where this data resource referenced are conditional, we can use the same condition for aws_iam_session_context data resource.

Breaking Changes

Not a breaking change.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 5, 2024

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Jul 5, 2024
bryantbiggs
bryantbiggs approved these changes Jul 5, 2024
View reviewed changes
Copy link
Member

@bryantbiggs bryantbiggs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you!

@bryantbiggs bryantbiggs changed the title fix: Call aws_iam_session_context data resource only if needed fix: Invoke aws_iam_session_context data source only when required Jul 5, 2024
@bryantbiggs bryantbiggs merged commit f02df92 into terraform-aws-modules:master Jul 5, 2024
19 checks passed
antonbabenko pushed a commit that referenced this pull request Jul 5, 2024
@semantic-release-bot
chore(release): version 20.17.1 [skip ci]
27d649a 
## [20.17.1](v20.17.0...v20.17.1) (2024-07-05)

### Bug Fixes

* Invoke `aws_iam_session_context` data source only when required ([#3058](#3058)) ([f02df92](f02df92))
@antonbabenko
Copy link
Member

This PR is included in version 20.17.1 🎉

@jessebye
Copy link

jessebye commented Jul 5, 2024
edited
Loading

This seems to break our EKS use:

╷
│ Error: Invalid index
│
│   on .terraform/modules/eks/main.tf line 151, in locals:
│  151:       principal_arn = data.aws_iam_session_context.current[0].issuer_arn
│     ├────────────────
│     │ data.aws_iam_session_context.current is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
╵
╷
│ Error: Invalid index
│
│   on .terraform/modules/eks/main.tf line 240, in module "kms":
│  240:   key_administrators        = coalescelist(var.kms_key_administrators, [data.aws_iam_session_context.current[0].issuer_arn])
│     ├────────────────
│     │ data.aws_iam_session_context.current is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
╵
error: Recipe `apply` failed on line 29 with exit code 1

I confirmed pinning the module to 20.16.0 resolves the issue.

bryantbiggs added a commit to bryantbiggs/terraform-aws-eks that referenced this pull request Jul 5, 2024
@bryantbiggs
fix: Revert terraform-aws-modules#3058
2058151
@bryantbiggs bryantbiggs mentioned this pull request Jul 5, 2024
Merged
3 tasks
bryantbiggs added a commit that referenced this pull request Jul 5, 2024
@bryantbiggs
fix: Revert #3058 - fix: Invoke aws_iam_session_context data source o…
93ffdfc 
…nly when required (#3092)

fix: Revert #3058
antonbabenko pushed a commit that referenced this pull request Jul 5, 2024
@semantic-release-bot
chore(release): version 20.17.2 [skip ci]
d7aea4c 
## [20.17.2](v20.17.1...v20.17.2) (2024-07-05)

### Bug Fixes

* Revert [#3058](#3058) - fix: Invoke aws_iam_session_context data source only when required ([#3092](#3092)) ([93ffdfc](93ffdfc))
@zacharyfleck
Copy link

I confirmed pinning the module to 20.16.0 resolves the issue.

Confirming the same. Felt a wave of panic briefly when I got the random error. 🤣 Thanks for the quick resolution though!

@bryantbiggs
Copy link
Member

My apologies - we have reverted the commit

@zacharyfleck
Copy link

Thanks @bryantbiggs! Can also confirm all is good again with 20.17.2.

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 5, 2024

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 5, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bryantbiggs bryantbiggs bryantbiggs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@krlydm @antonbabenko @jessebye @zacharyfleck @bryantbiggs