How to use the same IAM role for two node groups in an EKS cluster in Terraform?

Time:10-01

CONTEXT: I am trying to set up Fluent Bit for logging activities in pods in a number of node groups included in a cluster. And so it requires that each node group have an IAM role assigned to it with all the required policies, so Fluent Bit's DaemonSet could record and save logs into log groups in CloudWatch. Here's the repo of the solution I am following.

WHAT HAVE I TRIED:

  1. Create individual node group roles and attach policies by passing inputs into the relevant variables of the module. Like so:

module "eks" {
  ...
  eks_managed_node_groups = {
    one = {
      create_iam_role          = true
      iam_role_name            = "fluent-bit-logger"
      iam_role_use_name_prefix = true
      iam_role_description     = "Fluent-bit-logging for node group 1"
      iam_role_tags = {
        Name = "fb-ng-2"
      }
    }
    two = {
      # (same config, with obvious naming changes)
    }
  }
  ...
}
The above step worked, but I am trying to set up Fluent Bit through Terraform's helm resource and, based on the solution I am following, I am required to input only one IAM node role, or that's what I make of it.

  2. Use the eks_managed_node_group_defaults attribute to create and assign, hopefully, the same IAM role to both node groups. This is how I did it:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.26.6"

  cluster_name    = local.cluster_name
  cluster_version = "1.21"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  eks_managed_node_group_defaults = {
    ami_type = "AL2_x86_64"

    attach_cluster_primary_security_group = true

    # Disabling and using externally provided security groups
    create_security_group = false

    # fluent-bit (IAM-policy-role)
    create_iam_role          = true
    iam_role_name            = "fluent-bit-logger"
    iam_role_use_name_prefix = false
    iam_role_description     = "Fluent-bit-logging - default for node groups"
    iam_role_tags = {
      Name = "fb-ng-default"
    }
  }

  # node groups "one" and "two" (the ones named in the error below) inherit the defaults above
  eks_managed_node_groups = {
    one = {}
    two = {}
  }
}

WHAT I EXPECT TO GET: A message of successful EKS cluster module execution (including the expected common node group role for both node groups within).

THE ERROR I GET

Error: failed creating IAM Role (fluent-bit-logger): EntityAlreadyExists: Role with name fluent-bit-logger already exists.
│   status code: 409, request id: fx11xxax-axex-4xxx-b749-09xx8x8xx17x
│ 
│   with module.eks-cluster.module.eks.module.eks_managed_node_group["two"].aws_iam_role.this[0],
│   on .terraform/modules/eks-cluster.eks/modules/eks-managed-node-group/main.tf line 431, in resource "aws_iam_role" "this":
│  431: resource "aws_iam_role" "this" {

CodePudding user response:

The error message states that you are attempting to create the same role twice, which would cause the AWS API to error. This is consistent with your config given the argument value:

create_iam_role = true

for two different EKS node groups. You would need to change the value to false, manage the role with e.g. aws_iam_role.fluent_bit_logger, and then (best practice) update accordingly:

# with create_iam_role = false the module takes the existing role's ARN (iam_role_name is only used when it creates the role itself)
iam_role_arn = aws_iam_role.fluent_bit_logger.arn

Otherwise, you could manage the role within the EKS module declaration by using the config you shared in the first part of the question.
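A complete version of what the answer describes, written here as an added example (it is not code from the question, the answer or the terraform-aws-modules project): the role is declared once outside the module, the node-group defaults turn off role creation and pass that role's ARN, and both node groups inherit it, so the module never tries to create `fluent-bit-logger` twice. The module version, node-group names `one`/`two` and the security-group settings are taken from the question; the policy list, the `/aws/containerinsights/<cluster>/*` log-group prefix and the instance types are assumptions.

```hcl
# Shared node role, managed outside the EKS module so it is created exactly once
# and then referenced (not re-created) by every managed node group.
resource "aws_iam_role" "fluent_bit_logger" {
  name        = "fluent-bit-logger"
  description = "Shared node role for Fluent Bit logging to CloudWatch"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Baseline managed policies every EKS worker node needs.
resource "aws_iam_role_policy_attachment" "node" {
  for_each = toset([
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
  ])
  role       = aws_iam_role.fluent_bit_logger.name
  policy_arn = each.value
}

# Only the CloudWatch Logs actions Fluent Bit's cloudwatch_logs output uses,
# scoped to an assumed log-group prefix rather than logs:* on "*".
data "aws_iam_policy_document" "fluent_bit_logs" {
  statement {
    sid = "FluentBitCloudWatchLogs"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:DescribeLogStreams",
      "logs:PutLogEvents",
      "logs:PutRetentionPolicy",
    ]
    # Assumed naming convention for this cluster's log groups; adjust to yours.
    resources = ["arn:aws:logs:*:*:log-group:/aws/containerinsights/${local.cluster_name}/*"]
  }
}

resource "aws_iam_role_policy" "fluent_bit_logs" {
  name   = "fluent-bit-cloudwatch-logs"
  role   = aws_iam_role.fluent_bit_logger.id
  policy = data.aws_iam_policy_document.fluent_bit_logs.json
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.26.6"

  cluster_name    = local.cluster_name
  cluster_version = "1.21"
  vpc_id          = module.vpc.vpc_id
  subnet_ids      = module.vpc.private_subnets

  eks_managed_node_group_defaults = {
    ami_type                              = "AL2_x86_64"
    attach_cluster_primary_security_group = true
    create_security_group                 = false

    # Do not let the module create a role per node group; hand every group the
    # existing role's ARN instead (iam_role_name only applies when
    # create_iam_role = true, which is what produced EntityAlreadyExists).
    create_iam_role = false
    iam_role_arn    = aws_iam_role.fluent_bit_logger.arn
  }

  # Both groups inherit the defaults above and therefore share one role.
  eks_managed_node_groups = {
    one = { instance_types = ["t3.medium"] } # assumed instance type
    two = { instance_types = ["t3.medium"] } # assumed instance type
  }

  # Node group creation is rejected if the role lacks the worker policies,
  # so make sure the attachments exist before the module runs.
  depends_on = [aws_iam_role_policy_attachment.node]
}
```

After `terraform apply`, confirm the two groups really point at one role: `aws eks list-nodegroups --cluster-name <cluster>` gives the generated group names, and `aws eks describe-nodegroup --cluster-name <cluster> --nodegroup-name <name> --query nodegroup.nodeRole` should return the same ARN for each. Keep in mind that every pod scheduled on these nodes can reach this role through the instance metadata service, which is why the log policy above is scoped to a prefix; if only the Fluent Bit DaemonSet should be able to write logs, IAM roles for service accounts on its service account is the tighter choice.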
