resource/aws_eks_node_group: Ensure testing and documentation includes necessary IAM Role permissions depends_on configuration (#11010)

Closes #10934
Reference: ENIs currently stuck in-use in main testing account us-west-2
Reference: #5904
Reference: #4426

Otherwise, EC2 ENIs managed by EKS can be left dangling on destroy. In the future, we can help reduce the need for explicit Terraform dependencies such as these via supporting the management of attached IAM Role policies directly in the aws_iam_role resource (e.g. #5904).

Output from acceptance testing:

```
--- PASS: TestAccAWSEksNodeGroup_Version (1449.66s)
--- PASS: TestAccAWSEksNodeGroup_AmiType (1462.03s)
--- PASS: TestAccAWSEksNodeGroup_DiskSize (1510.26s)
--- PASS: TestAccAWSEksNodeGroup_ReleaseVersion (1575.37s)
--- PASS: TestAccAWSEksNodeGroup_RemoteAccess_SourceSecurityGroupIds (1584.41s)
--- PASS: TestAccAWSEksNodeGroup_RemoteAccess_Ec2SshKey (1597.61s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_MinSize (1624.95s)
--- PASS: TestAccAWSEksNodeGroup_basic (1644.52s)
--- PASS: TestAccAWSEksNodeGroup_InstanceTypes (1646.77s)
--- PASS: TestAccAWSEksNodeGroup_disappears (1652.94s)
--- PASS: TestAccAWSEksNodeGroup_Labels (1655.54s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_DesiredSize (1702.82s)
--- PASS: TestAccAWSEksNodeGroup_ScalingConfig_MaxSize (1764.88s)
--- PASS: TestAccAWSEksNodeGroup_Tags (1768.71s)
```
bflad authored Nov 25, 2019
1 parent 4a4d5ef commit 5bdaac0
Showing 2 changed files with 80 additions and 0 deletions.
72 changes: 72 additions & 0 deletions aws/resource_aws_eks_node_group_test.go
Expand Up @@ -754,6 +754,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, amiType)
}
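Review bot: The `depends_on` entries added in this hunk are quoted strings (`"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy"`), while the documentation example changed in the same commit uses bare references. If the test suite does not need the quoted form for compatibility with an older Terraform syntax, switch to bare references here and in the other test configurations so tests and documentation agree; if the quoting is deliberate, a short comment in the test file saying why would save the next reader the question.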
Expand All @@ -772,6 +778,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, diskSize)
}
Expand All @@ -790,6 +802,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, instanceType1)
}
Expand All @@ -811,6 +829,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, labelKey1, labelValue1)
}
Expand All @@ -833,6 +857,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, labelKey1, labelValue1, labelKey2, labelValue2)
}
Expand All @@ -851,6 +881,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, releaseVersion)
}
Expand All @@ -877,6 +913,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName)
}
Expand Down Expand Up @@ -904,6 +946,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName)
}
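Review bot: The same three-entry `depends_on` block is pasted verbatim into this configuration and the one directly before it, both formatted with `rName` alone, and into every other configuration in the file. Consider holding the block in one shared Go string that each configuration splices in, so that a fourth required policy attachment has to be added in one place rather than in a dozen, where a missed copy would again leave ENIs dangling on destroy.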
Expand All @@ -921,6 +969,12 @@ resource "aws_eks_node_group" "test" {
max_size = %[3]d
min_size = %[4]d
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, desiredSize, maxSize, minSize)
}
Expand All @@ -942,6 +996,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, tagKey1, tagValue1)
}
Expand All @@ -964,6 +1024,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, tagKey1, tagValue1, tagKey2, tagValue2)
}
Expand All @@ -982,6 +1048,12 @@ resource "aws_eks_node_group" "test" {
max_size = 1
min_size = 1
}
depends_on = [
"aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy",
"aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy",
"aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly",
]
}
`, rName, version)
}
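Review bot: Configurations defined before line 754 of this file are not touched by any hunk, yet the acceptance output lists `TestAccAWSEksNodeGroup_basic` and `TestAccAWSEksNodeGroup_disappears`. Please confirm that the configuration those tests use already carries the same `depends_on` on the three policy attachments; if it does not, those two tests can still destroy the role permissions before the node group and strand ENIs in the test account.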
8 changes: 8 additions & 0 deletions website/docs/r/eks_node_group.html.markdown
Expand Up @@ -24,6 +24,14 @@ resource "aws_eks_node_group" "example" {
max_size = 1
min_size = 1
}
# Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
# Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
depends_on = [
aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy,
aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy,
aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly,
]
}
```
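Review bot: The three `aws_iam_role_policy_attachment.example-*` resources named in the new `depends_on` are not declared in the visible part of this example, which ends right after the node group block. A reader who copies the example as shown will hit an undeclared-resource error, or will delete the `depends_on` to get past it and lose the ordering guarantee the comment describes. Either add the role and its three attachments to this example or have the comment point to where on the page they are defined.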
