Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tf-modules/gcp/gke: ignore node_config changes #22

Closed
wants to merge 1 commit into from
Closed

tf-modules/gcp/gke: ignore node_config changes #22

wants to merge 1 commit into from

Conversation

darkowlzz
Copy link
Contributor

When using workload identity in GKE, an empty node_config.oauth_scopes is set at provision time. But after the provision, some default scopes are added to the cluster. Reapplying the same config tries to replace the existing scopes with empty scopes. This replacement requires the existing cluster to be deleted and recreated. To avoid cluster recreation between test runs, set a lifecycle rule to ignore any changes in node_config.

Encountered this while testing fluxcd/pkg#665 . Was observing the following when rerunning the tests:

  # module.gke.google_container_cluster.primary must be replaced
-/+ resource "google_container_cluster" "primary" {
      ...

          ~ oauth_scopes      = [ # forces replacement
              - "https://www.googleapis.com/auth/devstorage.read_only",
              - "https://www.googleapis.com/auth/logging.write",
              - "https://www.googleapis.com/auth/monitoring",
              - "https://www.googleapis.com/auth/service.management.readonly",
              - "https://www.googleapis.com/auth/servicecontrol",
              - "https://www.googleapis.com/auth/trace.append",
              + "https://www.googleapis.com/auth/cloud-platform",
            ]
      ...

@darkowlzz
tf-modules/gcp/gke: ignore node_config changes
1a04160 
When using workload identity, an empty node_config.oauth_scopes is set
at provision time. But after the provision, some default scopes are
added to the cluster. Reapplying the same config tries to replace the
existing scopes with empty scopes. This replacement requires the
existing cluster to be deleted and recreated. To avoid cluster
recreation between test runs, set a lifecycle rule to ignore any changes
in node_config.

Signed-off-by: Sunny <[email protected]>
@darkowlzz darkowlzz added the area/terraform Terraform related issues and pull requests label Oct 30, 2023
@darkowlzz darkowlzz mentioned this pull request Oct 30, 2023
Merged
@darkowlzz
Copy link
Contributor Author

After thinking more about the problem and going through the docs, the core issue can be avoided by using null instead of [] when there's a need to not pass any value. Refer fluxcd/pkg#665 (comment).
This change is no longer needed.

@darkowlzz darkowlzz closed this Oct 30, 2023
@darkowlzz darkowlzz deleted the gke-ignore-node-config branch October 30, 2023 19:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@somtochiama somtochiama Awaiting requested review from somtochiama

Assignees
No one assigned
Labels
area/terraform Terraform related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@darkowlzz