Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

alicloud_cs_kubernetes_permissions #6719

Open
gerbil opened this issue Nov 28, 2023 · 0 comments
Open

alicloud_cs_kubernetes_permissions #6719

gerbil opened this issue Nov 28, 2023 · 0 comments

Comments

@gerbil
Copy link

gerbil commented Nov 28, 2023
edited

Terraform Version

1.6.2

Affected Resource(s)

alicloud_cs_kubernetes_permissions

Terraform Configuration Files

resource "alicloud_cs_kubernetes_permissions" "admin" {
  uid      = "386123810581389766"
  permissions {
    cluster          = "c7a3e6bcf0ab442d0b704cfba16fd81d3"
    role_type      = "cluster"
    role_name    = "admin"
    is_custom     = false
    is_ram_role   = true
  } 
}

Expected Behavior

ClusterRoleBinding should be created/updated for a specific cluster ("c7a3e6bcf0ab442d0b704cfba16fd81d3"), but in reality using provider version 1.211+ EVERY CS cluster will receive this update resulting in wrong cluster id in the binding (except "c7a3e6bcf0ab442d0b704cfba16fd81d3" cluster of course).

Actual Behavior

After cluster "ce58abd0cf36e4dd7885fd878403cd68d" got updated permissions, "c7a3e6bcf0ab442d0b704cfba16fd81d3" cluster got "ce58abd0cf36e4dd7885fd878403cd68d" as admin clusterrolebinding cluster parameter.
This is a plan for "c7a3e6bcf0ab442d0b704cfba16fd81d3" that will brake "ce58abd0cf36e4dd7885fd878403cd68d" located in the same account and region.

module.ali_k8s[0].module.rbac.alicloud_cs_kubernetes_permissions.admin["RAM-AliCloudAdmin"] will be updated in-place
~ resource "alicloud_cs_kubernetes_permissions" "admin" {
id = "386123810581389766"
# (1 unchanged attribute hidden)

  - permissions {
      - cluster     = "ce58abd0cf36e4dd7885fd878403cd68d" -> null
      - is_custom   = false -> null
      - is_ram_role = true -> null
      - role_name   = "admin" -> null
      - role_type   = "cluster" -> null
    }
  + permissions {
      + cluster     = "c7a3e6bcf0ab442d0b704cfba16fd81d3"
      + is_custom   = false
      + is_ram_role = true
      + role_name   = "admin"
      + role_type   = "cluster"
    }
}

Steps to Reproduce

  1. Create two CS manager clusters in one region
  2. Update alicloud_cs_kubernetes_permissions for one of the clusters for specific RAM role id (any role you like)
  3. Try the same on second cluster
  4. Check the first cluster rbac - rolebinging will be broken (not sure exactly what's wrong, maybe they will be just deleted)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gerbil