Fix idempotency with node group remote_access block (#625)

* add kubernetes provider configuration for managed_node_groups example * use dynamic block for remote_access * update changelog
2026-01-17 09:07:20 +01:00 · 2019-12-11 11:50:09 -05:00
parent 7824e8b263
commit 11d8ee8631
3 changed files with 30 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 - Fix deprecated interpolation-only expression (by @angelabad)
 - Updated required version of AWS Provider to >= v2.38.0 for Managed Node Groups (by @wmorgan6796)
 - Updated minimum version of Terraform to avoid a bug (by @dpiddockcmp)
+- Fix idempotency issues for node groups with no remote_access configuration (by @jeffmhastings)

 #### Important notes

--- a/examples/managed_node_groups/main.tf
+++ b/examples/managed_node_groups/main.tf
@@ -23,6 +23,22 @@ provider "template" {
  version = "~> 2.1"
 }

+data "aws_eks_cluster" "cluster" {
+  name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+  name = module.eks.cluster_id
+}
+
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+  load_config_file       = false
+  version                = "~> 1.10"
+}
+
 data "aws_availability_zones" "available" {
 }

--- a/node_groups.tf
+++ b/node_groups.tf
@@ -87,10 +87,19 @@ resource "aws_eks_node_group" "workers" {
  labels          = lookup(each.value, "node_group_k8s_labels", null)
  release_version = lookup(each.value, "ami_release_version", null)

-  # This sometimes breaks idempotency as described in https://github.com/terraform-providers/terraform-provider-aws/issues/11063
-  remote_access {
-    ec2_ssh_key               = lookup(each.value, "key_name", "") != "" ? each.value["key_name"] : null
-    source_security_group_ids = lookup(each.value, "key_name", "") != "" ? lookup(each.value, "source_security_group_ids", []) : null
+  dynamic "remote_access" {
+    for_each = [
+      for node_group in [each.value] : {
+        ec2_ssh_key               = node_group["key_name"]
+        source_security_group_ids = lookup(node_group, "source_security_group_ids", [])
+      }
+      if lookup(node_group, "key_name", "") != ""
+    ]
+
+    content {
+      ec2_ssh_key               = remote_access.value["ec2_ssh_key"]
+      source_security_group_ids = remote_access.value["source_security_group_ids"]
+    }
  }

  version = aws_eks_cluster.this[0].version