I got a predicament, where I am trying to spin up our helm repositories with Terraform. The problem is that they are not getting deployed with the EKS Infrastructure. I have tried the depends_on method, as I am ingesting a module, but that doesn't work either. As a result, what am I doing wrong here?
Here is my main.tf
terraform {
required_version = ">= 1.1.5"
required_providers {
aws = ">= 4.12.0"
helm = {
source = "hashicorp/helm"
version = "2.9.0"
}
}
}
data "aws_eks_cluster_auth" "primary" {
name = module.primary.cluster_id
}
data "aws_eks_cluster" "primary" {
name = module.primary.cluster_id
}
terraform {
backend "s3" {
bucket = "impinj-canary-terraform"
key = "terraform-aws-eks-primary.tfstate"
region = "us-west-2"
encrypt = true
}
}
data "aws_iam_account_alias" "current" {}
data "terraform_remote_state" "route53" {
backend = "s3"
config = {
bucket = "impinj-canary-terraform"
key = "route53.tfstate"
region = "us-west-2"
}
}
data "terraform_remote_state" "s3" {
backend = "s3"
config = {
bucket = "impinj-canary-terraform"
key = "s3.tfstate"
region = "us-west-2"
}
}
data "terraform_remote_state" "subnets" {
backend = "s3"
config = {
bucket = "impinj-canary-terraform"
key = "vpc-shared.tfstate"
region = "us-west-2"
}
}
data "aws_vpc" "shared" {
filter {
name = "tag:Name"
values = ["shared"]
}
}
provider "aws" {
alias = "sec"
region = "us-west-2"
}
provider "kubernetes" {
host = data.aws_eks_cluster.primary.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.primary.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.primary.token
exec {
api_version = "client.authentication.k8s.io/v1alpha1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.primary.cluster_id]
}
}
provider "helm" {
kubernetes {
host = data.aws_eks_cluster.primary.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.primary.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.primary.token
exec {
api_version = "client.authentication.k8s.io/v1beta1"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.primary.cluster_id]
command = "aws"
}
}
}
##################################
# KUBERNETES CLUSTER #
##################################
module "primary" {
source = "../../"
cluster_version = "1.26"
# these must be set to 'true' on initial deployment and then set
# to false so that destroy works properly
create_cni_ipv6_iam_policy = var.create_cni_ipv6_iam_policy
iam_role_attach_cni_policy = var.iam_role_attach_cni_policy
vpc_id = data.aws_vpc.shared.id
subnet_ids = data.terraform_remote_state.subnets.outputs.private_subnets.*.id
instance_types = ["t2.xlarge"]
disk_size = 20
aws_auth_roles = local.aws_auth_roles
cert_manager_hosted_zone = data.terraform_remote_state.route53.outputs.account_zone_id
db_import_bucket_arn = data.terraform_remote_state.s3.outputs.impinjcanary_test_arn
external_dns_hosted_zone = data.terraform_remote_state.route53.outputs.account_zone_id
rf_probe_reporter_bucket_arn = data.terraform_remote_state.s3.outputs.impinjcanary_test_arn
}
###########################
# HELM CHARTS #
###########################
resource "helm_release" "prometheus" {
chart = "prometheus"
name = "prometheus"
repository = "https://prometheus-community.github.io/helm-charts"
namespace = "prometheus"
version = "22.5.0"
replace = true
cleanup_on_fail = true
depends_on = [module.primary]
set {
name = "podSecurityPolicy.enabled"
value = true
}
set {
name = "server.persistentVolume.enabled"
value = false
}
# You can provide a map of value using yamlencode. Don't forget to escape the last element after point in the name
set {
name = "server\\.resources"
value = yamlencode({
limits = {
cpu = "200m"
memory = "50Mi"
}
requests = {
cpu = "100m"
memory = "30Mi"
}
})
}
}
resource "helm_release" "falco_security" {
name = "falcosecurity"
repository = "https://falcosecurity.github.io/charts"
chart = "falcosecurity"
namespace = "falco"
version = "3.1.4"
replace = true
cleanup_on_fail = true
depends_on = [module.primary]
}
I think it has something to do with the provider configuration but I am not sure. Any help would be much appreciated.
Turns out it was the provider configuration, if you want to use the helm provider alongside EKS match it to your kubernetes provider block:
provider "kubernetes" {
host = module.primary.cluster_endpoint
cluster_ca_certificate = base64decode(module.primary.cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.primary.token
exec {
api_version = "client.authentication.k8s.io/v1beta1"
command = "aws"
args = ["eks", "get-token", "--cluster-name", module.primary.cluster_name]
}
}
provider "helm" {
kubernetes {
host = module.primary.cluster_endpoint
cluster_ca_certificate = base64decode(module.primary.cluster_certificate_authority_data)
exec {
api_version = "client.authentication.k8s.io/v1beta1"
args = ["eks", "get-token", "--cluster-name", module.primary.cluster_name]
command = "aws"
}
}
}
You need both to use both providers, then use depends_on to make it occur after your EKS Cluster is deployed.