
terraform: update secret iam to depend on secrets #2847

Merged
merged 1 commit into from
Sep 29, 2021

Conversation

spiffxp
Member

@spiffxp spiffxp commented Sep 29, 2021

Related:

This is a subtle ordering bug that appears to only surface when new
secrets are created. The workaround was to just keep re-running
`terraform apply` until it worked.

The first time I ran `terraform apply` for k8s-infra-prow-build, there
were secrets to be created, and then iam bindings to be applied on those
secrets. But terraform didn't know about that ordering, because the
iam bindings depended on the same locals that the secrets did, so
terraform tried to create them all in parallel.

This resulted in terraform erroring out on first run, because it was
trying to create iam bindings on secrets that didn't yet exist. When I
reran `terraform apply` the secrets had been created, so the iam
bindings succeeded.

One way to let terraform know about an ordering like this is to have one
terraform resource use the value of another. Another way would be an
explicit `depends_on`, but that's described as a last resort, and we're
not out of options here.

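The ordering problem the PR describes, and the fix it chose (an implicit dependency through a resource attribute rather than `depends_on`), as an added illustration. This is not the code from this PR or from the kubernetes/k8s.io repository; the project name, secret names, service account and the `google_secret_manager_secret` / `google_secret_manager_secret_iam_member` resources are assumptions about what such a module looks like, written against the Google provider syntax of the time (newer provider versions spell the replication block `replication { auto {} }`):

```hcl
locals {
  # Constructed example values: the set of secrets a module creates and the
  # identity that should be allowed to read them.
  prow_secrets = toset(["example-secret-a", "example-secret-b"])
  project      = "example-project"
  reader       = "serviceAccount:prow-reader@example-project.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "secret" {
  for_each  = local.prow_secrets
  project   = local.project
  secret_id = each.key

  replication {
    automatic = true
  }
}

# BEFORE (the bug): the IAM member is derived from the same local as the
# secret. The dependency graph has no edge between the two resources, so
# terraform may apply the binding in parallel with, or before, secret
# creation, and the first apply fails with "secret not found".
resource "google_secret_manager_secret_iam_member" "reader_before" {
  for_each  = local.prow_secrets
  project   = local.project
  secret_id = each.key # a plain string from the local, not from the resource
  role      = "roles/secretmanager.secretAccessor"
  member    = local.reader
}

# AFTER (the fix): iterate over the secret resources and read project and
# secret_id from them. Referencing another resource's attributes is an
# implicit dependency, so terraform always creates the secret first and
# a fresh apply succeeds on the first run without an explicit depends_on.
resource "google_secret_manager_secret_iam_member" "reader" {
  for_each  = google_secret_manager_secret.secret
  project   = each.value.project
  secret_id = each.value.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = local.reader
}
```

Only one of the two `google_secret_manager_secret_iam_member` blocks belongs in a real module; both are shown side by side for contrast, and keeping both would make two resources manage the same role/member pair. A quick check that the fix took effect is `terraform graph`, where the fixed binding gains an edge to `google_secret_manager_secret.secret` that the original did not have; this also removes the "re-run apply until it works" loop, which matters because a half-applied run leaves secrets created but unreadable by the workloads that need them.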
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 29, 2021
@k8s-ci-robot k8s-ci-robot added area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters approved Indicates a PR has been approved by an approver from all required OWNERS files. area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Sep 29, 2021
@spiffxp
Member Author

spiffxp commented Sep 29, 2021

/cc @ameukam @rikatz

@spiffxp
Member Author

spiffxp commented Sep 29, 2021

/hold
to deploy when around

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 29, 2021
@ameukam
Member

ameukam commented Sep 29, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 29, 2021
Member

@cpanato cpanato left a comment


/lgtm

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cpanato, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@spiffxp
Member Author

spiffxp commented Sep 29, 2021

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 29, 2021
@k8s-ci-robot k8s-ci-robot merged commit 7406069 into kubernetes:main Sep 29, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Sep 29, 2021
@spiffxp spiffxp deleted the fixup-secret-deps branch September 29, 2021 13:05