Import MKS Cluster using Terraform

Prerequisite

This script assumes that you have already created the necessary IAM resources to create MKS related resources through Kosmos.

For more details refer:

TF script sample to import existing MKS cluster to Kosmos

Variables

Please note that this script IS NOT A MODULE TO BE IMPORTED; it is meant as a reference only. The variable descriptions below therefore explain how each variable is used within the script.

  1. mks_cluster_name: The MKS cluster name to be imported towards Kosmos
  2. fleet_name: Kosmos fleet where the MKS cluster will be imported towards
  3. mks_cluster_subnets: List of subnets where the actual MKS cluster resides in
  4. mks_service_role: Name of the service role to access MKS data (name not ARN!)
  5. mks_kosmos_operator_role_arn: ARN of Kosmos' operator role to access MKS data
  6. mks_region: Region where the MKS cluster to be imported resides

Introduction

This Terraform script imports an existing MKS cluster into a Kosmos fleet using the Kosmos provider. This is triggered by setting the value of kosmos_mksClusters.this.imported to True.

SPC mimics the EKS API for portability with AWS.

The user who runs this script must have the required permissions on SPC, since the script will create a new role for the Kosmos Operator in SPC to import and configure the MKS cluster into a Kosmos fleet.

Variables and Local

Name                             | Explanation                                                                                   | Type
---------------------------------|-----------------------------------------------------------------------------------------------|-------
kosmos_access_key (required)     | Kosmos access key                                                                             | String
spc_region (required)            | Region where the MKS cluster is deployed                                                      | String
imported_cluster_name (required) | Name of the MKS cluster                                                                       | String
oidc_provider_arn (required)     | ARN of the existing OIDC provider                                                             | String
fleet_name (required)            | Kosmos fleet where the MKS cluster will be imported into. For now, you must first create the fleet manually | String
kosmos_role_arn (optional)       | Existing Kosmos Service Role ARN; if empty, a new role and policy will be created automatically | String

Adding delay on the creation of kosmos_mksClusters resource

There is an issue with the AWS provider where the required resource (role_policy_attachment) is reported as created but is not yet effective, which results in a race condition when creating kosmos_mksClusters. The error thrown indicates that Kosmos is not authorized to assume the newly created role using AWS AssumeRoleWithWebIdentity. This issue occurs when importing an existing MKS cluster using kosmos_mksClusters while also creating a new role, policy, and role_policy_attachment in the same run.

To overcome this, a 5s delay was added between the creation of role_policy_attachment and kosmos_mksClusters.
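The pattern described above, shown as an added example rather than the script's own code: the hashicorp/time provider's time_sleep resource is chained between the role policy attachment and the kosmos_mksClusters resource so the import cannot start before the 5s pause ends. The Kosmos provider source, the kosmos_mksClusters argument names other than imported, and the attached policy ARN are assumptions; the trust policy carries no subject/audience condition because the page does not state the token claims Kosmos presents, and a production trust policy should add one.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    time   = { source = "hashicorp/time" }
    kosmos = { source = "example/kosmos" } # provider source address is an assumption
  }
}

variable "oidc_provider_arn"     { type = string }
variable "imported_cluster_name" { type = string }
variable "fleet_name"            { type = string }

# Trust policy: only a principal federated through the existing OIDC provider
# may assume this role via sts:AssumeRoleWithWebIdentity.
data "aws_iam_policy_document" "kosmos_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
  }
}

resource "aws_iam_role" "kosmos_operator" {
  name               = "kosmos-operator-${var.imported_cluster_name}"
  assume_role_policy = data.aws_iam_policy_document.kosmos_trust.json
}

resource "aws_iam_role_policy_attachment" "kosmos_operator" {
  role       = aws_iam_role.kosmos_operator.name
  policy_arn = "arn:aws:iam::123456789012:policy/PLACEHOLDER-mks-read" # placeholder ARN
}

# The 5s pause: it begins only after the attachment exists, and the cluster
# import below begins only after the pause has completed.
resource "time_sleep" "wait_for_attachment" {
  depends_on      = [aws_iam_role_policy_attachment.kosmos_operator]
  create_duration = "5s"
}

resource "kosmos_mksClusters" "this" {
  depends_on = [time_sleep.wait_for_attachment]
  imported   = true
  # Argument names below are assumptions; the page names only `imported`.
  name       = var.imported_cluster_name
  fleet_name = var.fleet_name
  role_arn   = aws_iam_role.kosmos_operator.arn
}
```

If the AssumeRoleWithWebIdentity error persists after the pause, treat it as a real trust-policy or OIDC configuration problem rather than lengthening the delay.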

How to run

  1. Run python scop2aws.py to generate temporary credentials using SCOP
  2. Run terraform init to initialize the working directory and download Terraform providers and modules
  3. Run terraform plan -var="kosmos_access_key=(kosmos_access_key)" to preview the changes to be made by Terraform and read thoroughly on resources to be created
  4. Run terraform apply -var="kosmos_access_key=(kosmos_access_key)" -var="oidc_provider_arn=(oidc_provider_arn)" -var="fleet_name=(fleet_name)" -var="imported_cluster_name=(imported_cluster_name)" -var="spc_region=(spc_region)" and type yes when prompted
  5. To destroy all the resources, run terraform destroy -var="kosmos_access_key=(kosmos_access_key)" -var="oidc_provider_arn=(oidc_provider_arn)" -var="fleet_name=(fleet_name)" -var="imported_cluster_name=(imported_cluster_name)" -var="spc_region=(spc_region)"

Download Resources

For complete examples and the latest updates, refer to:
