[Enhancement]: aws_eks_pod_identity_association: provide option to wait for in-effect #40852
Open
Description
Currently, it is impossible to create an application in a single tf stack (IAM role, service account, pod association, and deployment). The deployment will fail waiting to stabilize since the pod is created before the association is in place (assuming the cluster has spare room and schedules quickly).
Effectively what is being ignored terraform-aws-modules/terraform-aws-eks-pod-identity#8.
Without this, one must manually scale down the deployment and scale it back up to get a new pod and thus a new identity association check. Alternatively, resort to an inefficient time_sleep, which also reduces reliability.
Affected Resource(s) and/or Data Source(s)
aws_eks_pod_identity_association
Potential Terraform Configuration
resource "aws_eks_pod_identity_association" "application" {
  // whatever verbiage AWS would use, seems reasonable to make this
  // the default, but an option would be great
  wait_for_ready = true
}

resource "kubernetes_deployment_v1" "application" {
  // either
  template {
    spec {
      service_account_name = aws_eks_pod_identity_association.application.service_account_ready
    }
  }

  // or
  depends_on = [
    aws_eks_pod_identity_association.application,
  ]

  // or
  triggers = {
    "association_id" = aws_eks_pod_identity_association.application.association_id
  }
}
References
No response
Would you like to implement a fix?
None
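For reference, the time_sleep workaround the issue describes, written out as an added example (not part of the original issue and not the provider's own code). The resource names, the two variables, the placeholder image and the 30s delay are assumptions; the delay is a guess at how long the association takes to become effective, which is the reliability problem the issue raises.

```hcl
# Added example: names, variables and the delay value are assumptions.
variable "cluster_name" { type = string }
variable "role_arn" { type = string } # IAM role that trusts pods.eks.amazonaws.com

resource "kubernetes_service_account_v1" "application" {
  metadata {
    name      = "application"
    namespace = "default"
  }
}

resource "aws_eks_pod_identity_association" "application" {
  cluster_name    = var.cluster_name
  namespace       = kubernetes_service_account_v1.application.metadata[0].namespace
  service_account = kubernetes_service_account_v1.application.metadata[0].name
  role_arn        = var.role_arn
}

# Fixed pause between creating the association and creating the pods.
resource "time_sleep" "wait_for_association" {
  depends_on      = [aws_eks_pod_identity_association.application]
  create_duration = "30s" # arbitrary; too short and the pod still starts unassociated
  triggers = {
    # Re-run the pause whenever the association is replaced.
    association_id = aws_eks_pod_identity_association.application.association_id
  }
}

resource "kubernetes_deployment_v1" "application" {
  depends_on = [time_sleep.wait_for_association]
  metadata {
    name = "application"
  }
  spec {
    selector {
      match_labels = { app = "application" }
    }
    template {
      metadata {
        labels = { app = "application" }
      }
      spec {
        service_account_name = kubernetes_service_account_v1.application.metadata[0].name
        container {
          name  = "app"
          image = "example.invalid/application:latest" # placeholder image
        }
      }
    }
  }
}
```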