feat: Add support for EKS Auto Mode and EKS Hybrid nodes (#3225)

* feat: Add support for EKS hybrid nodes * feat: Add support for EKS Auto Mode * chore: Update test directory names * chore: Clean up examples and tests * fix: Clean up and last minute changes for GA * chore: Formatting * chore: Bump min required version for new features * fix: Corrects from test/validation on existing clusters * feat: Add policy for custom tags on EKS Auto Mode, validate examples * chore: Expand on `CAM` acronym * chore: Update README to match examples
2026-04-26 02:28:24 +02:00 · 2024-12-04 09:24:21 -06:00
parent 6866b40bec
commit 3b974d33ad
62 changed files with 3896 additions and 441 deletions
--- a/examples/eks-hybrid-nodes/ami/amazon-eks-ubuntu.pkr.hcl
+++ b/examples/eks-hybrid-nodes/ami/amazon-eks-ubuntu.pkr.hcl
@@ -0,0 +1,320 @@
+locals {
+  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+
+  ami_name = "${var.ami_name_prefix}-${var.eks_version}-amd64-${local.timestamp}"
+
+  tags = {
+    SourceAMI    = "{{ .SourceAMI }}"
+    Name         = local.ami_name
+    Architecture = "amd64"
+  }
+}
+
+data "amazon-parameterstore" "this" {
+  name = "/aws/service/canonical/ubuntu/server-minimal/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id"
+  region = var.region
+}
+
+################################################################################
+# EBS Source
+################################################################################
+
+source "amazon-ebs" "this" {
+
+  # AMI Configuration
+  dynamic "ami_block_device_mappings" {
+    for_each = var.ami_block_device_mappings
+
+    content {
+      delete_on_termination = try(ami_block_device_mappings.value.delete_on_termination, true)
+      device_name           = try(ami_block_device_mappings.value.device_name, null)
+      encrypted             = try(ami_block_device_mappings.value.encrypted, null)
+      iops                  = try(ami_block_device_mappings.value.iops, null)
+      no_device             = try(ami_block_device_mappings.value.no_device, null)
+      snapshot_id           = try(ami_block_device_mappings.value.snapshot_id, null)
+      throughput            = try(ami_block_device_mappings.value.throughput, null)
+      virtual_name          = try(ami_block_device_mappings.value.virtual_name, null)
+      volume_size           = try(ami_block_device_mappings.value.volume_size, 4)
+      volume_type           = try(ami_block_device_mappings.value.volume_type, "gp3")
+      kms_key_id            = try(ami_block_device_mappings.value.kms_key_id, null)
+    }
+  }
+
+  ami_description         = var.ami_description
+  ami_groups              = var.ami_groups
+  ami_name                = local.ami_name
+  ami_org_arns            = var.ami_org_arns
+  ami_ou_arns             = var.ami_ou_arns
+  ami_regions             = var.ami_regions
+  ami_users               = var.ami_users
+  ami_virtualization_type = var.ami_virtualization_type
+  deprecate_at            = var.deprecate_at
+  ena_support             = var.ena_support
+  encrypt_boot            = var.encrypt_boot
+  force_deregister        = var.force_deregister
+  force_delete_snapshot   = var.force_delete_snapshot
+  imds_support            = var.imds_support
+  kms_key_id              = var.kms_key_id
+
+  dynamic "launch_block_device_mappings" {
+    for_each = length(var.launch_block_device_mappings) > 0 ? var.launch_block_device_mappings : var.ami_block_device_mappings
+
+    content {
+      delete_on_termination = try(launch_block_device_mappings.value.delete_on_termination, true)
+      device_name           = try(launch_block_device_mappings.value.device_name, null)
+      encrypted             = try(launch_block_device_mappings.value.encrypted, null)
+      iops                  = try(launch_block_device_mappings.value.iops, null)
+      no_device             = try(launch_block_device_mappings.value.no_device, null)
+      snapshot_id           = try(launch_block_device_mappings.value.snapshot_id, null)
+      throughput            = try(launch_block_device_mappings.value.throughput, null)
+      virtual_name          = try(launch_block_device_mappings.value.virtual_name, null)
+      volume_size           = try(launch_block_device_mappings.value.volume_size, 4)
+      volume_type           = try(launch_block_device_mappings.value.volume_type, "gp3")
+    }
+  }
+
+  region_kms_key_ids     = var.region_kms_key_ids
+  run_volume_tags        = var.run_volume_tags
+  skip_create_ami        = var.skip_create_ami
+  skip_region_validation = var.skip_region_validation
+  skip_save_build_region = var.skip_save_build_region
+  sriov_support          = var.sriov_support
+  snapshot_groups        = var.snapshot_groups
+  snapshot_tags          = var.snapshot_tags
+  snapshot_users         = var.snapshot_users
+  tags                   = merge(local.tags, var.tags)
+
+  # Access Configuration
+  access_key = var.access_key
+
+  dynamic "assume_role" {
+    for_each = length(var.assume_role) > 0 ? [var.assume_role] : []
+
+    content {
+      duration_seconds    = try(assume_role.value.duration_seconds, null)
+      external_id         = try(assume_role.value.external_id, null)
+      policy              = try(assume_role.value.policy, null)
+      policy_arns         = try(assume_role.value.policy_arns, null)
+      role_arn            = try(assume_role.value.role_arn, null)
+      session_name        = try(assume_role.value.session_name, null)
+      tag                 = try(assume_role.value.tag, null)
+      transitive_tag_keys = try(assume_role.value.transitive_tag_keys, null)
+    }
+  }
+
+  dynamic "aws_polling" {
+    for_each = length(var.aws_polling) > 0 ? [var.aws_polling] : []
+
+    content {
+      delay_seconds = try(aws_polling.value.delay_seconds, null)
+      max_attempts  = try(aws_polling.value.max_attempts, null)
+    }
+  }
+
+  custom_endpoint_ec2           = var.custom_endpoint_ec2
+  decode_authorization_messages = var.decode_authorization_messages
+  insecure_skip_tls_verify      = var.insecure_skip_tls_verify
+  max_retries                   = var.max_retries
+  mfa_code                      = var.mfa_code
+  profile                       = var.profile
+  region                        = var.region
+  secret_key                    = var.secret_key
+  shared_credentials_file       = var.shared_credentials_file
+  skip_credential_validation    = var.skip_credential_validation
+  skip_metadata_api_check       = var.skip_metadata_api_check
+  token                         = var.token
+
+  # Communicator
+  communicator                 = var.communicator
+  pause_before_connecting      = var.pause_before_connecting
+  ssh_agent_auth               = var.ssh_agent_auth
+  ssh_bastion_agent_auth       = var.ssh_bastion_agent_auth
+  ssh_bastion_certificate_file = var.ssh_bastion_certificate_file
+  ssh_bastion_host             = var.ssh_bastion_host
+  ssh_bastion_interactive      = var.ssh_bastion_interactive
+  ssh_bastion_password         = var.ssh_bastion_password
+  ssh_bastion_port             = var.ssh_bastion_port
+  ssh_bastion_private_key_file = var.ssh_bastion_private_key_file
+  ssh_bastion_username         = var.ssh_bastion_username
+  ssh_ciphers                  = var.ssh_ciphers
+  ssh_certificate_file         = var.ssh_certificate_file
+  ssh_clear_authorized_keys    = var.ssh_clear_authorized_keys
+  ssh_disable_agent_forwarding = var.ssh_disable_agent_forwarding
+  ssh_file_transfer_method     = var.ssh_file_transfer_method
+  ssh_handshake_attempts       = var.ssh_handshake_attempts
+  ssh_host                     = var.ssh_host
+  ssh_interface                = var.ssh_interface # "public_dns"
+  ssh_keep_alive_interval      = var.ssh_keep_alive_interval
+  ssh_key_exchange_algorithms  = var.ssh_key_exchange_algorithms
+  ssh_keypair_name             = var.ssh_keypair_name
+  ssh_local_tunnels            = var.ssh_local_tunnels
+  ssh_password                 = var.ssh_password
+  ssh_port                     = var.ssh_port
+  ssh_private_key_file         = var.ssh_private_key_file
+  ssh_proxy_host               = var.ssh_proxy_host
+  ssh_proxy_password           = var.ssh_proxy_password
+  ssh_proxy_port               = var.ssh_proxy_port
+  ssh_proxy_username           = var.ssh_proxy_username
+  ssh_pty                      = var.ssh_pty
+  ssh_read_write_timeout       = var.ssh_read_write_timeout
+  ssh_remote_tunnels           = var.ssh_remote_tunnels
+  ssh_timeout                  = var.ssh_timeout
+  ssh_username                 = var.ssh_username
+  temporary_key_pair_bits      = var.temporary_key_pair_bits
+  temporary_key_pair_type      = var.temporary_key_pair_type
+
+  # Run Configuration
+  associate_public_ip_address     = var.associate_public_ip_address
+  capacity_reservation_preference = var.capacity_reservation_preference
+  capacity_reservation_group_arn  = var.capacity_reservation_group_arn
+  capacity_reservation_id         = var.capacity_reservation_id
+  disable_stop_instance           = var.disable_stop_instance
+  ebs_optimized                   = var.ebs_optimized
+  enable_nitro_enclave            = var.enable_nitro_enclave
+  enable_unlimited_credits        = var.enable_unlimited_credits
+  iam_instance_profile            = var.iam_instance_profile
+  instance_type                   = var.instance_type
+  fleet_tags                      = var.fleet_tags
+  pause_before_ssm                = var.pause_before_ssm
+
+  dynamic "placement" {
+    for_each = length(var.placement) > 0 ? [var.placement] : []
+
+    content {
+      host_resource_group_arn = try(placement.value.host_resource_group_arn, null)
+      tenancy                 = try(placement.value.tenancy, null)
+    }
+  }
+
+  run_tags           = merge(local.tags, var.run_tags)
+  security_group_ids = var.security_group_ids
+
+  dynamic "security_group_filter" {
+    for_each = length(var.security_group_filter) > 0 ? var.security_group_filter : []
+
+    content {
+      filters = try(security_group_filter.value.filters, null)
+    }
+  }
+
+  session_manager_port    = var.session_manager_port
+  shutdown_behavior       = var.shutdown_behavior
+  skip_profile_validation = var.skip_profile_validation
+  source_ami              = data.amazon-parameterstore.this.value
+
+  dynamic "subnet_filter" {
+    for_each = length(var.subnet_filter) > 0 ? [var.subnet_filter] : []
+
+    content {
+      filters   = try(subnet_filter.value.filters, null)
+      most_free = try(subnet_filter.value.most_free, null)
+      random    = try(subnet_filter.value.random, null)
+    }
+  }
+
+  subnet_id = var.subnet_id
+
+  dynamic "temporary_iam_instance_profile_policy_document" {
+    for_each = length(var.temporary_iam_instance_profile_policy_document) > 0 ? [var.temporary_iam_instance_profile_policy_document] : []
+
+    content {
+      dynamic "Statement" {
+        for_each = temporary_iam_instance_profile_policy_document.value
+
+        content {
+          Action   = try(Statement.value.Action, [])
+          Effect   = try(Statement.value.Effect, "Allow")
+          Resource = try(Statement.value.Resource, ["*"])
+        }
+      }
+      Version = "2012-10-17"
+    }
+  }
+
+  temporary_security_group_source_cidrs     = var.temporary_security_group_source_cidrs
+  temporary_security_group_source_public_ip = var.temporary_security_group_source_public_ip
+  user_data                                 = var.user_data
+  user_data_file                            = var.user_data_file
+
+  dynamic "vpc_filter" {
+    for_each = length(var.vpc_filter) > 0 ? var.vpc_filter : []
+
+    content {
+      filters = try(vpc_filter.value.filters, null)
+    }
+  }
+
+  vpc_id = var.vpc_id
+
+  dynamic "metadata_options" {
+    for_each = length(var.metadata_options) > 0 ? [var.metadata_options] : []
+
+    content {
+      http_endpoint               = try(metadata_options.value.http_endpoint, null)
+      http_put_response_hop_limit = try(metadata_options.value.http_put_response_hop_limit, null)
+      http_tokens                 = try(metadata_options.value.http_tokens, null)
+      instance_metadata_tags      = try(metadata_options.value.instance_metadata_tags, null)
+    }
+  }
+}
+
+################################################################################
+# Build
+################################################################################
+
+build {
+  sources = ["source.amazon-ebs.this"]
+
+  provisioner "shell" {
+    execute_command = "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
+
+    env = {
+      DEBIAN_FRONTEND = "noninteractive"
+    }
+
+    expect_disconnect = true
+
+    inline = [
+      "cloud-init status --wait",
+      "apt update",
+      "apt upgrade -y",
+      "apt install iptables conntrack -y",
+      "systemctl reboot",
+    ]
+
+    pause_after = "15s"
+  }
+
+  provisioner "shell" {
+    execute_command = "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
+
+    env = {
+      DEBIAN_FRONTEND = "noninteractive"
+    }
+
+    inline = [
+
+      "snap install aws-cli --classic",
+      "snap switch --channel=candidate amazon-ssm-agent",
+      "curl -OL 'https://hybrid-assets.eks.amazonaws.com/releases/latest/bin/linux/amd64/nodeadm'",
+      "mv nodeadm /usr/bin/nodeadm",
+      "chmod +x /usr/bin/nodeadm",
+      "nodeadm install ${var.eks_version} --credential-provider ${var.credential_provider}",
+    ]
+  }
+
+  provisioner "shell" {
+    execute_command = "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
+
+    env = {
+      DEBIAN_FRONTEND = "noninteractive"
+    }
+
+    inline = [
+      "apt --purge autoremove -y",
+      "cloud-init clean --logs --machine-id",
+      "mkdir -p /etc/amazon/ssm",
+      "cp $(find / -name '*seelog.xml.template') /etc/amazon/ssm/seelog.xml",
+    ]
+  }
+}