Remove of autoscaling IAM policy related stuff (#716)

* Disable management of autoscaling IAM policy by default * remove completely * update changelog notes * fix pre-commit stuff * misc updates * fmt * fix changelog * Removal of tags and update docs * Change after updating terraform-docs * Add second tag
2026-03-21 08:59:02 +01:00 · 2020-02-04 19:34:17 +01:00
parent 92b5c2ad3f
commit 626a393ab9
12 changed files with 87 additions and 155 deletions
--- a/docs/autoscaling.md
+++ b/docs/autoscaling.md
@@ -1,12 +1,72 @@
 # Autoscaling

-Autoscaling of worker nodes can be easily enabled by setting the `autoscaling_enabled` variable to `true` for a worker group in the `worker_groups` map.
-This will add the required tags to the autoscaling group for the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler).
-One should also set `protect_from_scale_in` to `true` for such worker groups, to ensure that cluster-autoscaler is solely responsible for scaling events.
+To enable worker node autoscaling you will need to do a few things:

-You will also need to install the cluster-autoscaler into your cluster. The easiest way to do this is with [helm](https://helm.sh/).
+- Add the [required tags](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws#auto-discovery-setup) to the worker group
+- Install the cluster-autoscaler
+- Give the cluster-autoscaler access via an IAM policy

-The [helm chart](https://github.com/helm/charts/tree/master/stable/cluster-autoscaler) for the cluster-autoscaler requires some specific settings to work in an EKS cluster. These settings are supplied via YAML values file when installing the helm chart. Here is an example values file:
+It's probably easiest to follow the example in [examples/irsa](../examples/irsa), this will install the cluster-autoscaler using [Helm](https://helm.sh/) and use IRSA to attach a policy.
+
+If you don't want to use IRSA then you will need to attach the IAM policy to the worker node IAM role or add AWS credentials to the cluster-autoscaler environment variables. Here is some example terraform code for the policy:
+
+```hcl
+resource "aws_iam_role_policy_attachment" "workers_autoscaling" {
+  policy_arn = aws_iam_policy.worker_autoscaling.arn
+  role       = module.my_cluster.worker_iam_role_name[0]
+}
+
+resource "aws_iam_policy" "worker_autoscaling" {
+  name_prefix = "eks-worker-autoscaling-${module.my_cluster.cluster_id}"
+  description = "EKS worker node autoscaling policy for cluster ${module.my_cluster.cluster_id}"
+  policy      = data.aws_iam_policy_document.worker_autoscaling.json
+  path        = var.iam_path
+}
+
+data "aws_iam_policy_document" "worker_autoscaling" {
+  statement {
+    sid    = "eksWorkerAutoscalingAll"
+    effect = "Allow"
+
+    actions = [
+      "autoscaling:DescribeAutoScalingGroups",
+      "autoscaling:DescribeAutoScalingInstances",
+      "autoscaling:DescribeLaunchConfigurations",
+      "autoscaling:DescribeTags",
+      "ec2:DescribeLaunchTemplateVersions",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "eksWorkerAutoscalingOwn"
+    effect = "Allow"
+
+    actions = [
+      "autoscaling:SetDesiredCapacity",
+      "autoscaling:TerminateInstanceInAutoScalingGroup",
+      "autoscaling:UpdateAutoScalingGroup",
+    ]
+
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.my_cluster.cluster_id}"
+      values   = ["owned"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
+      values   = ["true"]
+    }
+  }
+}
+```
+
+And example values for the [helm chart](https://github.com/helm/charts/tree/master/stable/cluster-autoscaler):

 ```yaml
 rbac:
@@ -26,10 +86,6 @@ To install the chart, simply run helm with the `--values` option:
 helm install stable/cluster-autoscaler --values=path/to/your/values-file.yaml
 ```

-`NOTE`
+## Notes

 There is a variable `asg_desired_capacity` given in the `local.tf` file, currently it can be used to change the desired worker(s) capacity in the autoscaling group but currently it is being ignored in terraform to reduce the [complexities](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/510#issuecomment-531700442) and the feature of scaling up and down the cluster nodes is being handled by the cluster autoscaler.
-
-## See More
-
-[Using AutoScalingGroup MixedInstancesPolicy](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#using-autoscalinggroup-mixedinstancespolicy)
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -56,7 +56,7 @@ The safest and easiest option is to set `asg_min_size` and `asg_max_size` to 0 o

 The module is configured to ignore this value. Unfortunately Terraform does not support variables within the `lifecycle` block.

-The setting is ignored to allow the cluster autoscaler to work correctly and so that terraform applys do not accidentally remove running workers.
+The setting is ignored to allow the cluster autoscaler to work correctly and so that terraform apply does not accidentally remove running workers.

 You can change the desired count via the CLI or console if you're not using the cluster autoscaler.

--- a/docs/spot-instances.md
+++ b/docs/spot-instances.md
@@ -32,7 +32,6 @@ Example worker group configuration that uses an ASG with launch configuration fo
      name                = "on-demand-1"
      instance_type       = "m4.xlarge"
      asg_max_size        = 1
-      autoscaling_enabled = true
      kubelet_extra_args  = "--node-labels=kubernetes.io/lifecycle=normal"
      suspended_processes = ["AZRebalance"]
    },
@@ -41,7 +40,6 @@ Example worker group configuration that uses an ASG with launch configuration fo
      spot_price          = "0.199"
      instance_type       = "c4.xlarge"
      asg_max_size        = 20
-      autoscaling_enabled = true
      kubelet_extra_args  = "--node-labels=kubernetes.io/lifecycle=spot"
      suspended_processes = ["AZRebalance"]
    },
@@ -50,7 +48,6 @@ Example worker group configuration that uses an ASG with launch configuration fo
      spot_price          = "0.20"
      instance_type       = "m4.xlarge"
      asg_max_size        = 20
-      autoscaling_enabled = true
      kubelet_extra_args  = "--node-labels=kubernetes.io/lifecycle=spot"
      suspended_processes = ["AZRebalance"]
    }
@@ -67,7 +64,6 @@ Launch Template support is a recent addition to both AWS and this module. It mig
      name                = "on-demand-1"
      instance_type       = "m4.xlarge"
      asg_max_size        = 10
-      autoscaling_enabled = true
      kubelet_extra_args  = "--node-labels=spot=false"
      suspended_processes = ["AZRebalance"]
    }