github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-05-02 05:14:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: Ensure the correct service CIDR and IP family is used in the rendered user data (#2963)

Browse Source 
* fix: Ensuring the correct service CIDR and IP family is used in the rendered user data

* chore: Updates from testing and validating

* chore: Fix example destroy instructions

* fix: Only require `cluster_service_cidr` when `create = true`

* chore: Clean up commented out code and add note on check length
This commit is contained in:
Bryant Biggs
2024-03-12 10:36:19 -04:00
committed by GitHub
parent 907f70cffd
commit aeb9f0c990
55 changed files with 384 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
modules/_user_data/README.md
View File

@@ -9,14 +9,16 @@ See [`examples/user_data/`](https://github.com/terraform-aws-modules/terraform-a
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | >= 2.0 |
| <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
## Modules
@@ -26,6 +28,7 @@ No modules.
| Name | Type |
|------|------|
| [null_resource.validate_cluster_service_cidr](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [cloudinit_config.al2023_eks_managed_node_group](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
| [cloudinit_config.linux_eks_managed_node_group](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
@@ -38,9 +41,10 @@ No modules.
| <a name="input_cloudinit_pre_nodeadm"></a> [cloudinit\_pre\_nodeadm](#input\_cloudinit\_pre\_nodeadm) | Array of cloud-init document parts that are created before the nodeadm document part | <pre>list(object({<br> content = string<br> content_type = optional(string)<br> filename = optional(string)<br> merge_type = optional(string)<br> }))</pre> | `[]` | no |
| <a name="input_cluster_auth_base64"></a> [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no |
| <a name="input_cluster_endpoint"></a> [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no |
| <a name="input_cluster_ip_family"></a> [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
| <a name="input_cluster_service_cidr"></a> [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no |
| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | [Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| <a name="input_create"></a> [create](#input\_create) | Determines whether to create user-data or not | `bool` | `true` | no |
| <a name="input_enable_bootstrap_user_data"></a> [enable\_bootstrap\_user\_data](#input\_enable\_bootstrap\_user\_data) | Determines whether the bootstrap configurations are populated within the user data template | `bool` | `false` | no |
| <a name="input_is_eks_managed_node_group"></a> [is\_eks\_managed\_node\_group](#input\_is\_eks\_managed\_node\_group) | Determines whether the user data is used on nodes in an EKS managed node group. Used to determine if user data will be appended or not | `bool` | `true` | no |

29
modules/_user_data/main.tf
View File

@@ -1,3 +1,17 @@
# The `cluster_service_cidr` is required when `create == true`
# This is a hacky way to make that logic work, otherwise Terraform always wants a value
# and supplying any old value like `""` or `null` is not valid and will silently
# fail to join nodes to the cluster
resource "null_resource" "validate_cluster_service_cidr" {
lifecycle {
precondition {
# The length 6 is currently arbitrary, but it's a safe bet that the CIDR will be longer than that
# The main point is that a value needs to be provided when `create = true`
condition = var.create ? length(local.cluster_service_cidr) > 6 : true
error_message = "`cluster_service_cidr` is required when `create = true`."
}
}
}
locals {
template_path = {
@@ -7,6 +21,8 @@ locals {
windows = "${path.module}/../../templates/windows_user_data.tpl"
}
cluster_service_cidr = try(coalesce(var.cluster_service_ipv4_cidr, var.cluster_service_cidr), "")
user_data = base64encode(templatefile(
coalesce(var.user_data_template_path, local.template_path[var.platform]),
{
@@ -18,14 +34,15 @@ locals {
cluster_endpoint = var.cluster_endpoint
cluster_auth_base64 = var.cluster_auth_base64
# Required by AL2023
cluster_service_cidr = var.cluster_service_cidr
cluster_service_cidr = local.cluster_service_cidr
cluster_ip_family = var.cluster_ip_family
# Bottlerocket
cluster_dns_ip = try(cidrhost(local.cluster_service_cidr, 10), "")
# Optional
cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr != null ? var.cluster_service_ipv4_cidr : ""
bootstrap_extra_args = var.bootstrap_extra_args
pre_bootstrap_user_data = var.pre_bootstrap_user_data
post_bootstrap_user_data = var.post_bootstrap_user_data
bootstrap_extra_args = var.bootstrap_extra_args
pre_bootstrap_user_data = var.pre_bootstrap_user_data
post_bootstrap_user_data = var.post_bootstrap_user_data
}
))

11
modules/_user_data/variables.tf
View File

@@ -40,16 +40,21 @@ variable "cluster_auth_base64" {
default = ""
}
# Currently only used by AL2023 since it can be IPv4 or IPv6
variable "cluster_service_cidr" {
description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
type = string
default = ""
}
# Not used by AL2023
variable "cluster_ip_family" {
description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
type = string
default = "ipv4"
}
# TODO - remove at next breaking change
variable "cluster_service_ipv4_cidr" {
description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
description = "[Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
type = string
default = null
}

6
modules/_user_data/versions.tf
View File

@@ -1,10 +1,14 @@
terraform {
required_version = ">= 1.3"
required_version = ">= 1.3.2"
required_providers {
cloudinit = {
source = "hashicorp/cloudinit"
version = ">= 2.0"
}
null = {
source = "hashicorp/null"
version = ">= 3.0"
}
}
}

2
modules/aws-auth/README.md
View File

@@ -44,7 +44,7 @@ module "eks" {
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.20 |
## Providers

2
modules/aws-auth/versions.tf
View File

@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.3"
required_version = ">= 1.3.2"
required_providers {
kubernetes = {

4
modules/eks-managed-node-group/README.md
View File

@@ -63,7 +63,7 @@ module "eks_managed_node_group" {
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
## Providers
@@ -114,7 +114,7 @@ module "eks_managed_node_group" {
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `null` | no |
| <a name="input_cluster_primary_security_group_id"></a> [cluster\_primary\_security\_group\_id](#input\_cluster\_primary\_security\_group\_id) | The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service | `string` | `null` | no |
| <a name="input_cluster_service_cidr"></a> [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no |
| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | [Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version. Defaults to EKS Cluster Kubernetes version | `string` | `null` | no |
| <a name="input_cpu_options"></a> [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | `map(string)` | `{}` | no |
| <a name="input_create"></a> [create](#input\_create) | Determines whether to create EKS managed node group or not | `bool` | `true` | no |

41
modules/eks-managed-node-group/main.tf
View File

@@ -11,12 +11,11 @@ module "user_data" {
create = var.create
platform = var.platform
cluster_name = var.cluster_name
cluster_endpoint = var.cluster_endpoint
cluster_auth_base64 = var.cluster_auth_base64
cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr
cluster_service_cidr = var.cluster_service_cidr
cluster_name = var.cluster_name
cluster_endpoint = var.cluster_endpoint
cluster_auth_base64 = var.cluster_auth_base64
cluster_ip_family = var.cluster_ip_family
cluster_service_cidr = try(coalesce(var.cluster_service_cidr, var.cluster_service_ipv4_cidr), "")
enable_bootstrap_user_data = var.enable_bootstrap_user_data
pre_bootstrap_user_data = var.pre_bootstrap_user_data
@@ -468,13 +467,21 @@ resource "aws_eks_node_group" "this" {
################################################################################
locals {
create_iam_role = var.create && var.create_iam_role
iam_role_name = coalesce(var.iam_role_name, "${var.name}-eks-node-group")
iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
ipv4_cni_policy = { for k, v in {
AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
} : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
ipv6_cni_policy = { for k, v in {
AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
} : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
}
data "aws_iam_policy_document" "assume_role_policy" {
count = var.create && var.create_iam_role ? 1 : 0
count = local.create_iam_role ? 1 : 0
statement {
sid = "EKSNodeAssumeRole"
@@ -488,7 +495,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
}
resource "aws_iam_role" "this" {
count = var.create && var.create_iam_role ? 1 : 0
count = local.create_iam_role ? 1 : 0
name = var.iam_role_use_name_prefix ? null : local.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -504,19 +511,21 @@ resource "aws_iam_role" "this" {
# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
resource "aws_iam_role_policy_attachment" "this" {
for_each = { for k, v in {
AmazonEKSWorkerNodePolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
AmazonEKS_CNI_IPv6_Policy = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" ? local.cni_policy : ""
AmazonEKS_CNI_Policy = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" ? local.cni_policy : ""
} : k => v if var.create && var.create_iam_role && v != "" }
for_each = { for k, v in merge(
{
AmazonEKSWorkerNodePolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
},
local.ipv4_cni_policy,
local.ipv6_cni_policy
) : k => v if local.create_iam_role }
policy_arn = each.value
role = aws_iam_role.this[0].name
}
resource "aws_iam_role_policy_attachment" "additional" {
for_each = { for k, v in var.iam_role_additional_policies : k => v if var.create && var.create_iam_role }
for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_role }
policy_arn = each.value
role = aws_iam_role.this[0].name

5
modules/eks-managed-node-group/variables.tf
View File

@@ -44,16 +44,15 @@ variable "cluster_auth_base64" {
default = ""
}
# Currently only used by AL2023 since it can be IPv4 or IPv6
variable "cluster_service_cidr" {
description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
type = string
default = ""
}
# Not used by AL2023
# TODO - remove at next breaking change
variable "cluster_service_ipv4_cidr" {
description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
description = "[Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
type = string
default = null
}

2
modules/eks-managed-node-group/versions.tf
View File

@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.3"
required_version = ">= 1.3.2"
required_providers {
aws = {

2
modules/fargate-profile/README.md
View File

@@ -28,7 +28,7 @@ module "fargate_profile" {
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
## Providers

27
modules/fargate-profile/main.tf
View File

@@ -2,9 +2,17 @@ data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
locals {
create_iam_role = var.create && var.create_iam_role
iam_role_name = coalesce(var.iam_role_name, var.name, "fargate-profile")
iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
ipv4_cni_policy = { for k, v in {
AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
} : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
ipv6_cni_policy = { for k, v in {
AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
} : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
}
################################################################################
@@ -12,7 +20,7 @@ locals {
################################################################################
data "aws_iam_policy_document" "assume_role_policy" {
count = var.create && var.create_iam_role ? 1 : 0
count = local.create_iam_role ? 1 : 0
statement {
effect = "Allow"
@@ -26,7 +34,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
}
resource "aws_iam_role" "this" {
count = var.create && var.create_iam_role ? 1 : 0
count = local.create_iam_role ? 1 : 0
name = var.iam_role_use_name_prefix ? null : local.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -41,17 +49,20 @@ resource "aws_iam_role" "this" {
}
resource "aws_iam_role_policy_attachment" "this" {
for_each = { for k, v in toset(compact([
"${local.iam_role_policy_prefix}/AmazonEKSFargatePodExecutionRolePolicy",
var.iam_role_attach_cni_policy ? local.cni_policy : "",
])) : k => v if var.create && var.create_iam_role }
for_each = { for k, v in merge(
{
AmazonEKSFargatePodExecutionRolePolicy = "${local.iam_role_policy_prefix}/AmazonEKSFargatePodExecutionRolePolicy"
},
local.ipv4_cni_policy,
local.ipv6_cni_policy
) : k => v if local.create_iam_role }
policy_arn = each.value
role = aws_iam_role.this[0].name
}
resource "aws_iam_role_policy_attachment" "additional" {
for_each = { for k, v in var.iam_role_additional_policies : k => v if var.create && var.create_iam_role }
for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_role }
policy_arn = each.value
role = aws_iam_role.this[0].name

15
modules/fargate-profile/migrations.tf Normal file
View File

@@ -0,0 +1,15 @@
################################################################################
# Migrations: v20.8 -> v20.9
################################################################################
# Node IAM role policy attachment
# Commercial partition only - `moved` does now allow multiple moves to same target
moved {
from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
to = aws_iam_role_policy_attachment.this["AmazonEKSFargatePodExecutionRolePolicy"]
}
moved {
from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"]
to = aws_iam_role_policy_attachment.this["AmazonEKS_CNI_Policy"]
}

2
modules/fargate-profile/versions.tf
View File

@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.3"
required_version = ">= 1.3.2"
required_providers {
aws = {

2
modules/karpenter/README.md
View File

@@ -84,7 +84,7 @@ module "karpenter" {
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
## Providers

22
modules/karpenter/main.tf
View File

@@ -530,7 +530,13 @@ locals {
node_iam_role_name = coalesce(var.node_iam_role_name, "Karpenter-${var.cluster_name}")
node_iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${local.partition}:iam::${local.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.node_iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
ipv4_cni_policy = { for k, v in {
AmazonEKS_CNI_Policy = "${local.node_iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
} : k => v if var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
ipv6_cni_policy = { for k, v in {
AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
} : k => v if var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
}
data "aws_iam_policy_document" "node_assume_role" {
@@ -565,12 +571,14 @@ resource "aws_iam_role" "node" {
# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
resource "aws_iam_role_policy_attachment" "node" {
for_each = { for k, v in {
AmazonEKSWorkerNodePolicy = "${local.node_iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
AmazonEC2ContainerRegistryReadOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
AmazonEKS_CNI_IPv6_Policy = var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" ? local.cni_policy : ""
AmazonEKS_CNI_Policy = var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" ? local.cni_policy : ""
} : k => v if local.create_node_iam_role && v != "" }
for_each = { for k, v in merge(
{
AmazonEKSWorkerNodePolicy = "${local.node_iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
AmazonEC2ContainerRegistryReadOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
},
local.ipv4_cni_policy,
local.ipv6_cni_policy
) : k => v if local.create_node_iam_role }
policy_arn = each.value
role = aws_iam_role.node[0].name

2
modules/karpenter/versions.tf
View File

@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.3"
required_version = ">= 1.3.2"
required_providers {
aws = {

2
modules/self-managed-node-group/README.md
View File

@@ -42,7 +42,7 @@ module "self_managed_node_group" {
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
## Providers

49
modules/self-managed-node-group/main.tf
View File

@@ -27,6 +27,7 @@ module "user_data" {
cluster_name = var.cluster_name
cluster_endpoint = var.cluster_endpoint
cluster_auth_base64 = var.cluster_auth_base64
cluster_ip_family = var.cluster_ip_family
cluster_service_cidr = var.cluster_service_cidr
enable_bootstrap_user_data = true
@@ -41,12 +42,14 @@ module "user_data" {
################################################################################
data "aws_ec2_instance_type" "this" {
count = var.create && var.enable_efa_support && local.instance_type_provided ? 1 : 0
count = local.enable_efa_support ? 1 : 0
instance_type = var.instance_type
}
locals {
enable_efa_support = var.create && var.enable_efa_support && local.instance_type_provided
instance_type_provided = var.instance_type != ""
num_network_cards = try(data.aws_ec2_instance_type.this[0].maximum_network_cards, 0)
@@ -60,7 +63,7 @@ locals {
}
]
network_interfaces = var.enable_efa_support && local.instance_type_provided ? local.efa_network_interfaces : var.network_interfaces
network_interfaces = local.enable_efa_support ? local.efa_network_interfaces : var.network_interfaces
}
################################################################################
@@ -71,7 +74,7 @@ locals {
launch_template_name = coalesce(var.launch_template_name, "${var.name}-node-group")
security_group_ids = compact(concat([var.cluster_primary_security_group_id], var.vpc_security_group_ids))
placement = var.create && var.enable_efa_support ? { group_name = aws_placement_group.this[0].name } : var.placement
placement = local.enable_efa_support ? { group_name = aws_placement_group.this[0].name } : var.placement
}
resource "aws_launch_template" "this" {
@@ -695,7 +698,7 @@ resource "aws_autoscaling_group" "this" {
target_group_arns = var.target_group_arns
termination_policies = var.termination_policies
vpc_zone_identifier = var.enable_efa_support ? data.aws_subnets.efa[0].ids : var.subnet_ids
vpc_zone_identifier = local.enable_efa_support ? data.aws_subnets.efa[0].ids : var.subnet_ids
wait_for_capacity_timeout = var.wait_for_capacity_timeout
wait_for_elb_capacity = var.wait_for_elb_capacity
@@ -734,13 +737,21 @@ resource "aws_autoscaling_group" "this" {
################################################################################
locals {
create_iam_instance_profile = var.create && var.create_iam_instance_profile
iam_role_name = coalesce(var.iam_role_name, "${var.name}-node-group")
iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
ipv4_cni_policy = { for k, v in {
AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
} : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
ipv6_cni_policy = { for k, v in {
AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
} : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
}
data "aws_iam_policy_document" "assume_role_policy" {
count = var.create && var.create_iam_instance_profile ? 1 : 0
count = local.create_iam_instance_profile ? 1 : 0
statement {
sid = "EKSNodeAssumeRole"
@@ -754,7 +765,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
}
resource "aws_iam_role" "this" {
count = var.create && var.create_iam_instance_profile ? 1 : 0
count = local.create_iam_instance_profile ? 1 : 0
name = var.iam_role_use_name_prefix ? null : local.iam_role_name
name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -770,26 +781,28 @@ resource "aws_iam_role" "this" {
# Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
resource "aws_iam_role_policy_attachment" "this" {
for_each = { for k, v in {
AmazonEKSWorkerNodePolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
AmazonEKS_CNI_IPv6_Policy = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" ? local.cni_policy : ""
AmazonEKS_CNI_Policy = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" ? local.cni_policy : ""
} : k => v if var.create && var.create_iam_instance_profile && v != "" }
for_each = { for k, v in merge(
{
AmazonEKSWorkerNodePolicy = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
},
local.ipv4_cni_policy,
local.ipv6_cni_policy
) : k => v if local.create_iam_instance_profile }
policy_arn = each.value
role = aws_iam_role.this[0].name
}
resource "aws_iam_role_policy_attachment" "additional" {
for_each = { for k, v in var.iam_role_additional_policies : k => v if var.create && var.create_iam_instance_profile }
for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_instance_profile }
policy_arn = each.value
role = aws_iam_role.this[0].name
}
resource "aws_iam_instance_profile" "this" {
count = var.create && var.create_iam_instance_profile ? 1 : 0
count = local.create_iam_instance_profile ? 1 : 0
role = aws_iam_role.this[0].name
@@ -809,7 +822,7 @@ resource "aws_iam_instance_profile" "this" {
################################################################################
resource "aws_placement_group" "this" {
count = var.create && var.enable_efa_support ? 1 : 0
count = local.enable_efa_support ? 1 : 0
name = "${var.cluster_name}-${var.name}"
strategy = "cluster"
@@ -828,7 +841,7 @@ resource "aws_placement_group" "this" {
# Find the availability zones supported by the instance type
data "aws_ec2_instance_type_offerings" "this" {
count = var.create && var.enable_efa_support ? 1 : 0
count = local.enable_efa_support ? 1 : 0
filter {
name = "instance-type"
@@ -841,7 +854,7 @@ data "aws_ec2_instance_type_offerings" "this" {
# Reverse the lookup to find one of the subnets provided based on the availability
# availability zone ID of the queried instance type (supported)
data "aws_subnets" "efa" {
count = var.create && var.enable_efa_support ? 1 : 0
count = local.enable_efa_support ? 1 : 0
filter {
name = "subnet-id"

13
modules/self-managed-node-group/variables.tf
View File

@@ -38,13 +38,18 @@ variable "cluster_auth_base64" {
default = ""
}
# Currently only used by AL2023 since it can be IPv4 or IPv6
variable "cluster_service_cidr" {
description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
type = string
default = ""
}
variable "cluster_ip_family" {
description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
type = string
default = "ipv4"
}
variable "pre_bootstrap_user_data" {
description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
type = string
@@ -546,12 +551,6 @@ variable "create_iam_instance_profile" {
default = true
}
variable "cluster_ip_family" {
description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
type = string
default = "ipv4"
}
variable "iam_instance_profile_arn" {
description = "Amazon Resource Name (ARN) of an existing IAM instance profile that provides permissions for the node group. Required if `create_iam_instance_profile` = `false`"
type = string

2
modules/self-managed-node-group/versions.tf
View File

@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.3"
required_version = ">= 1.3.2"
required_providers {
aws = {