From 36116995189c95574b69370692d912b3078f5f4f Mon Sep 17 00:00:00 2001
From: Rom Gaigi
Date: Sun, 6 Feb 2022 14:28:23 +0100
Subject: [PATCH 1/5] add the option to enable Instance Metadata Service Version 2 in worker groups

---
 modules/worker_groups/locals.tf | 4 ++++
 modules/worker_groups/worker_groups.tf | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/modules/worker_groups/locals.tf b/modules/worker_groups/locals.tf
index 4a75a51..0903005 100644
--- a/modules/worker_groups/locals.tf
+++ b/modules/worker_groups/locals.tf
@@ -73,6 +73,10 @@ locals {
 spot_allocation_strategy = "lowest-price" # Valid options are 'lowest-price' and 'capacity-optimized'. If 'lowest-price', the Auto Scaling group launches instances using the Spot pools with the lowest price, and evenly allocates your instances across the number of Spot pools. If 'capacity-optimized', the Auto Scaling group launches instances using Spot pools that are optimally chosen based on the available Spot capacity.
 spot_instance_pools = 10 # "Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify."
 spot_max_price = "" # Maximum price per unit hour that the user is willing to pay for the Spot instances. Default is the on-demand price
+ http_endpoint = "disabled" # Whether the metadata service is available
+ http_tokens = "optional" # Whether or not the metadata service requires session tokens
+ http_put_response_hop_limit = 1 # The desired HTTP PUT response hop limit for instance metadata requests
+ instance_metadata_tags = "disabled" # Enables or disables access to instance tags from the instance metadata service
 }

 # Merge defaults and per-group values to make code cleaner
diff --git a/modules/worker_groups/worker_groups.tf b/modules/worker_groups/worker_groups.tf
index 2ac2383..539164a 100644
--- a/modules/worker_groups/worker_groups.tf
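Review bot: The new `http_endpoint = "disabled"` default switches the instance metadata service off for every worker group that does not override it, whereas before this patch the launch template carried no metadata_options and inherited the AWS default of an enabled endpoint; node bootstrap and the node role's credentials are normally obtained from IMDS, so this reads as a behavioural regression rather than the opt-in the subject describes. Since the stated intent is IMDSv2, the defaults should keep the endpoint on and enforce tokens instead: `http_endpoint = "enabled"` and `http_tokens = "required"` — `"optional"` still answers token-less IMDSv1 requests, which is precisely what IMDSv2 enforcement is meant to remove. The `http_put_response_hop_limit` comment should also say that with a limit of 1 and tokens required, containers reached through the node's network namespace typically cannot obtain a token, so workloads must use IRSA rather than the node role; that is good credential isolation, but it must be a documented choice rather than a surprise. The `locals` block these defaults belong to starts outside the hunk.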
+++ b/modules/worker_groups/worker_groups.tf
@@ -206,6 +206,12 @@ resource "aws_launch_template" "worker_groups" {
 }
 }

+ metadata_options {
+ http_endpoint = each.value["http_endpoint"]
+ http_tokens = each.value["http_tokens"]
+ http_put_response_hop_limit = each.value["http_put_response_hop_limit"]
+ instance_metadata_tags = each.value["instance_metadata_tags"]
+ }

 tags = var.tags

 lifecycle {

From 472e3afd9bfa54c0b13464e7720098c79bd46b35 Mon Sep 17 00:00:00 2001
From: Rom Gaigi
Date: Tue, 10 May 2022 23:01:44 +0200
Subject: [PATCH 2/5] change list to tolist in the needed modules

---
 modules/control_plane/outputs.tf | 10 +++++-----
 modules/worker_groups/worker_groups.tf | 6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/modules/control_plane/outputs.tf b/modules/control_plane/outputs.tf
index caa30cc..a4ec6f9 100644
--- a/modules/control_plane/outputs.tf
+++ b/modules/control_plane/outputs.tf
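Review bot: `instance_metadata_tags` is a comparatively recent `metadata_options` argument in the AWS provider, and the module's `required_providers` constraint is not in this diff; check that the minimum version it allows accepts the argument, otherwise `terraform validate` fails with an unsupported-argument error for every worker group, not only those that set it, because the block is emitted unconditionally. If the minimum cannot be raised, the argument can be omitted (leaving the AWS default) while the other three stay. The `aws_launch_template` resource this block sits in starts and ends outside the hunk.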
@@ -1,26 +1,26 @@
 output "cluster_id" {
 description = "The name/id of the EKS cluster."
- value = element(concat(aws_eks_cluster.this.*.id, list("")), 0)
+ value = element(concat(aws_eks_cluster.this.*.id, tolist("")), 0)
 }

 output "cluster_arn" {
 description = "The Amazon Resource Name (ARN) of the cluster."
- value = element(concat(aws_eks_cluster.this.*.arn, list("")), 0)
+ value = element(concat(aws_eks_cluster.this.*.arn, tolist("")), 0)
 }

 output "cluster_certificate_authority_data" {
 description = "Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster."
- value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, list("")), 0)
+ value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, tolist("")), 0)
 }

 output "cluster_endpoint" {
 description = "The endpoint for your EKS Kubernetes API."
- value = element(concat(aws_eks_cluster.this.*.endpoint, list("")), 0)
+ value = element(concat(aws_eks_cluster.this.*.endpoint, tolist("")), 0)
 }

 output "cluster_version" {
 description = "The Kubernetes server version for the EKS cluster."
- value = element(concat(aws_eks_cluster.this[*].version, list("")), 0)
+ value = element(concat(aws_eks_cluster.this[*].version, tolist("")), 0)
 }

 output "cluster_security_group_id" {
diff --git a/modules/worker_groups/worker_groups.tf b/modules/worker_groups/worker_groups.tf
index 539164a..9bd4a34 100644
--- a/modules/worker_groups/worker_groups.tf
+++ b/modules/worker_groups/worker_groups.tf
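Review bot: `tolist("")` is not a drop-in replacement for `list("")` on these five `value` lines: `tolist` accepts only a list, set or tuple, so a string argument fails at plan time with a type-conversion error, and every output in this hunk becomes an error instead of an empty-string fallback; the literal `[""]` is the direct equivalent of the removed `list("")`. Patches 3 and 4 of this series rewrite these same lines twice more, so squashing patches 2 through 4 into one "replace removed list() with list literals" commit would leave a history in which no commit fails `terraform validate`.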
@@ -32,7 +32,7 @@ resource "aws_autoscaling_group" "worker_groups" {
 dynamic "mixed_instances_policy" {
 iterator = item
- for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? list(each.value) : []
+ for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? tolist(each.value) : []
 content {
 instances_distribution {
@@ -66,7 +66,7 @@ resource "aws_autoscaling_group" "worker_groups" {
 dynamic "launch_template" {
 iterator = item
- for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? [] : list(each.value)
+ for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? [] : tolist(each.value)
 content {
 id = aws_launch_template.worker_groups[each.key].id
@@ -171,7 +171,7 @@ resource "aws_launch_template" "worker_groups" {
 }

 dynamic "instance_market_options" {
- for_each = lookup(each.value, "market_type", null) == null ? [] : list(lookup(each.value, "market_type", null))
+ for_each = lookup(each.value, "market_type", null) == null ? [] : tolist(lookup(each.value, "market_type", null))
 content {
 market_type = instance_market_options.value
 }

From 51b3bfbbfb24ed8f4cdeb5ecc841c294224aaabb Mon Sep 17 00:00:00 2001
From: Rom Gaigi
Date: Wed, 11 May 2022 08:20:14 +0200
Subject: [PATCH 3/5] change list to tolist in the needed modules

---
 modules/control_plane/outputs.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/control_plane/outputs.tf b/modules/control_plane/outputs.tf
index a4ec6f9..ac9b40c 100644
--- a/modules/control_plane/outputs.tf
+++ b/modules/control_plane/outputs.tf
@@ -1,26 +1,26 @@
 output "cluster_id" {
 description = "The name/id of the EKS cluster."
- value = element(concat(aws_eks_cluster.this.*.id, tolist("")), 0)
+ value = element(concat(aws_eks_cluster.this.*.id, [""]), 0)
 }

 output "cluster_arn" {
 description = "The Amazon Resource Name (ARN) of the cluster."
- value = element(concat(aws_eks_cluster.this.*.arn, tolist("")), 0)
+ value = element(concat(aws_eks_cluster.this.*.arn, [""]), 0)
 }

 output "cluster_certificate_authority_data" {
 description = "Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster."
- value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, tolist("")), 0)
+ value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, [""]), 0)
 }

 output "cluster_endpoint" {
 description = "The endpoint for your EKS Kubernetes API."
- value = element(concat(aws_eks_cluster.this.*.endpoint, tolist("")), 0)
+ value = element(concat(aws_eks_cluster.this.*.endpoint, [""]), 0)
 }

 output "cluster_version" {
 description = "The Kubernetes server version for the EKS cluster."
- value = element(concat(aws_eks_cluster.this[*].version, tolist("")), 0)
+ value = element(concat(aws_eks_cluster.this[*].version, [""]), 0)
 }

 output "cluster_security_group_id" {

From 8f666349b4c192feb3e574eb507e6f436925e6ee Mon Sep 17 00:00:00 2001
From: Rom Gaigi
Date: Wed, 11 May 2022 09:07:27 +0200
Subject: [PATCH 4/5] change list to tolist in the needed modules

---
 modules/control_plane/outputs.tf | 18 +++++++++---------
 modules/worker_groups/worker_groups.tf | 6 +++---
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/modules/control_plane/outputs.tf b/modules/control_plane/outputs.tf
index ac9b40c..644b3ca 100644
--- a/modules/control_plane/outputs.tf
+++ b/modules/control_plane/outputs.tf
@@ -1,26 +1,26 @@
 output "cluster_id" {
 description = "The name/id of the EKS cluster."
- value = element(concat(aws_eks_cluster.this.*.id, [""]), 0)
+ value = element(concat(aws_eks_cluster.this.*.id, tolist([""])), 0)
 }

 output "cluster_arn" {
 description = "The Amazon Resource Name (ARN) of the cluster."
- value = element(concat(aws_eks_cluster.this.*.arn, [""]), 0)
+ value = element(concat(aws_eks_cluster.this.*.arn, tolist([""])), 0)
 }

 output "cluster_certificate_authority_data" {
 description = "Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster."
- value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, [""]), 0)
+ value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, tolist([""])), 0)
 }

 output "cluster_endpoint" {
 description = "The endpoint for your EKS Kubernetes API."
- value = element(concat(aws_eks_cluster.this.*.endpoint, [""]), 0)
+ value = element(concat(aws_eks_cluster.this.*.endpoint, tolist([""])), 0)
 }

 output "cluster_version" {
 description = "The Kubernetes server version for the EKS cluster."
- value = element(concat(aws_eks_cluster.this[*].version, [""]), 0)
+ value = element(concat(aws_eks_cluster.this[*].version, tolist([""])), 0)
 }

 output "cluster_security_group_id" {
@@ -35,7 +35,7 @@ output "cluster_iam_role_arn" {

 output "cluster_oidc_issuer_url" {
 description = "The URL on the EKS cluster OIDC Issuer"
- value = var.enable_irsa ? flatten(concat(aws_eks_cluster.this[*].identity[*].oidc.0.issuer, [""]))[0] : null
+ value = var.enable_irsa ? flatten(concat(aws_eks_cluster.this[*].identity[*].oidc.0.issuer, tolist([""])))[0] : null
 }

 output "cloudwatch_log_group_name" {
@@ -45,15 +45,15 @@ output "cloudwatch_log_group_name" {

 output "kubeconfig" {
 description = "kubectl config file contents for this EKS cluster."
- value = concat(data.template_file.kubeconfig[*].rendered, [""])[0]
+ value = concat(data.template_file.kubeconfig[*].rendered, tolist([""]))[0]
 }

 output "kubeconfig_filename" {
 description = "The filename of the generated kubectl config."
- value = concat(local_file.kubeconfig.*.filename, [""])[0]
+ value = concat(local_file.kubeconfig.*.filename, tolist([""]))[0]
 }

 output "oidc_provider_arn" {
 description = "The ARN of the OIDC Provider if `enable_irsa = true`."
- value = var.enable_irsa ? concat(aws_iam_openid_connect_provider.oidc_provider[*].arn, [""])[0] : null
+ value = var.enable_irsa ? concat(aws_iam_openid_connect_provider.oidc_provider[*].arn, tolist([""]))[0] : null
 }
diff --git a/modules/worker_groups/worker_groups.tf b/modules/worker_groups/worker_groups.tf
index 9bd4a34..4677741 100644
--- a/modules/worker_groups/worker_groups.tf
+++ b/modules/worker_groups/worker_groups.tf
@@ -32,7 +32,7 @@ resource "aws_autoscaling_group" "worker_groups" {
 dynamic "mixed_instances_policy" {
 iterator = item
- for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? tolist(each.value) : []
+ for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? tolist([each.value]) : []
 content {
 instances_distribution {
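Review bot: `tolist([each.value])` wraps a one-element tuple literal in a conversion that a dynamic block's `for_each` does not need; `[each.value]` alone is the idiomatic form and matches the bare `[]` on the other branch of the same conditional. The identical two-`lookup` condition is repeated verbatim in the `launch_template` block below this hunk, so the two branches stay mutually exclusive only by hand — a per-group local such as `use_mixed_instances_policy`, computed once where the group defaults are merged, would give both `for_each` expressions a single definition. The `aws_autoscaling_group` resource this sits in starts and ends outside the hunk.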
@@ -66,7 +66,7 @@ resource "aws_autoscaling_group" "worker_groups" {
 dynamic "launch_template" {
 iterator = item
- for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? [] : tolist(each.value)
+ for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? [] : tolist([each.value])
 content {
 id = aws_launch_template.worker_groups[each.key].id
@@ -171,7 +171,7 @@ resource "aws_launch_template" "worker_groups" {
 }

 dynamic "instance_market_options" {
- for_each = lookup(each.value, "market_type", null) == null ? [] : tolist(lookup(each.value, "market_type", null))
+ for_each = lookup(each.value, "market_type", null) == null ? [] : list(lookup(each.value, "market_type", null))
 content {
 market_type = instance_market_options.value
 }

From d0139bf404ee631081ddddd86b2490f04ce64f7d Mon Sep 17 00:00:00 2001
From: "romg@pecan.ai"
Date: Wed, 15 Mar 2023 08:38:10 +0100
Subject: [PATCH 5/5] change ami owner id

---
 README.md | 2 +-
 modules/worker_groups/README.md | 2 +-
 modules/worker_groups/variables.tf | 2 +-
 variables.tf | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 693e4ff..7eab61c 100644
--- a/README.md
+++ b/README.md
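Review bot: The `instance_market_options` line goes the opposite way from the patch subject: it turns `tolist(...)` back into `list(...)`, and `list()` is exactly the function this series is removing — deprecated in Terraform 0.12 and removed in 0.15 — so on a current CLI this line fails to evaluate. `tolist()` of the bare `market_type` string fails as well, which is presumably why it was reverted; the working form is a literal, `for_each = lookup(each.value, "market_type", null) == null ? [] : [lookup(each.value, "market_type", null)]`, the same wrapping the two autoscaling-group hunks above already use. The `aws_launch_template` resource this block sits in starts and ends outside the hunk.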
@@ -119,7 +119,7 @@ No provider.
 | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_owner\_id | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"602401143452"` | no |
-| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"801119661308"` | no |
+| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"402743460324"` | no |
 | worker\_create\_initial\_lifecycle\_hooks | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no |
 | worker\_create\_security\_group | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | `bool` | `true` | no |
 | worker\_groups | A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers\_group\_defaults for valid keys. | `any` | `[]` | no |
diff --git a/modules/worker_groups/README.md b/modules/worker_groups/README.md
index 35f87e5..c3e3579 100644
--- a/modules/worker_groups/README.md
+++ b/modules/worker_groups/README.md
@@ -33,7 +33,7 @@ This submodule is designed for use by both the parent `eks` module and by the us
 | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_owner\_id | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"602401143452"` | no |
-| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"801119661308"` | no |
+| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"402743460324"` | no |
 | worker\_create\_initial\_lifecycle\_hooks | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no |
 | worker\_create\_security\_group | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | `bool` | `true` | no |
 | worker\_groups | Map of map of worker groups to create. See documentation above for more details. | `any` | `{}` | no |
diff --git a/modules/worker_groups/variables.tf b/modules/worker_groups/variables.tf
index b487059..f6c0ea0 100644
--- a/modules/worker_groups/variables.tf
+++ b/modules/worker_groups/variables.tf
@@ -88,7 +88,7 @@ variable "worker_ami_owner_id" {
 variable "worker_ami_owner_id_windows" {
 description = "The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft')."
 type = string
- default = "801119661308" // The ID of the owner of the official AWS EKS Windows AMIs.
+ default = "402743460324" // The ID of the owner of the official AWS EKS Windows AMIs.
 }

 variable "manage_worker_iam_resources" {
diff --git a/variables.tf b/variables.tf
index 53f40fe..46a9e13 100644
--- a/variables.tf
+++ b/variables.tf
@@ -135,7 +135,7 @@ variable "worker_ami_owner_id" {
 variable "worker_ami_owner_id_windows" {
 description = "The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft')."
 type = string
- default = "801119661308" // The ID of the owner of the official AWS EKS Windows AMIs.
+ default = "402743460324" // The ID of the owner of the official AWS EKS Windows AMIs.
 }

 variable "worker_additional_security_group_ids" {
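Review bot: The owner account ID is the control that keeps the `worker_ami_name_filter_windows` name match (presumably fed to an `aws_ami` lookup) from resolving to a look-alike public AMI published from some other account, so swapping it deserves a traceable source, and neither the subject "change ami owner id" nor the unchanged trailing comment gives one. Record where the new value was verified, e.g. `default = "402743460324" // Owner of the official AWS EKS-optimized Windows AMIs; verify against the Owner of the image resolved by the SSM parameter /aws/service/ami-windows-latest/Windows_Server-2019-English-Core-EKS_Optimized-<k8s-version>/image_id before changing.`, and say in the commit message why 801119661308 no longer matches. If the lookup can be changed, resolving the AMI through that SSM parameter instead of a name filter plus owner removes the hand-maintained account ID altogether, which is the safer supply-chain posture.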