diff --git a/README.md b/README.md index 87aa8a21c3..21c134522e 100644 --- a/README.md +++ b/README.md @@ -175,11 +175,14 @@ module "eks" { ℹ️ Only the pertinent attributes are shown for brevity -1. AWS EKS Managed Node Group can provide its own launch template and utilize the latest AWS EKS Optimized AMI (Linux) for the given Kubernetes version: +1. AWS EKS Managed Node Group can provide its own launch template and utilize the latest AWS EKS Optimized AMI (Linux) for the given Kubernetes version. By default, the module creates a launch template to ensure tags are propagated to instances, etc., so we need to disable it to use the default template provided by the AWS EKS managed node group service: ```hcl eks_managed_node_groups = { - default = {} + default = { + create_launch_template = false + launch_template_name = "" + } } ``` @@ -188,6 +191,9 @@ module "eks" { ```hcl eks_managed_node_groups = { bottlerocket_default = { + create_launch_template = false + launch_template_name = "" + ami_type = "BOTTLEROCKET_x86_64" platform = "bottlerocket" } diff --git a/UPGRADE-18.0.md b/UPGRADE-18.0.md index f719fcea45..8c1bd66983 100644 --- a/UPGRADE-18.0.md +++ b/UPGRADE-18.0.md 
@@ -29,6 +29,7 @@ Please consult the `examples` directory for reference example configurations. If - The previous iteration used a count over a list of node group definitions which was prone to disruptive updates; this is now replaced with a map/for_each to align with that of the EKS managed node group and Fargate profile behaviors/style - The user data configuration supported across the module has been completely revamped. A new `_user_data` internal sub-module has been created to consolidate all user data configuration in one location which provides better support for testability (via the [`examples/user_data`](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/user_data) example). The new sub-module supports nearly all possible combinations including the ability to allow users to provide their own user data template which will be rendered by the module. See the `examples/user_data` example project for the full plethora of example configuration possibilities and more details on the logic of the design can be found in the [`modules/_user_data`](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/modules/_user_data_) directory. - Resource name changes may cause issues with existing resources. For example, security groups and IAM roles cannot be renamed, they must be recreated. Recreation of these resources may also trigger a recreation of the cluster. To use the legacy (< 18.x) resource naming convention, set `prefix_separator` to "". +- Security group usage has been overhauled to provide only the bare minimum network connectivity required to launch a bare bones cluster. See the [security group documentation section](https://github.com/terraform-aws-modules/terraform-aws-eks#security-groups) for more details. Users upgrading to v18.x will want to review the rules they have in place today versus the rules provisioned by the v18.x module and ensure to make any necessary adjustments for their specific workload. 
## Additional changes diff --git a/examples/eks_managed_node_group/README.md b/examples/eks_managed_node_group/README.md index b23c13d3f1..6b662257f9 100644 --- a/examples/eks_managed_node_group/README.md +++ b/examples/eks_managed_node_group/README.md @@ -32,6 +32,7 @@ Note that this example may create resources which cost money. Run `terraform des | [terraform](#requirement\_terraform) | >= 0.13.1 | | [aws](#requirement\_aws) | >= 3.64 | | [null](#requirement\_null) | >= 3.0 | +| [tls](#requirement\_tls) | >= 2.2 | ## Providers @@ -39,6 +40,7 @@ Note that this example may create resources which cost money. Run `terraform des |------|---------| | [aws](#provider\_aws) | >= 3.64 | | [null](#provider\_null) | >= 3.0 | +| [tls](#provider\_tls) | >= 2.2 | ## Modules 
@@ -51,11 +53,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Type | |------|------| +| [aws_key_pair.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource | | [aws_kms_key.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_launch_template.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | | [aws_security_group.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [null_resource.patch](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | | [aws_iam_policy_document.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf index b45505a198..ce76f94085 100644 --- a/examples/eks_managed_node_group/main.tf +++ b/examples/eks_managed_node_group/main.tf 
@@ -68,10 +68,25 @@ module "eks" { eks_managed_node_groups = { # Default node group - as provided by AWS EKS - default_node_group = {} + default_node_group = { + # By default, the module creates a launch template to ensure tags are propagated to instances, etc., + # so we need to disable it to use the default template provided by the AWS EKS managed node group service + create_launch_template = false + launch_template_name = "" + + # Remote access cannot be specified with a launch template + remote_access = { + ec2_ssh_key = aws_key_pair.this.key_name + } + } # Default node group - as provided by AWS EKS using Bottlerocket bottlerocket_default = { + # By default, the module creates a launch template to ensure tags are propagated to instances, etc., + # so we need to disable it to use the default template provided by the AWS EKS managed node group service + create_launch_template = false + launch_template_name = "" + ami_type = "BOTTLEROCKET_x86_64" platform = "bottlerocket" } @@ -122,20 +137,23 @@ module "eks" { # Use a custom AMI custom_ami = { + ami_type = "AL2_ARM_64" # Current default AMI used by managed node groups - pseudo "custom" - ami_id = "ami-0caf35bc73450c396" + ami_id = "ami-01dc0aa438e3214c2" # ARM # This will ensure the boostrap user data is used to join the node # By default, EKS managed node groups will not append bootstrap script; # this adds it back in using the default template provided by the module # Note: this assumes the AMI provided is an EKS optimized AMI derivative enable_bootstrap_user_data = true + + instance_types = ["t4g.medium"] } # Complete complete = { name = "complete-eks-mng" - use_name_prefix = false + use_name_prefix = true subnet_ids = module.vpc.private_subnets @@ -173,10 +191,6 @@ module "eks" { } ] - remote_access = { - ec2_ssh_key = "my-ssh-key" - } - update_config = { max_unavailable_percentage = 50 # or set `max_unavailable` } 
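Review bot: The new `remote_access` block in `default_node_group` sets only `ec2_ssh_key`; when an EKS managed node group is given an SSH key with no source security groups, the service opens port 22 on the nodes to 0.0.0.0/0. Pair the key with `source_security_group_ids = [aws_security_group.additional.id]` (that security group is already listed among this example's resources) or, if the open default is intended for the example, state it in the comment: `# Remote access cannot be specified with a launch template; without source_security_group_ids EKS opens port 22 to the internet`. The enclosing `module "eks"` block starts before and ends after this hunk.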
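Review bot: The updated `ami_id = "ami-01dc0aa438e3214c2"` is a region-specific identifier, and the `# Current default AMI used by managed node groups - pseudo "custom"` comment above it now describes an ARM image whose region and Kubernetes version, and its required pairing with `ami_type = "AL2_ARM_64"` and `instance_types = ["t4g.medium"]`, are left implicit, so a reader copying this into another region gets an AMI-not-found error rather than an obvious mismatch. Consider resolving the image from the SSM parameter `/aws/service/eks/optimized-ami/<cluster_version>/amazon-linux-2-arm64/recommended/image_id` through a `data "aws_ssm_parameter"` block, or at least replace the comment with `# AL2 ARM64 EKS-optimized AMI (region-specific); must match ami_type and the Graviton instance_types below`. The enclosing `module "eks"` block starts before and ends after this hunk.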
@@ -475,6 +489,7 @@ resource "aws_launch_template" "external" { resource_type = "instance" tags = { + Name = "external_lt" CustomTag = "Instance custom tag" } } @@ -503,3 +518,14 @@ resource "aws_launch_template" "external" { create_before_destroy = true } } + +resource "tls_private_key" "this" { + algorithm = "RSA" +} + +resource "aws_key_pair" "this" { + key_name_prefix = local.name + public_key = tls_private_key.this.public_key_openssh + + tags = local.tags +} diff --git a/examples/eks_managed_node_group/versions.tf b/examples/eks_managed_node_group/versions.tf index adfd0180d4..883963f7b0 100644 --- a/examples/eks_managed_node_group/versions.tf +++ b/examples/eks_managed_node_group/versions.tf @@ -10,5 +10,9 @@ terraform { source = "hashicorp/null" version = ">= 3.0" } + tls = { + source = "hashicorp/tls" + version = ">= 2.2" + } } }
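Review bot: The new `tls_private_key.this` resource generates the node SSH key inside Terraform, so the RSA private key (at the provider's default `rsa_bits` of 2048, since none is set) is written in plaintext to the Terraform state, and the example never outputs it, meaning anyone with state access holds the key while no legitimate user can reach it. Document that at the resource, e.g. `# Example only: the generated private key is stored in plaintext in Terraform state; use a pre-existing key pair outside examples`, and consider setting `rsa_bits = 4096` explicitly. The `aws_key_pair.this` resource in the same hunk could carry a one-line comment saying it exists only to satisfy the `remote_access` block of the default node group.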