chore(deps): update terraform cloudposse/eks-node-group/aws to v3 (#124)

* chore(deps): update terraform cloudposse/eks-node-group/aws to v3 * docs: automated update of terraform docs * fix: create_before_destroy = false otherwise it adds a pet_name. We may want to set this to true later (#138) * major: migrating to ami_release_name instead of having to pass in an ami each time (#139) * major: migrating to ami_release_name instead of having to pass in an ami each time * docs: automated update of terraform docs --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix: ami release name and update aws nuke (#140) * fix: ami release name and update aws nuke * docs: automated update of terraform docs --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix: aws-nuke to exclude OSPackage * major: remove allow all private ip access (#141) * docs: automated update of terraform docs * chore: run tf fmt * docs: automated update of terraform docs --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Venkat <[email protected]>
GlueOps · Aug 15, 2024 · 9c97b9c · 9c97b9c
1 parent f8998d4
commit 9c97b9c
Show file tree

Hide file tree

Showing 9 changed files with 113 additions and 106 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,8 @@ module "captain" {
   availability_zones = ["us-west-2a", "us-west-2b"]
   node_pools = [
 #    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
+#      "ami_release_version" : "1.28.11-20240807",
+#      "ami_type" : "AL2_x86_64",
 #      "instance_type" : "t3a.large",
 #      "name" : "glueops-platform-node-pool-1",
 #      "node_count" : 4,
@@ -46,7 +47,8 @@ module "captain" {
 #      ]
 #    },
 #    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
+#      "ami_release_version" : "1.28.11-20240807",
+#      "ami_type" : "AL2_x86_64",
 #      "instance_type" : "t3a.small",
 #      "name" : "glueops-platform-node-pool-argocd-app-controller-1",
 #      "node_count" : 2,
@@ -66,7 +68,8 @@ module "captain" {
 #      ]
 #    },
 #    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
+#      "ami_release_version" : "1.28.11-20240807",
+#      "ami_type" : "AL2_x86_64",
 #      "instance_type" : "t3a.medium",
 #      "name" : "clusterwide-node-pool-1",
 #      "node_count" : 2,
@@ -164,7 +167,7 @@ No requirements.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_kubernetes"></a> [kubernetes](#module\_kubernetes) | cloudposse/eks-cluster/aws | 3.0.0 |
-| <a name="module_node_pool"></a> [node\_pool](#module\_node\_pool) | cloudposse/eks-node-group/aws | 2.12.0 |
+| <a name="module_node_pool"></a> [node\_pool](#module\_node\_pool) | cloudposse/eks-node-group/aws | 3.1.0 |
 | <a name="module_subnets"></a> [subnets](#module\_subnets) | cloudposse/dynamic-subnets/aws | 2.4.2 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | cloudposse/vpc/aws | 2.2.0 |
 | <a name="module_vpc_peering_accepter_with_routes"></a> [vpc\_peering\_accepter\_with\_routes](#module\_vpc\_peering\_accepter\_with\_routes) | ./modules/vpc_peering_accepter_with_routes | n/a |
@@ -181,7 +184,6 @@ No requirements.
 | [aws_security_group.captain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_all_within_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.captain_egress_all_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
-| [aws_security_group_rule.captain_ingress_all_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_iam_openid_connect_provider.provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
 | [aws_iam_policy_document.eks_assume_addon_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
@@ -195,7 +197,7 @@ No requirements.
 | <a name="input_eks_version"></a> [eks\_version](#input\_eks\_version) | The version of EKS to deploy | `string` | `"1.27"` | no |
 | <a name="input_iam_role_to_assume"></a> [iam\_role\_to\_assume](#input\_iam\_role\_to\_assume) | The full ARN of the IAM role to assume | `string` | n/a | yes |
 | <a name="input_kube_proxy_version"></a> [kube\_proxy\_version](#input\_kube\_proxy\_version) | You should grab the appropriate version number from: https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html | `string` | `"v1.28.8-eksbuild.5"` | no |
-| <a name="input_node_pools"></a> [node\_pools](#input\_node\_pools) | node pool configurations:<br>  - name (string): Name of the node pool. MUST BE UNIQUE! Recommended to use YYYYMMDD in the name<br>  - node\_count (number): number of nodes to create in the node pool.<br>  - instance\_type (string): Instance type to use for the nodes. ref: https://instances.vantage.sh/<br>  - ami\_image\_id (string): AMI image ID to use for EKS worker nodes. This varies per region!! ref: https://github.com/awslabs/amazon-eks-ami/releases to find the AMI ID go to the console: https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#Images:visibility=public-images;search=amazon-eks-node-1.28-v20230703<br>  - spot (bool): Enable spot instances for the nodes. DO NOT ENABLE IN PROD!<br>  - disk\_size\_gb (number): Disk size in GB for the nodes.<br>  - max\_pods (number): max pods that can be scheduled per node.<br>  - ssh\_key\_pair\_names (list(string)): List of SSH key pair names to associate with the nodes. ref: https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#KeyPairs:<br>  - kubernetes\_labels (map(string)): Map of labels to apply to the nodes. ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/<br>  - kubernetes\_taints (list(object)): List of taints to apply to the nodes. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | <pre>list(object({<br>    name               = string<br>    node_count         = number<br>    instance_type      = string<br>    ami_image_id       = string<br>    spot               = bool<br>    disk_size_gb       = number<br>    max_pods           = number<br>    ssh_key_pair_names = list(string)<br>    kubernetes_labels  = map(string)<br>    kubernetes_taints = list(object({<br>      key    = string<br>      value  = string<br>      effect = string<br>    }))<br><br>  }))</pre> | <pre>[<br>  {<br>    "ami_image_id": "ami-0a62f3a52fa691069",<br>    "disk_size_gb": 20,<br>    "instance_type": "t3a.large",<br>    "kubernetes_labels": {},<br>    "kubernetes_taints": [],<br>    "max_pods": 110,<br>    "name": "default-pool",<br>    "node_count": 1,<br>    "spot": false,<br>    "ssh_key_pair_names": []<br>  }<br>]</pre> | no |
+| <a name="input_node_pools"></a> [node\_pools](#input\_node\_pools) | node pool configurations:<br>  - name (string): Name of the node pool. MUST BE UNIQUE! Recommended to use YYYYMMDD in the name<br>  - node\_count (number): number of nodes to create in the node pool.<br>  - instance\_type (string): Instance type to use for the nodes. ref: https://instances.vantage.sh/<br>  - ami\_image\_id (string): AMI image ID to use for EKS worker nodes. This varies per region!! ref: https://github.com/awslabs/amazon-eks-ami/releases to find the AMI ID go to the console: https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#Images:visibility=public-images;search=amazon-eks-node-1.28-v20230703<br>  - spot (bool): Enable spot instances for the nodes. DO NOT ENABLE IN PROD!<br>  - disk\_size\_gb (number): Disk size in GB for the nodes.<br>  - max\_pods (number): max pods that can be scheduled per node.<br>  - ssh\_key\_pair\_names (list(string)): List of SSH key pair names to associate with the nodes. ref: https://us-west-2.console.aws.amazon.com/ec2/home?region=us-west-2#KeyPairs:<br>  - kubernetes\_labels (map(string)): Map of labels to apply to the nodes. ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/<br>  - kubernetes\_taints (list(object)): List of taints to apply to the nodes. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | <pre>list(object({<br>    name                = string<br>    node_count          = number<br>    instance_type       = string<br>    ami_release_version = string<br>    ami_type            = string<br>    spot                = bool<br>    disk_size_gb        = number<br>    max_pods            = number<br>    ssh_key_pair_names  = list(string)<br>    kubernetes_labels   = map(string)<br>    kubernetes_taints = list(object({<br>      key    = string<br>      value  = string<br>      effect = string<br>    }))<br><br>  }))</pre> | <pre>[<br>  {<br>    "ami_release_version": "1.29.6-20240807",<br>    "ami_type": "AL2_x86_64",<br>    "disk_size_gb": 20,<br>    "instance_type": "t3a.large",<br>    "kubernetes_labels": {},<br>    "kubernetes_taints": [],<br>    "max_pods": 110,<br>    "name": "default-pool",<br>    "node_count": 1,<br>    "spot": false,<br>    "ssh_key_pair_names": []<br>  }<br>]</pre> | no |
 | <a name="input_peering_configs"></a> [peering\_configs](#input\_peering\_configs) | A list of maps containing VPC peering configuration details | <pre>list(object({<br>    vpc_peering_connection_id = string<br>    destination_cidr_block    = string<br>  }))</pre> | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to deploy into | `string` | n/a | yes |
 | <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The CIDR block for the VPC | `string` | `"10.65.0.0/26"` | no |

diff --git a/addons.tf b/addons.tf
@@ -64,7 +64,7 @@ resource "aws_eks_addon" "coredns" {
   service_account_role_arn = aws_iam_role.eks_addon_ebs_csi_role.arn
   depends_on               = [module.node_pool]
   count                    = length(var.node_pools) > 0 ? 1 : 0
-  configuration_values = local.coredns_addon_node_tolerations
+  configuration_values     = local.coredns_addon_node_tolerations
 }
 
 
@@ -75,6 +75,6 @@ resource "aws_eks_addon" "kube_proxy" {
   resolve_conflicts_on_create = "OVERWRITE"
   resolve_conflicts_on_update = "OVERWRITE"
 
-  depends_on               = [module.node_pool]
-  count                    = length(var.node_pools) > 0 ? 1 : 0
+  depends_on = [module.node_pool]
+  count      = length(var.node_pools) > 0 ? 1 : 0
 }
diff --git a/docs/.header.md b/docs/.header.md
@@ -25,7 +25,8 @@ module "captain" {
   availability_zones = ["us-west-2a", "us-west-2b"]
   node_pools = [
 #    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
+#      "ami_release_version" : "1.28.11-20240807",
+#      "ami_type" : "AL2_x86_64",
 #      "instance_type" : "t3a.large",
 #      "name" : "glueops-platform-node-pool-1",
 #      "node_count" : 4,
@@ -45,7 +46,8 @@ module "captain" {
 #      ]
 #    },
 #    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
+#      "ami_release_version" : "1.28.11-20240807",
+#      "ami_type" : "AL2_x86_64",
 #      "instance_type" : "t3a.small",
 #      "name" : "glueops-platform-node-pool-argocd-app-controller-1",
 #      "node_count" : 2,
@@ -65,7 +67,8 @@ module "captain" {
 #      ]
 #    },
 #    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
+#      "ami_release_version" : "1.28.11-20240807",
+#      "ami_type" : "AL2_x86_64",
 #      "instance_type" : "t3a.medium",
 #      "name" : "clusterwide-node-pool-1",
 #      "node_count" : 2,

diff --git a/network.tf b/network.tf
@@ -29,15 +29,6 @@ resource "aws_security_group" "captain" {
   vpc_id      = module.vpc.vpc_id
 }
 
-resource "aws_security_group_rule" "captain_ingress_all_private" {
-  type              = "ingress"
-  from_port         = 0
-  to_port           = 65535
-  protocol          = "-1"
-  cidr_blocks       = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-  security_group_id = aws_security_group.captain.id
-}
-
 resource "aws_security_group_rule" "captain_egress_all_ipv4" {
   type              = "egress"
   from_port         = 0

diff --git a/node_pool.tf b/node_pool.tf
@@ -3,18 +3,20 @@ module "node_pool" {
   for_each = { for np in var.node_pools : np.name => np }
   source   = "cloudposse/eks-node-group/aws"
   # Cloud Posse recommends pinning every module to a specific version
-  version           = "2.12.0"
-  ec2_ssh_key_name  = each.value.ssh_key_pair_names
-  instance_types    = [each.value.instance_type]
-  subnet_ids        = module.subnets.public_subnet_ids
-  desired_size      = each.value.node_count
-  min_size          = each.value.node_count
-  max_size          = each.value.node_count + 1
-  cluster_name      = module.kubernetes.eks_cluster_id
-  capacity_type     = each.value.spot ? "SPOT" : "ON_DEMAND"
-  ami_image_id      = [each.value.ami_image_id]
-  kubernetes_labels = each.value.kubernetes_labels
-  kubernetes_taints = each.value.kubernetes_taints
+  version               = "3.1.0"
+  ec2_ssh_key_name      = each.value.ssh_key_pair_names
+  instance_types        = [each.value.instance_type]
+  subnet_ids            = module.subnets.public_subnet_ids
+  desired_size          = each.value.node_count
+  min_size              = each.value.node_count
+  max_size              = each.value.node_count + 1
+  cluster_name          = module.kubernetes.eks_cluster_id
+  capacity_type         = each.value.spot ? "SPOT" : "ON_DEMAND"
+  ami_release_version   = [each.value.ami_release_version]
+  ami_type              = each.value.ami_type
+  kubernetes_labels     = each.value.kubernetes_labels
+  kubernetes_taints     = each.value.kubernetes_taints
+  create_before_destroy = false
 
   cluster_autoscaler_enabled = false
   name                       = each.value.name

diff --git a/tests/aws-nuke.yaml b/tests/aws-nuke.yaml
@@ -25,6 +25,10 @@ presets:
       IAMUserAccessKey:
       - "glueops-deployment-svc -> AKIA3COQJC7C2PNUKZV4" #Update `glueops-deployment-svc-account-name` to whatever your IAM user you created is called AND change `ABCDEFGHIJKLMNOPQRST` to whatever the AccessKey ID actually is from when you created it.
 
+resource-types:
+  excludes:
+    # don't nuke OpenSearch Packages, see https://github.com/rebuy-de/aws-nuke/issues/1123
+    - OSPackage
 
 
 regions: #this regions list was last updated on April 2, 2022.

diff --git a/tests/destroy-aws.sh b/tests/destroy-aws.sh
@@ -2,5 +2,5 @@
 
 # reference: https://github.com/GlueOps/scripts-teardown-aws-amazon-web-services
 echo "Preform an AWS Cleanup with AWS Nuke"
-wget https://github.com/rebuy-de/aws-nuke/releases/download/v2.24.2/aws-nuke-v2.24.2-linux-amd64.tar.gz && tar -xvf aws-nuke-v2.24.2-linux-amd64.tar.gz && rm aws-nuke-v2.24.2-linux-amd64.tar.gz && mv aws-nuke-v2.24.2-linux-amd64 aws-nuke
+wget https://github.com/rebuy-de/aws-nuke/releases/download/v2.25.0/aws-nuke-v2.25.0-linux-amd64.tar.gz && tar -xvf aws-nuke-v2.25.0-linux-amd64.tar.gz && rm aws-nuke-v2.25.0-linux-amd64.tar.gz && mv aws-nuke-v2.25.0-linux-amd64 aws-nuke
 ./aws-nuke -c aws-nuke.yaml --no-dry-run --force
diff --git a/tests/main.tf b/tests/main.tf
@@ -1,5 +1,5 @@
 module "captain" {
-  iam_role_to_assume = "arn:aws:iam::761182885829:role/glueops-captain-role" 
+  iam_role_to_assume = "arn:aws:iam::761182885829:role/glueops-captain-role"
   source             = "../"
   eks_version        = "1.28"
   csi_driver_version = "v1.33.0-eksbuild.1"
@@ -9,57 +9,60 @@ module "captain" {
   region             = "us-west-2"
   availability_zones = ["us-west-2a", "us-west-2b"]
   node_pools = [
-#    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
-#      "instance_type" : "t3a.large",
-#      "name" : "glueops-platform-node-pool-1",
-#      "node_count" : 4,
-#      "spot" : false,
-#      "disk_size_gb" : 20,
-#      "max_pods" : 110,
-#      "ssh_key_pair_names" : [],
-#      "kubernetes_labels" : {
-#        "glueops.dev/role" : "glueops-platform"
-#      },
-#      "kubernetes_taints" : [
-#        {
-#          key    = "glueops.dev/role"
-#          value  = "glueops-platform"
-#          effect = "NO_SCHEDULE"
-#        }
-#      ]
-#    },
-#    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
-#      "instance_type" : "t3a.small",
-#      "name" : "glueops-platform-node-pool-argocd-app-controller-1",
-#      "node_count" : 2,
-#      "spot" : false,
-#      "disk_size_gb" : 20,
-#      "max_pods" : 110,
-#      "ssh_key_pair_names" : [],
-#      "kubernetes_labels" : {
-#        "glueops.dev/role" : "glueops-platform-argocd-app-controller"
-#      },
-#      "kubernetes_taints" : [
-#        {
-#          key    = "glueops.dev/role"
-#          value  = "glueops-platform-argocd-app-controller"
-#          effect = "NO_SCHEDULE"
-#        }
-#      ]
-#    },
-#    {
-#      "ami_image_id" : "ami-0a62f3a52fa691069",
-#      "instance_type" : "t3a.medium",
-#      "name" : "clusterwide-node-pool-1",
-#      "node_count" : 2,
-#      "spot" : false,
-#      "disk_size_gb" : 20,
-#      "max_pods" : 110,
-#      "ssh_key_pair_names" : [],
-#      "kubernetes_labels" : {},
-#      "kubernetes_taints" : []
-#    }
+    #    {
+    #      "ami_release_version" : "1.28.11-20240807",
+    #      "ami_type" : "AL2_x86_64",
+    #      "instance_type" : "t3a.large",
+    #      "name" : "glueops-platform-node-pool-1",
+    #      "node_count" : 4,
+    #      "spot" : false,
+    #      "disk_size_gb" : 20,
+    #      "max_pods" : 110,
+    #      "ssh_key_pair_names" : [],
+    #      "kubernetes_labels" : {
+    #        "glueops.dev/role" : "glueops-platform"
+    #      },
+    #      "kubernetes_taints" : [
+    #        {
+    #          key    = "glueops.dev/role"
+    #          value  = "glueops-platform"
+    #          effect = "NO_SCHEDULE"
+    #        }
+    #      ]
+    #    },
+    #    {
+    #      "ami_release_version" : "1.28.11-20240807",
+    #      "ami_type" : "AL2_x86_64",
+    #      "instance_type" : "t3a.small",
+    #      "name" : "glueops-platform-node-pool-argocd-app-controller-1",
+    #      "node_count" : 2,
+    #      "spot" : false,
+    #      "disk_size_gb" : 20,
+    #      "max_pods" : 110,
+    #      "ssh_key_pair_names" : [],
+    #      "kubernetes_labels" : {
+    #        "glueops.dev/role" : "glueops-platform-argocd-app-controller"
+    #      },
+    #      "kubernetes_taints" : [
+    #        {
+    #          key    = "glueops.dev/role"
+    #          value  = "glueops-platform-argocd-app-controller"
+    #          effect = "NO_SCHEDULE"
+    #        }
+    #      ]
+    #    },
+    #    {
+    #      "ami_release_version" : "1.28.11-20240807",
+    #      "ami_type" : "AL2_x86_64",
+    #      "instance_type" : "t3a.medium",
+    #      "name" : "clusterwide-node-pool-1",
+    #      "node_count" : 2,
+    #      "spot" : false,
+    #      "disk_size_gb" : 20,
+    #      "max_pods" : 110,
+    #      "ssh_key_pair_names" : [],
+    #      "kubernetes_labels" : {},
+    #      "kubernetes_taints" : []
+    #    }
   ]
 }
diff --git a/variables.tf b/variables.tf
@@ -70,15 +70,16 @@ variable "eks_version" {
 
 variable "node_pools" {
   type = list(object({
-    name               = string
-    node_count         = number
-    instance_type      = string
-    ami_image_id       = string
-    spot               = bool
-    disk_size_gb       = number
-    max_pods           = number
-    ssh_key_pair_names = list(string)
-    kubernetes_labels  = map(string)
+    name                = string
+    node_count          = number
+    instance_type       = string
+    ami_release_version = string
+    ami_type            = string
+    spot                = bool
+    disk_size_gb        = number
+    max_pods            = number
+    ssh_key_pair_names  = list(string)
+    kubernetes_labels   = map(string)
     kubernetes_taints = list(object({
       key    = string
       value  = string
@@ -87,16 +88,17 @@ variable "node_pools" {
 
   }))
   default = [{
-    name               = "default-pool"
-    node_count         = 1
-    instance_type      = "t3a.large"
-    ami_image_id       = "ami-0a62f3a52fa691069"
-    spot               = false
-    disk_size_gb       = 20
-    max_pods           = 110
-    ssh_key_pair_names = []
-    kubernetes_labels  = {}
-    kubernetes_taints  = []
+    name                = "default-pool"
+    node_count          = 1
+    instance_type       = "t3a.large"
+    ami_release_version = "1.29.6-20240807"
+    ami_type            = "AL2_x86_64"
+    spot                = false
+    disk_size_gb        = 20
+    max_pods            = 110
+    ssh_key_pair_names  = []
+    kubernetes_labels   = {}
+    kubernetes_taints   = []
   }]
   description = <<-DESC
   node pool configurations: