Fix for remote access and lifecycle issues #30
Conversation
woz5999
requested review from
Makeshift and
adamcrews
and removed request for
a team
|
@Nuru @danjbh This PR has fixes some module issues that make it unusable for users trying to specify an ssh key and additional remote access security groups and also fixes a regression that breaks govcloud support. i went with a preference for maintaining existing behavior and backwards compatibility and not modifying module usage, assuming that would be preferable by the maintainers, but I'm not married to anything specific except that the module should work again. |
main.tf
Outdated
| ) | ||
|
|
||
| security_group_ids = concat( | ||
| list(data.aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id), |
There was a problem hiding this comment.
needed to enable communication with the EKS control plane
There was a problem hiding this comment.
Is this always enough? Could there be more than one or some other security group that needs to be added?
main.tf
Outdated
| @@ -25,6 +25,20 @@ locals { | |||
| id = coalesce(var.launch_template_id, aws_launch_template.default[0].id) | |||
| latest_version = coalesce(var.launch_template_version, aws_launch_template.default[0].latest_version) | |||
| } | |||
|
|
|||
| eks_node_group_resources = merge(aws_eks_node_group.default.*.resources, | |||
There was a problem hiding this comment.
this is some formatting to maintain backward compatibility with outputs.
main.tf
Outdated
| @@ -57,6 +71,14 @@ data "aws_iam_policy_document" "assume_role" { | |||
| } | |||
| } | |||
|
|
|||
| data "aws_subnet" "default" { | |||
| id = var.subnet_ids[0] | |||
There was a problem hiding this comment.
this is to prevent introducing an additional required variable. happy to modify if that's a more preferred route.
There was a problem hiding this comment.
Do not reference this if it is not needed.
| @@ -170,14 +194,6 @@ resource "aws_eks_node_group" "default" { | |||
| version = local.launch_template.latest_version | |||
| } | |||
|
|
|||
| dynamic "remote_access" { | |||
There was a problem hiding this comment.
this block is not supported when using launch templates. currently breaks the entire module if ec2_ssh_key or source_security_group_ids is specified
main.tf
Outdated
| type = "ingress" | ||
|
|
||
| cidr_blocks = [ | ||
| "0.0.0.0/0" |
There was a problem hiding this comment.
this emulates the default behavior of non-launch template node groups that specify a remote_access ssh key but no source security group.
There was a problem hiding this comment.
Thank you for this submission.
We added a lot in v0.11.0. In particular, it should solve your tag problem and restore backward compatibility with v0.8.0. v0.9.0 and v0.10.0 should have been marked pre-releases and giving corresponding semver numbers, but we are using a new automated release system that does not support pre-releases, for which I apologize.
We did not address SSH access when creating a launch template in v0.11.0 because a launch template is not needed for v0.8.0 functionality and because it seems like there are a lot of ways for that to go wrong, plus we did not have a use case or a test for it. If you do not care about propagating tags to instances and EBS volumes, then you do not need a launch template and v0.11.0 should do what you need. Otherwise, please review 0.11 and the comments here, rebase and revise the PR, and point us to any documentation you can to assure us that the security group configuration for the launch template is correct for all the various use cases.
main.tf
Outdated
| ) | ||
|
|
||
| # Tagging an elastic gpu on create is not yet supported in govcloud | ||
| tag_spec = compact(["instance", "volume", join("", data.aws_partition.current.*.partition) == "aws-us-gov" ? "" : "elastic-gpu"]) |
There was a problem hiding this comment.
We do not want to hard code exceptions like this. In v0.11.0 the default is no tagging and users can specify which resources to tag, so this should not longer be an issue for you.
main.tf
Outdated
| @@ -25,6 +25,22 @@ locals { | |||
| id = coalesce(var.launch_template_id, aws_launch_template.default[0].id) | |||
| latest_version = coalesce(var.launch_template_version, aws_launch_template.default[0].latest_version) | |||
| } | |||
|
|
|||
| eks_node_group_resources = [for resource in aws_eks_node_group.default.*.resources : | |||
There was a problem hiding this comment.
Rather than change the structure of the resources output, add a new output for the new info, if it is really needed, which I am not sure about.
There was a problem hiding this comment.
the sg id is needed as an output for users that might want to add rules to it outside the module. i was appending to resources to match prior behavior. happy to put it as its own output.
it's important to have as an output for users that might want to add additional rules outside the module. if you're ok breaking backward compatibility, this can all be updated and users can just provide an sg id to the module to attach to the launch template and bypass most of the logic in this PR
main.tf
Outdated
| ) | ||
|
|
||
| security_group_ids = concat( | ||
| list(data.aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id), |
There was a problem hiding this comment.
Is this always enough? Could there be more than one or some other security group that needs to be added?
main.tf
Outdated
| @@ -57,6 +71,14 @@ data "aws_iam_policy_document" "assume_role" { | |||
| } | |||
| } | |||
|
|
|||
| data "aws_subnet" "default" { | |||
| id = var.subnet_ids[0] | |||
There was a problem hiding this comment.
Do not reference this if it is not needed.
main.tf
Outdated
| data "aws_eks_cluster" "eks_cluster" { | ||
| name = var.cluster_name | ||
| } | ||
|
|
There was a problem hiding this comment.
This is already in v0.11.0 with appropriate conditions, although now you need to add another condition.
main.tf
Outdated
| key_name = var.ec2_ssh_key | ||
| vpc_security_group_ids = local.security_group_ids |
There was a problem hiding this comment.
In case we get the security group list wrong, I do not want to specify it if we do not have to.
| key_name = var.ec2_ssh_key | |
| vpc_security_group_ids = local.security_group_ids | |
| key_name = local.ec2_ssh_key | |
| vpc_security_group_ids = local.ec2_ssh_key != null ? local.security_group_ids : null |
main.tf
Outdated
|
|
||
| dynamic "tag_specifications" { | ||
| for_each = ["instance", "volume", "elastic-gpu"] | ||
| for_each = local.tag_spec |
Co-authored-by: Nuru <Nuru@users.noreply.github.com>
|
@Nuru modified the PR such that it only adds the ability for the users to attach additional security groups to the generated launch template. it also fixes a bug wherein |
|
/test all |
Nuru
added
bugfix
|
/test all |
Nuru
changed the title
what
why
remote_accessis not valid for node groups that specify launch templates. If you specify an ssh key or source security group ids with the current state of the module, it will throw an error and prevent node group creation.