Nuru
commented
3 years ago @xeon0320 Thank you for reporting this. I have confirmed that this is a bug that has been present since the disk encryption option was added.
- In the beginning, this module did not use a launch template.
- At some point (version 0.8 to 0.11) this module optionally created a launch template if one were needed to use features that were only available via a launch template. The intention was to only create and use a launch template if one were needed (probably so as not to disturb existing clusters), but in order to work around a bug in Terraform, the launch template is always created even if it is not used.
- When the disk encryption flag was added, the setting was added to the launch template, but the flag indicating whether or not to use the launch template was not updated.
This is an easy bug to fix and we will fix it. However, at the moment this module is subject to a code freeze, so it will be a while before the fix is published.
You can work around this bug by forcing the use of the launch template, which you can do by passing before_cluster_joining_userdata. I suggest
before_cluster_joining_userdata = "# Force use of launch template"
xeon0320
Hi. I'm not sure if this is a bug, or maybe I'm just not understanding it correctly. I'm trying to enable encryption and encrypt the EBS volumes for the Node Groups.
In my Terraform code, I have added:
launch_template_disk_encryption_enabled = true launch_template_disk_encryption_kms_key_id = "ARN of the KMS key"After terraform apply, I can see the launch template has the encryption flag set to true and the ARN of the key is also visible.
But when I go to the ASG, I can see the ASG is actually using a different launch template.
It seems when I run terraform, the code creates 2 launch templates, and the ASG is not using the one that got updated above.
Am I missing something here?
Thanks.