dsohk / susecap-tf-eks

Deploy SUSE CAP onto AWS EKS
MIT License

aws_ami substring search can match Windows nodes #1

Closed troytop closed 5 years ago

troytop commented 5 years ago

There is a dangerously open-ended AMI substring search in eks-worker-nodes.tf.

https://github.com/dsohk/susecap-tf-eks/blob/master/eks/eks-worker-nodes.tf#L92

This search will match on the new amazon-eks-node-v1.11-windows* AMIs and create unusable Windows cluster nodes.

Not sure how specific we want to be, but I've changed my local copy to:

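data "aws_ami" "eks-worker" {
  # Narrowed name filter: only the 1.12 v2019 image series matches
  filter {
    name   = "name"
    values = ["amazon-eks-node-1.12-v2019*"]
  }
  # (remaining arguments omitted in the original comment)
}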

I'm not sure yet if this works. Still testing.

troytop commented 5 years ago

Can confirm that the amazon-eks-node-1.12-v20190327 AMI does not work with these Terraform scripts (should have expected this, as they deploy Kubernetes 1.11), but neither do the amazon-eks-node-1.11-v2019* AMIs.

I was able to get the cluster working using amazon-eks-node-v25 (from Oct. 2018), which is the image that was likely used before AWS added the Windows node AMIs.

With the newer AMIs, the Kubernetes-provisioned ELBs were not able to connect with the backing services (health check failures), possibly because security group rules were not being created correctly. I did not have time to figure out exactly what was going wrong, but we should update the scripts so they work with the latest available 1.11 AMIs, as they contain some important security fixes. Kubernetes 1.12 is now available in EKS, so we could try updating to those directly (requires a cluster version setting which should be set in variables.tf).
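The name-filter problem discussed in the two comments above, modelled offline as an added example (not part of the original thread or the repository's code). It applies EC2 filter wildcards (`*`, `?`) to a constructed image catalogue and reports which image a "newest match wins" lookup would select. Assumptions: the data source uses `most_recent = true`, the open-ended pattern `amazon-eks-node-*` is hypothetical, and the Windows suffix, the 1.11 build stamp and all dates are made up.

```python
import re
from datetime import date

# Constructed catalogue. Names follow the patterns quoted in the thread; the
# "-EXAMPLE" suffix, the 1.11 build stamp and all dates are made up.
CATALOGUE = [
    ("amazon-eks-node-v25", date(2018, 10, 1), "linux"),
    ("amazon-eks-node-1.11-v20190327", date(2019, 3, 27), "linux"),
    ("amazon-eks-node-1.12-v20190327", date(2019, 3, 27), "linux"),
    ("amazon-eks-node-v1.11-windows-EXAMPLE", date(2019, 4, 1), "windows"),
]


def wildcard_to_regex(pattern):
    """Translate an EC2-style filter value: '*' = any run, '?' = one char."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out))


def matching_images(pattern, catalogue=CATALOGUE):
    """All images whose full name matches the pattern, newest first."""
    rx = wildcard_to_regex(pattern)
    hits = [img for img in catalogue if rx.fullmatch(img[0])]
    return sorted(hits, key=lambda img: img[1], reverse=True)


def audit_filter(pattern, expected_platform="linux", catalogue=CATALOGUE):
    """Report which image 'newest match wins' would pick, plus any strays."""
    hits = matching_images(pattern, catalogue)
    strays = [name for name, _, plat in hits if plat != expected_platform]
    return {
        "selected": hits[0][0] if hits else None,
        "unexpected": strays,
        "safe": bool(hits) and not strays,
    }


if __name__ == "__main__":
    # "amazon-eks-node-*" is a hypothetical open-ended pattern for comparison.
    for pat in ("amazon-eks-node-*", "amazon-eks-node-1.12-v2019*"):
        print(pat, "->", audit_filter(pat))
```

Running the same audit against the real output of an image listing before `terraform apply` shows when a newly published image family starts matching an existing filter.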

dsohk commented 5 years ago

Thank you Troy! This has been fixed.

See: https://github.com/dsohk/susecap-tf-eks/blob/master/eks/eks-worker-nodes.tf#L92