terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0

post_bootstrap_user_data depending on enable_bootstrap_user_data parameter #2725

Closed IgorEulalio closed 1 year ago

IgorEulalio commented 1 year ago

Description

post_bootstrap_user_data depends on the enable_bootstrap_user_data parameter being set to true, whereas pre_bootstrap_user_data doesn't.

Versions

Reproduction Code [Required]

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "19.16.0"

  cluster_name                   = local.name
  cluster_version                = "1.27"
  cluster_endpoint_public_access = true

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  eks_managed_node_groups = {
    initial = {
      ## $(pwd)/infrastructure/eks/.terraform/modules/eks/modules/eks-managed-node-group/variables.tf
      instance_types = ["t3.large"]

      min_size     = 1
      max_size     = 3
      desired_size = 1

      # pre_bootstrap_user_data = <<-EOT
      #   yum install -y pip
      #   pip install --upgrade pyyaml
      #   touch /tmp/userdata.txt
      # EOT

      # fix CVE-2017-18342
      post_bootstrap_user_data = <<-EOT
        yum install -y pip
        pip install --upgrade pyyaml
        touch /tmp/userdata.txt
      EOT

      iam_role_additional_policies = {
        "ssm_managed_core" = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
      } 
    }
  }

  manage_aws_auth_configmap = true

  # manage_aws_auth_configmap = true

  tags = local.tags

  # set clear dependencies
  depends_on = [module.vpc]
}

Steps to reproduce the behavior:

terraform init && terraform apply

Expected behavior

That code should configure the user_data with those 3 lines at the end of the user data bootstrap script:

yum install -y pip
pip install --upgrade pyyaml
touch /tmp/userdata.txt

Actual behavior

Including post_bootstrap_user_data without enable_bootstrap_user_data set to true doesn't trigger any change in the terraform plan.

Additional context

I'm wondering if we have any motivation to couple post_bootstrap_user_data with enable_bootstrap_user_data. It is weird though, because pre_bootstrap_user_data is executed independently of the enable_bootstrap_user_data value.

Most of the deployments that I've worked on in the past were using the post bootstrap script instead of pre, so we can have minimum time to join for new nodes.

If that makes sense, I'd appreciate opening a PR to fix this behavior: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v19.16.0/templates/linux_user_data.tpl

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

bryantbiggs commented 1 year ago

post_bootstrap_user_data is only applicable on self-managed nodegroups or when using a custom AMI on managed nodegroups. In those scenarios, you need to specify enable_bootstrap_user_data = true to tell the module that you want to inject the bootstrap command. On managed nodegroups this is provided by EKS as the last step, which is why only pre_bootstrap_user_data is applicable.

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/user_data.md
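The two cases described in the reply above, side by side, as an added example that is not part of the original thread or the module's own documentation. `ami-PLACEHOLDER` is a placeholder for a custom AMI ID, the node group names are made up for illustration, and `local.name`, `local.tags` and `module.vpc` are assumed to exist as in the reproduction code from the issue.

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "19.16.0"

  cluster_name    = local.name # assumed, as in the issue's reproduction code
  cluster_version = "1.27"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  eks_managed_node_groups = {
    # Case 1: EKS-provided AMI. EKS supplies the bootstrap step itself as
    # the last step, so only pre_bootstrap_user_data is applicable here.
    # The package fix from the issue therefore goes in the pre hook.
    default_ami = {
      instance_types = ["t3.large"]
      min_size       = 1
      max_size       = 3
      desired_size   = 1

      pre_bootstrap_user_data = <<-EOT
        yum install -y pip
        pip install --upgrade pyyaml
        touch /tmp/userdata.txt
      EOT
    }

    # Case 2: custom AMI. The module injects the bootstrap command only when
    # enable_bootstrap_user_data = true; without it, post_bootstrap_user_data
    # is not rendered and the plan shows no change.
    custom_ami = {
      ami_id                     = "ami-PLACEHOLDER" # placeholder, not a real AMI
      enable_bootstrap_user_data = true
      instance_types             = ["t3.large"]
      min_size                   = 1
      max_size                   = 3
      desired_size               = 1

      post_bootstrap_user_data = <<-EOT
        yum install -y pip
        pip install --upgrade pyyaml
        touch /tmp/userdata.txt
      EOT
    }
  }

  tags = local.tags
}
```

After adding either hook, confirm that `terraform plan` reports a change for the node group; a plan with no change, as in the issue, means the hook was not rendered and the remediation in it never runs on new nodes.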

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.