terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0

eks managed node groups, option to auto-attach AmazonSSMManagedInstanceCore for ssm agent connectivity #3213

Closed dylan-shipwell closed 1 week ago

dylan-shipwell commented 1 week ago

suggestion: add a default option selection for eks_managed_node_groups that auto-enrolls eks_managed_node_groups with a policy attachment of arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore, to enable ssm-agent and therefore the aws ec2 console instance "connection" default functionality.

```hcl
module "eks" {
  # ...
  eks_managed_node_groups = {
    example = {
      # ...
      # attach the SSM policy only when the (proposed) toggle is enabled
      iam_role_additional_policies = merge(
        ((!var.eks_cluster_managed_node_group_enable_ssm) ? ({}) : ({
          "ssm-agent" = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        }))
      )
    }
  }
  # ...
}
```

aws docs (https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/install-ssm-agent-on-amazon-eks-worker-nodes-by-using-kubernetes-daemonset.html), linking to https://github.com/awslabs/amazon-eks-ami/releases/tag/v20210621, suggest this feature has been included in EKS AMIs since 2021-06.

## Is your request related to a new offering from AWS?

yes, AMIs do not include the ssm-agent client software by default, which requires specific iam actions. iam and ssm have been supported in terraform for at least 1yr.

Is this functionality available in the [AWS provider for Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)? See [CHANGELOG.md](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md), too.
- No 🛑: please wait to file a request until the functionality is available in the AWS provider
- Yes ✅: please list the AWS provider version which introduced this functionality

## Is your request related to a problem? Please describe.

troubleshooting and instance connectivity: what is the default recommendation for getting a root shell session on any node on an eks cluster managed by terraform-aws-modules (using the eks managed node groups backend)?

## Describe the solution you'd like.

enable ssm-agent, which needs a specific iam action granted to the instance iam role to enable bi-directional communication between aws ssm and eks cluster instances.

## Describe alternatives you've considered.

- none
- ec2 user data injected static ssh authorized_keys (?), not thoroughly considered.

## Additional context

- none

bryantbiggs commented 1 week ago

thanks for the suggestion - additional policies can be attached by users as needed, but I don't think this should be baked into the module
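The following is an added example of what the maintainer's reply points to: attaching AmazonSSMManagedInstanceCore from the calling configuration rather than from inside the module. It is not code from the issue or from terraform-aws-eks itself. It goes slightly beyond the original snippet by using the module's `eks_managed_node_group_defaults` input so the toggle applies to every managed node group, which is the "default option" the request asks for; `var.enable_ssm`, `var.vpc_id`, `var.subnet_ids`, the cluster name and the node group name are assumptions.

```hcl
# Added example (not the module's own docs or the issue author's code).
# var.enable_ssm, var.vpc_id, var.subnet_ids and the literal names below are assumptions.

variable "enable_ssm" {
  description = "Attach AmazonSSMManagedInstanceCore to every managed node group role so the SSM agent shipped in the EKS AMI can register with Systems Manager"
  type        = bool
  default     = false
}

locals {
  # Empty map when the toggle is off, so no extra policy is attached at all.
  ssm_node_policy = var.enable_ssm ? {
    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  } : {}
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "example-cluster" # placeholder
  cluster_version = "1.31"            # placeholder
  vpc_id          = var.vpc_id        # assumed to be defined elsewhere
  subnet_ids      = var.subnet_ids    # assumed to be defined elsewhere

  # Applied to every entry in eks_managed_node_groups unless a group overrides it.
  eks_managed_node_group_defaults = {
    iam_role_additional_policies = local.ssm_node_policy
  }

  eks_managed_node_groups = {
    general = {
      instance_types = ["m6i.large"]
      min_size       = 1
      max_size       = 3
      desired_size   = 2
    }
  }
}
```

The managed policy only lets the node register with Systems Manager; who may actually open a session is decided by the IAM principal of the operator (the `ssm:StartSession` permission on their side), so the policy attachment and the operator-side grants can be reviewed separately. Session Manager can also be configured to record session activity to CloudWatch Logs or S3, which is the audit trail a team would normally want before relying on this instead of SSH keys in user data.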