diff --git a/odc_eks/README.md b/odc_eks/README.md
index c784a300..485103af 100644
--- a/odc_eks/README.md
+++ b/odc_eks/README.md
@@ -147,6 +147,7 @@ module "odc_eks" {
 | max_spot_price | The max in USD you want to pay for each spot instance per hour. Check market price for your instance type to set its value | string | "0.40" | No |
 | volume_size | The Disk size for your on-demand nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this. | number | 20 | No |
 | volume_type | Override EBS volume type for your root ebs volume e.g. gp2, gp3. If not provided, defaults to GP2 in all regions. | string | "" | No |
+| volume_encrypted | Whether to encrypt the root EBS volume for nodes. Falls back on AWS EC2 default if not provided. | bool | null | No |
 | spot_volume_size | The Disk size for your spot nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this. | number | 20 | No |
 | extra_kubelet_args | Additional kubelet command-line arguments | string | "--arg1=value --arg2" | No |
 | extra_bootstrap_args | Additional bootstrap command-line arguments | string | "--arg1 value --arg2=value --arg3" | No |
@@ -155,6 +156,7 @@ module "odc_eks" { | enabled_cluster_log_types | List of the desired control plane logging to enable, defaults to none | list(string) | [] | No | | enable_custom_cluster_log_group | Create a custom CloudWatch Log Group for the cluster. If you supply `enabled_cluster_log_types` but leave this false, EKS will create a log group automatically with default retention values. | bool | false | No | | log_retention_period | Specifies the number of days to retain cluster log event in CloudWatch, if enabled by `enable_custom_cluster_log_group` | number | 30 | No | +| metadata_options | Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options. | map(any) | {} | No | ### Outputs | Name | Description | Sensitive | diff --git a/odc_eks/main.tf b/odc_eks/main.tf index bd03798c..f56b24dd 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -98,6 +98,7 @@ module "eks" { extra_kubelet_args = var.extra_kubelet_args extra_bootstrap_args = var.extra_bootstrap_args extra_userdata = var.extra_userdata + volume_encrypted = var.volume_encrypted volume_size = var.volume_size volume_type = var.volume_type spot_volume_size = var.spot_volume_size @@ -109,4 +110,6 @@ module "eks" { tags = var.tags node_extra_tags = var.node_extra_tags + + metadata_options = var.metadata_options } diff --git a/odc_eks/modules/eks/variables.tf b/odc_eks/modules/eks/variables.tf index 9ab9bcee..cf042846 100644 --- a/odc_eks/modules/eks/variables.tf +++ b/odc_eks/modules/eks/variables.tf @@ -80,6 +80,11 @@ variable "max_spot_price" { default = "0.40" } +variable "volume_encrypted" { + default = null + type = bool +} + variable "volume_size" { default = 20 } 
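Review bot: The new `volume_encrypted` variable in odc_eks/modules/eks/variables.tf carries no `description`, while the root-module copy of the same variable added in this commit does, so the submodule is not self-documenting. Add `description = "Whether to encrypt the root EBS volume of worker nodes; null leaves the attribute unset so the account's EBS default-encryption setting decides."` — the null-means-account-default wording matches the README row in this commit, though whether the provider really omits the attribute on null should be confirmed against the launch-template resource. It is also worth stating that nodes already running are unaffected; only instances launched from the new template version pick the setting up.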
@@ -168,3 +173,9 @@ variable "node_extra_tags" { description = "Additional tags for EKS nodes (e.g. `map('StackName','XYZ')`" default = {} } + +variable "metadata_options" { + description = "Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options" + type = map(any) + default = {} +} \ No newline at end of file diff --git a/odc_eks/modules/eks/worker_image.tf b/odc_eks/modules/eks/worker_image.tf index 88874a03..9fce01b7 100644 --- a/odc_eks/modules/eks/worker_image.tf +++ b/odc_eks/modules/eks/worker_image.tf @@ -51,6 +51,14 @@ resource "aws_launch_template" "node" { user_data = base64encode(local.eks-node-userdata) instance_type = var.default_worker_instance_type + metadata_options { + http_endpoint = lookup(var.metadata_options, "http_endpoint", null) + http_tokens = lookup(var.metadata_options, "http_tokens", null) + http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null) + http_protocol_ipv6 = lookup(var.metadata_options, "http_protocol_ipv6", null) + instance_metadata_tags = lookup(var.metadata_options, "instance_metadata_tags", null) + } + iam_instance_profile { name = aws_iam_instance_profile.eks_node.id } @@ -68,6 +76,7 @@ resource "aws_launch_template" "node" { block_device_mappings { device_name = "/dev/xvda" ebs { + encrypted = var.volume_encrypted != null ? var.volume_encrypted : null volume_size = var.volume_size volume_type = var.volume_type != "" ? var.volume_type : null } 
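Review bot: With the variable's default `metadata_options = {}`, every attribute of the new `metadata_options` block in `aws_launch_template.node` resolves to null, so the template presumably inherits the EC2 defaults — `http_tokens` optional, i.e. IMDSv1 still answers — and any pod that can reach 169.254.169.254 can read the credentials of the `aws_iam_instance_profile.eks_node` profile attached just below. For a hardened default consider `default = { http_tokens = "required", http_put_response_hop_limit = 1 }` on the variable, or at minimum say in the variable description and README that the default leaves IMDSv1 enabled and recommend those two settings. Note that with `http_tokens = "required"` a hop limit of 1 stops pods from obtaining node credentials via IMDS at all, so workloads not yet on IRSA would need hop limit 2 as an interim step. The enclosing `aws_launch_template.node` resource starts and ends outside this hunk.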
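Review bot: `encrypted = var.volume_encrypted != null ? var.volume_encrypted : null` is an identity expression — both branches produce `var.volume_encrypted` — so the line should simply read `encrypted = var.volume_encrypted` (the same expression is repeated in the spot template). Separately, `encrypted = true` with no `kms_key_id` in this `ebs` block falls back, as far as I know, to the account's default EBS key, so teams that must use a customer-managed key have no way to do so through this module; a companion `volume_kms_key_id` variable wired to `kms_key_id` here would complete the feature. The enclosing `block_device_mappings` block closes outside the hunk.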
@@ -82,6 +91,14 @@ resource "aws_launch_template" "spot" { user_data = base64encode(local.eks-spot-userdata) instance_type = var.default_worker_instance_type + metadata_options { + http_endpoint = lookup(var.metadata_options, "http_endpoint", null) + http_tokens = lookup(var.metadata_options, "http_tokens", null) + http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null) + http_protocol_ipv6 = lookup(var.metadata_options, "http_protocol_ipv6", null) + instance_metadata_tags = lookup(var.metadata_options, "instance_metadata_tags", null) + } + iam_instance_profile { name = aws_iam_instance_profile.eks_node.id } @@ -106,6 +123,7 @@ resource "aws_launch_template" "spot" { block_device_mappings { device_name = "/dev/xvda" ebs { + encrypted = var.volume_encrypted != null ? var.volume_encrypted : null volume_size = var.spot_volume_size volume_type = var.volume_type != "" ? var.volume_type : null } diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index a6338d1f..7613454a 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf @@ -225,6 +225,12 @@ variable "max_spot_price" { type = string } +variable "volume_encrypted" { + default = null + type = bool + description = "Whether to encrypt the root EBS volume." +} + variable "volume_size" { default = 20 type = number 
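Review bot: The description `"Whether to encrypt the root EBS volume."` on the root-module `volume_encrypted` variable does not say what the default `null` means, whereas the README row added in this commit does; make the variable self-describing with `description = "Whether to encrypt the root EBS volume of worker nodes. null leaves the attribute unset so the account's EBS default-encryption setting applies; true encrypts with the account's default EBS key unless a key is configured elsewhere."` The default-key part is inferred from the launch templates setting no `kms_key_id` — confirm before wording it that way. It would also help operators to note that toggling this only affects instances launched from the new template version, not nodes already running.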
@@ -291,3 +297,15 @@ variable "log_retention_period" { description = "Retention period in days of enabled EKS cluster logs" default = 30 } + +variable "metadata_options" { + description = "Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options" + type = map(any) + default = {} + + # If http_tokens is required then http_endpoint must be enabled. + validation { + condition = lookup(var.metadata_options, "http_tokens", null) != "required" || lookup(var.metadata_options, "http_endpoint", null) == "enabled" + error_message = "If http_tokens is required for nodes then http_endpoint must be enabled." + } +} \ No newline at end of file
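Review bot: The validation rejects the most common hardening input, `metadata_options = { http_tokens = "required" }`, because `lookup(var.metadata_options, "http_endpoint", null)` yields null rather than `"enabled"`, even though leaving `http_endpoint` unset presumably keeps the EC2 default of enabled. Treat an absent key as enabled: `condition = lookup(var.metadata_options, "http_tokens", null) != "required" || lookup(var.metadata_options, "http_endpoint", "enabled") == "enabled"`, and reword the error message to say that `http_endpoint` must not be `"disabled"` when tokens are required. Separately, `map(any)` unifies all values to one type, so a numeric `http_put_response_hop_limit` beside string values becomes a string (Terraform converts it back for the number argument, but a misspelled key is silently dropped by `lookup`); an `object({...})` with `optional()` attributes would reject unknown keys if the module's minimum Terraform version permits it. The file also ends without a trailing newline.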