feat: Create node group user data from given template

[scalen]

PR o'clock

Closes #1644

Description

Prior to this commit, user data for node groups was generated from a
prescribed template, and user data in other formats (such as the TOML
used to configure Bottlerocket instances, see link) was not supported.

This change allows a node_group to specify its own user data template
file, the template's extra arguments and the user data's mime type;
this in turn supports alternative forms of user data as required by any
given AMI.

https://github.com/bottlerocket-os/bottlerocket#using-user-data

Checklist

• README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation

[daroga0002]

@scalen could you paster here some examples of module configuration to test?

[scalen]

could you paster here some examples of module configuration to test?

@daroga0002 I have copy-pasted the old bottlerocket example, and changed any parameters/templates necessary to match the node_modules configuration: 35948f9

[stevehipwell]

@scalen I was planning on doing this work so I'm very happy to see you've already picked it up. Could you rebase this onto the latest master branch and I'll give it a review?

[scalen]

@stevehipwell I have rebased, so this should be ready for review 🙂

[stevehipwell]

@scalen I'm not sure there is a precedent for complex objects in the node group config so I'd suggest removing the nesting and using user_data_ as a prefix (e.g. user_data_mime_type), there are only 3 variables. This will also make it possible to only override one of the values without having to specifically set the others to their defaults, which wouldn't be as easy to use and could cause outdated defaults to be used if they were ever changed. Other than that this looks really good. How much testing have you done?

[scalen]

@scalen I'm not sure there is a precedent for complex objects in the node group config so I'd suggest removing the nesting and using user_data_ as a prefix (e.g. user_data_mime_type), there are only 3 variables. This will also make it possible to only override one of the values without having to specifically set the others to their defaults, which wouldn't be as easy to use and could cause outdated defaults to be used if they were ever changed.

Fair enough!

How much testing have you done?

I have two BottleRocket node groups deployed using this with different SGs and related K8s taints and labels (with workloads relying on the labels, and others not tolerating the taints, which we have verified); AWS tags for integrating with the autoscaling controller; and common configuration of things like the disk type shared by all node groups with node_groups_defaults. I haven't tested with any variations of configuration, but felt that our motivating case tested most of the pertinent features being touched in this change.

Other than that this looks really good.

🙇🏼

[stevehipwell]

@scalen if you make the changes to the variables I'll review again and then we can see if @daroga0002 can approve running CI. Once this is merged I might take a look at adding the changes in my previous PRs and the changes here for launch template workers.

[scalen]

@stevehipwell Requested changes made in 7135ba9

[stevehipwell]

Looks good to me, @daroga0002 what do you think?

[jaimehrubiks]

Does this modify existing node_groups with user data like these:

  pre_userdata = join("\n\n#----------------\n\n",[
    templatefile("${path.module}/templates/_volume_fg6001.sh", {}),
    templatefile("${path.module}/templates/_volume_fg6002.sh", {}),
  ])

If you don't change anything?

[scalen]

Does this modify existing node_groups with user data like these:

  pre_userdata = join("\n\n#----------------\n\n",[
    templatefile("${path.module}/templates/_volume_fg6001.sh", {}),
    templatefile("${path.module}/templates/_volume_fg6002.sh", {}),
  ])

If you don't change anything?

No, the default behaviour remains the same.

[bryantbiggs]

ah, good ol' userdata again. I think we just need to provide a bring-your-own user_data functionality. something like:

	...
	user_data = var.create_user_data ?  base64encode(local.launch_template_userdata_rendered[count.index]) : var.user_data_base64
	...

thoughts @daroga0002 ?

[stevehipwell]

@bryantbiggs isn't this PR providing a BYO fallback implementation?

[bryantbiggs]

yes, but in a way that is getting very complex and convoluted

[stevehipwell]

@bryantbiggs it's a complex problem that's being solved. The templated solutions currently provided by the input variables have a pretty good UX and for everyone else this PR will allow them to own the full complexity themselves.

[scalen]

yes, but in a way that is getting very complex and convoluted

It is a little convoluted, but by providing the template and additional args separately, it means we can utilise many variables created within the module. If we required the user data to be passed in whole, we may struggle to get some of the same synchronisation that is possible/trivial with the current approach.

[stevehipwell]

@scalen do you not need to provide a variable to customise the block_device_mappings.device_name to support Bottlerocket (and other OSs)?

See #1695 & #1685.

[scalen]

@scalen do you not need to provide a variable to customise the block_device_mappings.device_name to support Bottlerocket (and other OSs)?

See #1695 & #1685.

We haven't seen any issues running of this PR branch, but then we haven't specified any significant configuration. I assume the suggestion is to make a more flexible version of this change, to let the user define the volume to configure:

device_name = length(split("BOTTLEROCKET", each.value["ami_type"])) > 1 ? "/dev/xvdb" : "/dev/xvda"

This still means only one volume will be configured, but it seems that will be fine for the Bottlerocket case 🤷🏼

[stevehipwell]

@scalen that is correct; I assume that if you tried to configure the volume that it'd be applied to the wrong Bottlerocket volume (as is discussed in the other PR). A generic way to pass in the block device name would be a good solution, as would adding it in to the Bottlerocket example.

[hi-artem]

@scalen do you not need to provide a variable to customise the block_device_mappings.device_name to support Bottlerocket (and other OSs)?
See #1695 & #1685.

We haven't seen any issues running of this PR branch, but then we haven't specified any significant configuration. I assume the suggestion is to make a more flexible version of this change, to let the user define the volume to configure:

device_name = length(split("BOTTLEROCKET", each.value["ami_type"])) > 1 ? "/dev/xvdb" : "/dev/xvda"

This still means only one volume will be configured, but it seems that will be fine for the Bottlerocket case 🤷🏼

I made the original volume comment on #1695, saying that we shouldn't really care about the xvda volume. For context, xvda contains operating system itself: the active & passive partitions, the bootloader, the dm-verity data and etc. However, I can see the use case where you want to customize both xvda and xvdb. For example, in case you are required to encrypt all your ebs devices.

[scalen]

I made the original volume comment on #1695, saying that we shouldn't really care about the xvda volume. For context, xvda contains operating system itself: the active & passive partitions, the bootloader, the dm-verity data and etc. However, I can see the use case where you want to customize both xvda and xvdb. For example, in case you are required to encrypt all your ebs devices.

I thought of that too, but that is really starting to stray far from the point of the PR, which was to add support for alternative user data formats back to node_groups. Making an extra value configurable in order to slightly extend the existing functionality to behave as one might expect for the specific Bottlerocket case is arguably related; I would also argue, however, that extending the module to support the configuration of multiple distinct volumes is a new feature, which should get its own PR.

[stevehipwell]

@hi-artem @scalen the Bottlerocket OS volume is readonly so I think that if this PR supports changing the device name we're good here. Adding support for additional devices should be a new PR, but I think we need to make sure that the right Bottlerocket (or other OS) device is being configured in this PR.

[scalen]

I think we need to make sure that the right Bottlerocket (or other OS) device is being configured in this PR.

Done, @stevehipwell .

[FrediWeber]

@hi-artem @scalen the Bottlerocket OS volume is readonly so I think that if this PR supports changing the device name we're good here. Adding support for additional devices should be a new PR, but I think we need to make sure that the right Bottlerocket (or other OS) device is being configured in this PR.

Is the Bottlerocket volume RO from an EC2 standpoint? I thought the volume just gets mounted as RO.

[stevehipwell]

@FrediWeber that's worth exploring. I guess the block_device variable could be made block_devices and take a list and then the mapping be dynamically looped which would support all potential cases? @scalen thoughts?

[FrediWeber]

We just configured a launch template for a classic ASG and needed to configure both block devices to be encrypted and use a custom KMS key to be compliant with our regulations. I think it would be beneficial if we could encrypt all block devices on the Bottlerocket instances.

[scalen]

We just configured a launch template for a classic ASG and needed to configure both block devices to be encrypted and use a custom KMS key to be compliant with our regulations. I think it would be beneficial if we could encrypt all block devices on the Bottlerocket instances.

@FrediWeber that's worth exploring. I guess the block_device variable could be made block_devices and take a list and then the mapping be dynamically looped which would support all potential cases? @scalen thoughts?

I think this does sound like a very valuable feature, and is (like the feature being implemented in this PR) replicating a greater configurability from the workers_group elements of the parent module.

However, as far as I can see, the ability to specify multiple device mappings is not really related to the ability to specify non-cloudinit user data... Other than both are features that are related to the deploying of Bottlerocket nodes.

I think it would be more valuable to get this PR approved and merged, thereby unblocking the use of Bottlerocket nodes, then follow it with another PR introducing support for multiple device mappings, to increase security/support regulatory compliance where applicable. That may just be my preference for focused, modular PRs, though 🤷🏼.

[idan-gur]

What is the blockage on this PR?

[stevehipwell]

@daroga0002 @antonbabenko could you approve the workflow even if you don't have time to review yet?

[daroga0002]

@daroga0002 @antonbabenko could you approve the workflow even if you don't have time to review yet?

I dont have permissions and @antonbabenko is on re:Invent so probably he will be back next week.

I am a little stuck in last 2 weeks by some work, but I will try soon perform a review pending PRs.

[scalen]

Tests from before rebase to fix formatting: https://github.com/terraform-aws-modules/terraform-aws-eks/runs/4397905746

[lucasreed]

Checking in to see if this is in the pipeline for reviewing. Would love to see this released!

[antonbabenko]

This issue has been resolved in version 18.0.0 🎉

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.