Node metadata (#293)

* Pass node metadata options to EKS nodes * Fixed metadata_options block in EKS node templates * metadata_options var deafults to empty map * metadata_options var fixed type * Allow EBS volume encryption in odc_eks * Fixed odc_eks variables * Encrypt spot volumes in odc_eks * Validate node metadata_options * Fixed typo in metadata_options variable * Updated readme for odc_eks node options * terraform fmt updates
opendatacube · May 1, 2023 · 084da20 · 084da20
1 parent ea02a83
commit 084da20
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 0 deletions.
diff --git a/odc_eks/README.md b/odc_eks/README.md
@@ -147,6 +147,7 @@ module "odc_eks" {
 | max_spot_price                  | The max in USD you want to pay for each spot instance per hour. Check market price for your instance type to set its value                                                                                             | string       | "0.40"                                           | No       |
 | volume_size                     | The Disk size for your on-demand nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this.                                                                                         | number       | 20                                               | No       |
 | volume_type                     | Override EBS volume type for your root ebs volume e.g. gp2, gp3. If not provided, defaults to GP2 in all regions.                                                                                                      | string       | ""                                               | No       |
+| volume_encrypted                | Whether to encrypt the root EBS volume for nodes. Falls back on AWS EC2 default if not provided.                                                                                                                       | bool         | null                                               | No       |
 | spot_volume_size                | The Disk size for your spot nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this.                                                                                              | number       | 20                                               | No       |
 | extra_kubelet_args              | Additional kubelet command-line arguments                                                                                                                                                                              | string       | "--arg1=value --arg2"                            | No       |
 | extra_bootstrap_args            | Additional bootstrap command-line arguments                                                                                                                                                                              | string       | "--arg1 value --arg2=value --arg3"                            | No       |
@@ -155,6 +156,7 @@ module "odc_eks" {
 | enabled_cluster_log_types       | List of the desired control plane logging to enable, defaults to none                                                                                                                                                  | list(string) | []                                               | No       |
 | enable_custom_cluster_log_group | Create a custom CloudWatch Log Group for the cluster. If you supply `enabled_cluster_log_types` but leave this false, EKS will create a log group automatically with default retention values.                                                                                                                                                  | bool | false                                               | No       |
 | log_retention_period            | Specifies the number of days to retain cluster log event in CloudWatch, if enabled by `enable_custom_cluster_log_group`                                                                                                        | number       | 30                                               | No       |
+| metadata_options                | Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options.                                                                                                      | map(any)       | {}                                               | No       |
 
 ### Outputs
 | Name                   | Description                                                                          | Sensitive   |

diff --git a/odc_eks/main.tf b/odc_eks/main.tf
@@ -98,6 +98,7 @@ module "eks" {
   extra_kubelet_args           = var.extra_kubelet_args
   extra_bootstrap_args         = var.extra_bootstrap_args
   extra_userdata               = var.extra_userdata
+  volume_encrypted             = var.volume_encrypted
   volume_size                  = var.volume_size
   volume_type                  = var.volume_type
   spot_volume_size             = var.spot_volume_size
@@ -109,4 +110,6 @@ module "eks" {
 
   tags            = var.tags
   node_extra_tags = var.node_extra_tags
+
+  metadata_options = var.metadata_options
 }
diff --git a/odc_eks/modules/eks/variables.tf b/odc_eks/modules/eks/variables.tf
@@ -80,6 +80,11 @@ variable "max_spot_price" {
   default = "0.40"
 }
 
+variable "volume_encrypted" {
+  default = null
+  type    = bool
+}
+
 variable "volume_size" {
   default = 20
 }
@@ -168,3 +173,9 @@ variable "node_extra_tags" {
   description = "Additional tags for EKS nodes (e.g. `map('StackName','XYZ')`"
   default     = {}
 }
+
+variable "metadata_options" {
+  description = "Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options"
+  type        = map(any)
+  default     = {}
+}
diff --git a/odc_eks/modules/eks/worker_image.tf b/odc_eks/modules/eks/worker_image.tf
@@ -51,6 +51,14 @@ resource "aws_launch_template" "node" {
   user_data     = base64encode(local.eks-node-userdata)
   instance_type = var.default_worker_instance_type
 
+  metadata_options {
+    http_endpoint               = lookup(var.metadata_options, "http_endpoint", null)
+    http_tokens                 = lookup(var.metadata_options, "http_tokens", null)
+    http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null)
+    http_protocol_ipv6          = lookup(var.metadata_options, "http_protocol_ipv6", null)
+    instance_metadata_tags      = lookup(var.metadata_options, "instance_metadata_tags", null)
+  }
+
   iam_instance_profile {
     name = aws_iam_instance_profile.eks_node.id
   }
@@ -68,6 +76,7 @@ resource "aws_launch_template" "node" {
   block_device_mappings {
     device_name = "/dev/xvda"
     ebs {
+      encrypted   = var.volume_encrypted != null ? var.volume_encrypted : null
       volume_size = var.volume_size
       volume_type = var.volume_type != "" ? var.volume_type : null
     }
@@ -82,6 +91,14 @@ resource "aws_launch_template" "spot" {
   user_data     = base64encode(local.eks-spot-userdata)
   instance_type = var.default_worker_instance_type
 
+  metadata_options {
+    http_endpoint               = lookup(var.metadata_options, "http_endpoint", null)
+    http_tokens                 = lookup(var.metadata_options, "http_tokens", null)
+    http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null)
+    http_protocol_ipv6          = lookup(var.metadata_options, "http_protocol_ipv6", null)
+    instance_metadata_tags      = lookup(var.metadata_options, "instance_metadata_tags", null)
+  }
+
   iam_instance_profile {
     name = aws_iam_instance_profile.eks_node.id
   }
@@ -106,6 +123,7 @@ resource "aws_launch_template" "spot" {
   block_device_mappings {
     device_name = "/dev/xvda"
     ebs {
+      encrypted   = var.volume_encrypted != null ? var.volume_encrypted : null
       volume_size = var.spot_volume_size
       volume_type = var.volume_type != "" ? var.volume_type : null
     }

diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf
@@ -225,6 +225,12 @@ variable "max_spot_price" {
   type    = string
 }
 
+variable "volume_encrypted" {
+  default     = null
+  type        = bool
+  description = "Whether to encrypt the root EBS volume."
+}
+
 variable "volume_size" {
   default = 20
   type    = number
@@ -291,3 +297,15 @@ variable "log_retention_period" {
   description = "Retention period in days of enabled EKS cluster logs"
   default     = 30
 }
+
+variable "metadata_options" {
+  description = "Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options"
+  type        = map(any)
+  default     = {}
+
+  # If http_tokens is required then http_endpoint must be enabled.
+  validation {
+    condition     = lookup(var.metadata_options, "http_tokens", null) != "required" || lookup(var.metadata_options, "http_endpoint", null) == "enabled"
+    error_message = "If http_tokens is required for nodes then http_endpoint must be enabled."
+  }
+}