Skip to content

Releases: cloudposse/terraform-aws-eks-node-group

v2.7.0

14 Mar 17:26
04cddc1
Compare
Choose a tag to compare
Conditionnaly disable default eks security group @xeivieni (#141)

what

Adds the possibility to remove association of the default eks security groups to the launch template

why

  • The default security group contains very wide rules (all ports inbound on itself)
  • Using the module it gets associated to all nodes by default
  • In some cases users may need to explicitly whitelist part of the traffic instead of allowing everything

references

v2.6.2

28 Feb 15:01
31d0b8a
Compare
Choose a tag to compare

🚀 Enhancements

Prevent unexpected privileges escalation @gillg (#136)

what

The current variable input_metadata_http_put_response_hop_limit condition, prevent to protect users of this module, to be protected against privileges escalation.
The first intent of IMDSv2 is to prevent containers beeing able to assume an EC2 instance profile. It's not a bad idea at all to prevent that. The good practice then is to use the module cloudposse/eks-iam-role/aws to create a kubernetes service account mapped with IAM permissions throug an OIDC IdP.

references

v2.6.1

18 Nov 17:04
ea8401e
Compare
Choose a tag to compare

🚀 Enhancements

Add instance, volume, network-interface as resource tag defaults @nitrocode (#132)

what

  • Add instance, volume, network-interface as resource tag defaults

why

  • Reasonable tagging defaults

references

v2.6.0

02 Aug 18:27
c611f2d
Compare
Choose a tag to compare
Detailed monitoring @IkePCampbell (#126)

What did I do

  • Add detailed monitoring flag to the launch template of EC2 nodes

Why did I do this

  • Some compliance tools will flag nodes used by this module because they don't have detailed monitoring. This also allows metrics to be reported every minute as opposed to five minute intervals

Helpful references

v2.5.0 IPv6 support, non-breaking changes expected

08 Jun 19:44
b7ba5d2
Compare
Choose a tag to compare

Upgrading to this version, if you have node_role_cni_policy_enabled set to true (the default), will cause a new IAM policy to be created and your existing node group IAM role to have its permissions updated. This will cause a transient interruption in the ability of the node to manage its network interface, but it should heal itself with no interruption to existing services. It may cause a short (some seconds) delay in being able to deploy new Pods.

references

details

Add support for IPv6 @Nuru (#121)

what

  • Update node group IAM role permissions to support IPv6

why

  • Previous permissions, using AWS managed policy AmazonEKS_CNI_Policy, are insufficient to enable proper functioning of the node when using IPv6

v2.4.0

23 May 02:49
0d9d6a2
Compare
Choose a tag to compare

With this release, we end the use of pre-production (version 0.x) Semantic Versions for this module. Earlier releases have been re-released to make upgrading using semantic versions possible.

This release has a change that may trigger an update. The ebs_optimized input was added in v2.2.0 (and v0.27.2) with a default value of false. In this release, we change the default value to true, which is the value recommended by AWS and is the default value for most instance types.

Although this release contains a fix to generate the correct values for the tags (with keys of the form k8s.io/cluster-autoscaler/node-template/taint/$TAINT) that give a hint to the Cluster Auto Scaler about what taints would be applied to nodes when launched (prior to his release, the tag values were invalid), the tags are only effective when applied to the auto scaling group controlling the node group, and even with this release, this module still does not apply the tags to the auto scaling group. See aws/containers-roadmap#608 for more details.

Other changes:

  • Add updated documentation for migration to V2.0.0
  • Add tags to the output, supersedes and closes #112, closes #111
  • Fix the tag value for Auto Scaler tags that indicate taints

For details, see PR #118

v0.28.1

21 May 22:59
bc1d647
Compare
Choose a tag to compare
git.io->cloudposse.tools update @dylanbannon (#114)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

🤖 Automatic Updates

chore(deps): update terraform cloudposse/security-group/aws to v1 @renovate (#117)

This PR contains the following updates:

Package Type Update Change
cloudposse/security-group/aws (source) module major 0.4.3 -> 1.0.1

v2.3.0 Requested features, general updates (#110)

23 May 02:54
5641f58
Compare
Choose a tag to compare

Version 2.3.0 is exactly the same as v0.28.0 except for the version number, part of Cloud Posse's conversion to production Semantic Versioning for its Terraform modules.

This version is not recommended, because it includes the ebs_optimized input with a default value of false. The default has been changed to true in v2.4.0.

🚀 Enhancements

Requested features, general updates (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

  • Allow ami_type="CUSTOM", resolves #96, thank you @ingledl
  • Output ID and name of launch template, resolves #102, supersedes and closes #103, thank you @bwmetcalf
  • Allow SSH access to provided ssh_access_security_group_ids whether or not an SSH key is provided, resolves #108, thank you @bcbrockway
  • Update test framework, add test for enabled=false, update workflows: general maintenance and conformity

🐛 Bug Fixes

Properly handle launch template changes, ensure SSH egress (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

  • Change name of node group when launch template ID changes. Supersedes and closes #106, thank you @woz5999
  • Allow all TCP egress to destinations where SSH ingress is allowed because that is required for SSH to work (usually not a problem because usually node groups allow all egress to all destinations)

v0.28.0

02 Mar 18:28
5641f58
Compare
Choose a tag to compare

🚀 Enhancements

Requested features, general updates (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

  • Allow ami_type="CUSTOM", resolves #96, thank you @ingledl
  • Output ID and name of launch template, resolves #102, supersedes and closes #103, thank you @bwmetcalf
  • Allow SSH access to provided ssh_access_security_group_ids whether or not an SSH key is provided, resolves #108, thank you @bcbrockway
  • Update test framework, add test for enabled=false, update workflows: general maintenance and conformity

🐛 Bug Fixes

Properly handled launch template changes, ensure SSH egress (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

  • Change name of node group when launch template ID changes. Supersedes and closes #106, thank you @woz5999
  • Allow all TCP egress to destinations where SSH ingress is allowed because that is required for SSH to work (usually not a problem because usually node groups allow all egress to all destinations)

v2.2.0 EBS optimization, tagging network interfaces

23 May 03:05
8d41552
Compare
Choose a tag to compare

This version is not recommended, because it introduces the ebs_optimized input with a default value of false, which is a change from previous behavior and best practice. The default has been changed to true in v2.4.0.

Version 2.2.0 is exactly the same as v0.27.3 except for the version number, part of Cloud Posse's conversion to production Semantic Versioning for its Terraform modules..

🚀 Enhancements

Support tagging Network Interfaces @mholttech (#107)

what

Add support for tagging Network Interfaces with var.resources_to_tag

why

According to LaunchTemplateTagSpecificationRequest Documentation, Network Interfaces are now supported for tagging on creation.

references

support for ebs optimization in launch templates @jrowinski3d (#101)

what

  • Enabled EBS Optimization in the launch template.

why

  • Give the user ability to enable ebs optimization, default will be false. Of course the instance_type will need to be capable of doing so.

references