From 3bfc0f072e908d6f3911c247edaeb429b8e429b2 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 25 May 2024 12:51:21 -0400 Subject: [PATCH] chore: Update EKS version to 1.30 where applicable (#1952) --- .pre-commit-config.yaml | 4 +- docs/cSpell_dict.txt | 2 + patterns/agones-game-controller/main.tf | 6 +- patterns/aws-vpc-cni-network-policy/main.tf | 4 +- patterns/external-secrets/main.tf | 4 +- patterns/fargate-serverless/main.tf | 4 +- patterns/fully-private-cluster/main.tf | 4 +- patterns/ipv6-eks-cluster/main.tf | 4 +- patterns/istio/main.tf | 4 +- patterns/karpenter-mng/eks.tf | 8 +- patterns/karpenter/main.tf | 4 +- patterns/kubecost/main.tf | 4 +- patterns/ml-capacity-block/eks.tf | 4 +- patterns/nvidia-gpu-efa/eks.tf | 4 +- patterns/private-public-ingress/main.tf | 4 +- patterns/privatelink-access/eks.tf | 4 +- patterns/sso-iam-identity-center/main.tf | 4 +- patterns/sso-okta/main.tf | 4 +- patterns/stateful/main.tf | 109 +++++++++--------- patterns/targeted-odcr/eks.tf | 4 +- patterns/tls-with-aws-pca-issuer/main.tf | 4 +- .../client-server-communication/eks.tf | 4 +- patterns/wireguard-with-cilium/eks.tf | 4 +- 23 files changed, 103 insertions(+), 98 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cd3e8a60c5..48586fb8a0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/streetsidesoftware/cspell-cli - rev: v8.8.0 + rev: v8.8.2 hooks: - id: cspell args: [--exclude, 'ADOPTERS.md', --exclude, '.pre-commit-config.yaml', --exclude, '.gitignore', --exclude, '*.drawio', --exclude, 'mkdocs.yml', --exclude, '.helmignore', --exclude, '.github/workflows/*', --exclude, 'patterns/istio-multi-cluster/*', --exclude, 'patterns/blue-green-upgrade/*'] 
@@ -19,7 +19,7 @@ repos: - id: detect-aws-credentials args: [--allow-missing-credentials] - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.89.1 + rev: v1.90.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/docs/cSpell_dict.txt b/docs/cSpell_dict.txt index c063d9b4da..ddb73f6e2b 100644 --- a/docs/cSpell_dict.txt +++ b/docs/cSpell_dict.txt @@ -34,6 +34,7 @@ cainjector chdir cidrsubnet ciliumnetworkpolicy +cloudinit clusterip clusterissuer clusterrole @@ -111,6 +112,7 @@ mtls nccl netcat nics +nodeadm nodegroup nodeport nvme diff --git a/patterns/agones-game-controller/main.tf b/patterns/agones-game-controller/main.tf index 0223531f02..d3ba20c79b 100644 --- a/patterns/agones-game-controller/main.tf +++ b/patterns/agones-game-controller/main.tf @@ -22,8 +22,6 @@ locals { name = basename(path.cwd) region = "us-west-2" - cluster_version = "1.29" - vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3) @@ -42,10 +40,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = local.cluster_version + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster diff --git a/patterns/aws-vpc-cni-network-policy/main.tf b/patterns/aws-vpc-cni-network-policy/main.tf index 6e63ed62e7..1189367128 100644 --- a/patterns/aws-vpc-cni-network-policy/main.tf +++ b/patterns/aws-vpc-cni-network-policy/main.tf @@ -49,10 +49,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" # Must be 1.25 or higher + cluster_version = "1.30" # Must be 1.25 or higher cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster 
diff --git a/patterns/external-secrets/main.tf b/patterns/external-secrets/main.tf index 43cce41d64..a008b91ed2 100644 --- a/patterns/external-secrets/main.tf +++ b/patterns/external-secrets/main.tf @@ -58,10 +58,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster diff --git a/patterns/fargate-serverless/main.tf b/patterns/fargate-serverless/main.tf index 4bafe93a52..a1f7f3fc09 100644 --- a/patterns/fargate-serverless/main.tf +++ b/patterns/fargate-serverless/main.tf @@ -50,10 +50,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster diff --git a/patterns/fully-private-cluster/main.tf b/patterns/fully-private-cluster/main.tf index 98dddfcbd8..83c354f326 100644 --- a/patterns/fully-private-cluster/main.tf +++ b/patterns/fully-private-cluster/main.tf @@ -23,10 +23,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" # EKS Addons cluster_addons = { diff --git a/patterns/ipv6-eks-cluster/main.tf b/patterns/ipv6-eks-cluster/main.tf index 9998b1c25b..b7077b0bed 100644 --- a/patterns/ipv6-eks-cluster/main.tf +++ b/patterns/ipv6-eks-cluster/main.tf @@ -23,10 +23,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # IPV6 
diff --git a/patterns/istio/main.tf b/patterns/istio/main.tf index e4ed6f6b65..db4313e8a4 100644 --- a/patterns/istio/main.tf +++ b/patterns/istio/main.tf @@ -52,10 +52,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster diff --git a/patterns/karpenter-mng/eks.tf b/patterns/karpenter-mng/eks.tf index cfa30cbfda..f162a59ed4 100644 --- a/patterns/karpenter-mng/eks.tf +++ b/patterns/karpenter-mng/eks.tf @@ -4,10 +4,10 @@ module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.10" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" # Give the Terraform identity admin access to the cluster # which will allow it to deploy resources into the cluster @@ -82,7 +82,7 @@ output "configure_kubectl" { module "karpenter" { source = "terraform-aws-modules/eks/aws//modules/karpenter" - version = "~> 20.9" + version = "~> 20.11" cluster_name = module.eks.cluster_name @@ -105,7 +105,7 @@ resource "helm_release" "karpenter" { repository_username = data.aws_ecrpublic_authorization_token.token.user_name repository_password = data.aws_ecrpublic_authorization_token.token.password chart = "karpenter" - version = "0.36.1" + version = "0.36.2" wait = false values = [ diff --git a/patterns/karpenter/main.tf b/patterns/karpenter/main.tf index 5414a6d11b..bd2f0177b5 100644 --- a/patterns/karpenter/main.tf +++ b/patterns/karpenter/main.tf @@ -59,10 +59,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true vpc_id = module.vpc.vpc_id 
diff --git a/patterns/kubecost/main.tf b/patterns/kubecost/main.tf index d040ed7bb8..e35262aba5 100644 --- a/patterns/kubecost/main.tf +++ b/patterns/kubecost/main.tf @@ -38,10 +38,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster diff --git a/patterns/ml-capacity-block/eks.tf b/patterns/ml-capacity-block/eks.tf index 831d3df95e..bdc4509be4 100644 --- a/patterns/ml-capacity-block/eks.tf +++ b/patterns/ml-capacity-block/eks.tf @@ -16,10 +16,10 @@ variable "capacity_reservation_id" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.9" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" # Give the Terraform identity admin access to the cluster # which will allow it to deploy resources into the cluster diff --git a/patterns/nvidia-gpu-efa/eks.tf b/patterns/nvidia-gpu-efa/eks.tf index 9193ce6bb3..c4d968f35d 100644 --- a/patterns/nvidia-gpu-efa/eks.tf +++ b/patterns/nvidia-gpu-efa/eks.tf @@ -4,10 +4,10 @@ module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.9" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" # Give the Terraform identity admin access to the cluster # which will allow it to deploy resources into the cluster diff --git a/patterns/private-public-ingress/main.tf b/patterns/private-public-ingress/main.tf index c589d79a6a..5737a15486 100644 --- a/patterns/private-public-ingress/main.tf +++ b/patterns/private-public-ingress/main.tf 
@@ -37,10 +37,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster diff --git a/patterns/privatelink-access/eks.tf b/patterns/privatelink-access/eks.tf index 6d3e9f342f..93b08b8036 100644 --- a/patterns/privatelink-access/eks.tf +++ b/patterns/privatelink-access/eks.tf @@ -16,10 +16,10 @@ provider "kubernetes" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = false enable_cluster_creator_admin_permissions = true diff --git a/patterns/sso-iam-identity-center/main.tf b/patterns/sso-iam-identity-center/main.tf index 8b520c6b6f..c14b4eec7c 100644 --- a/patterns/sso-iam-identity-center/main.tf +++ b/patterns/sso-iam-identity-center/main.tf @@ -35,10 +35,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # EKS Addons diff --git a/patterns/sso-okta/main.tf b/patterns/sso-okta/main.tf index ad1cc6ae33..73f59d8e68 100644 --- a/patterns/sso-okta/main.tf +++ b/patterns/sso-okta/main.tf @@ -23,10 +23,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # EKS Addons diff --git a/patterns/stateful/main.tf b/patterns/stateful/main.tf index 00acd79924..00e21cb79b 100644 --- a/patterns/stateful/main.tf +++ b/patterns/stateful/main.tf 
@@ -55,10 +55,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster 
@@ -112,42 +112,47 @@ module "eks" { # is dedicated to just containerd. You can read more about the practice and why # here https://aws.github.io/aws-eks-best-practices/scalability/docs/data-plane/#use-multiple-ebs-volumes-for-containers # and https://github.com/containerd/containerd/blob/main/docs/ops.md#base-configuration - pre_bootstrap_user_data = <<-EOT - # Wait for second volume to attach before trying to mount paths - TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") - EC2_INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/instance-id) - DATA_STATE="unknown" - until [ "$${DATA_STATE}" == "attached" ]; do - DATA_STATE=$(aws ec2 describe-volumes \ - --region ${local.region} \ - --filters \ - Name=attachment.instance-id,Values=$${EC2_INSTANCE_ID} \ - Name=attachment.device,Values=${local.second_volume_name} \ - --query Volumes[].Attachments[].State \ - --output text) - sleep 5 - done - - # Get the volume ID - VOLUME_ID=$(aws ec2 describe-volumes \ - --region ${local.region} \ - --filters \ - Name=attachment.instance-id,Values=$${EC2_INSTANCE_ID} \ - Name=attachment.device,Values=${local.second_volume_name} \ - --query Volumes[].Attachments[].VolumeId \ - --output text | sed 's/-//') - - # Mount the containerd directories to the 2nd volume - SECOND_VOL=$(lsblk -o NAME,SERIAL -d |awk -v id="$${VOLUME_ID}" '$2 ~ id {print $1}') - systemctl stop containerd - mkfs -t ext4 /dev/$${SECOND_VOL} - rm -rf /var/lib/containerd/* - rm -rf /run/containerd/* - - mount /dev/$${SECOND_VOL} /var/lib/containerd/ - mount /dev/$${SECOND_VOL} /run/containerd/ - systemctl start containerd - EOT + cloudinit_pre_nodeadm = [ + { + content_type = "text/x-shellscript" + content = <<-EOT + # Wait for second volume to attach before trying to mount paths + TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") + 
EC2_INSTANCE_ID=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/instance-id) + DATA_STATE="unknown" + until [ "$${DATA_STATE}" == "attached" ]; do + DATA_STATE=$(aws ec2 describe-volumes \ + --region ${local.region} \ + --filters \ + Name=attachment.instance-id,Values=$${EC2_INSTANCE_ID} \ + Name=attachment.device,Values=${local.second_volume_name} \ + --query Volumes[].Attachments[].State \ + --output text) + sleep 5 + done + + # Get the volume ID + VOLUME_ID=$(aws ec2 describe-volumes \ + --region ${local.region} \ + --filters \ + Name=attachment.instance-id,Values=$${EC2_INSTANCE_ID} \ + Name=attachment.device,Values=${local.second_volume_name} \ + --query Volumes[].Attachments[].VolumeId \ + --output text | sed 's/-//') + + # Mount the containerd directories to the 2nd volume + SECOND_VOL=$(lsblk -o NAME,SERIAL -d |awk -v id="$${VOLUME_ID}" '$2 ~ id {print $1}') + systemctl stop containerd + mkfs -t ext4 /dev/$${SECOND_VOL} + rm -rf /var/lib/containerd/* + rm -rf /run/containerd/* + + mount /dev/$${SECOND_VOL} /var/lib/containerd/ + mount /dev/$${SECOND_VOL} /run/containerd/ + systemctl start containerd + EOT + } + ] } instance-store = { 
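Review bot: The shell part now carried in `cloudinit_pre_nodeadm` has no shebang and no `set -euo pipefail`; it used to be text spliced into the module's own bootstrap script, but as a standalone cloud-init `text/x-shellscript` part it is, as far as I can tell, executed directly and needs the interpreter line. Without `set -e` a failed IMDS token call or an empty `SECOND_VOL` from the `lsblk | awk` lookup does not stop the script: the `until` loop then polls forever on an empty instance id, and `mkfs -t ext4 /dev/` fails while the following `rm -rf /var/lib/containerd/*` still runs. The sketch below adds the shebang, fails fast on curl errors (`-sf`), bounds the attach wait, shortens the one-use IMDS token TTL, and refuses to format when no device matched the volume serial; the `-v` on the instance-id curl only adds noise to the cloud-init log and can go. The enclosing `module "eks"` block and the node group definition start before this hunk, so I could not check that the node IAM role still grants `ec2:DescribeVolumes`, which the wait loop depends on.
```hcl
      content = <<-EOT
        #!/usr/bin/env bash
        set -euo pipefail

        TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
        EC2_INSTANCE_ID=$(curl -sf -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id)
        [ -n "$${EC2_INSTANCE_ID}" ] || { echo "could not read instance id from IMDS" >&2; exit 1; }

        # Bounded wait (~5 min) for the second volume instead of looping forever
        ATTEMPTS=0
        DATA_STATE="unknown"
        until [ "$${DATA_STATE}" == "attached" ]; do
          ATTEMPTS=$((ATTEMPTS + 1))
          [ "$${ATTEMPTS}" -le 60 ] || { echo "timed out waiting for ${local.second_volume_name} to attach" >&2; exit 1; }
          # … unchanged: aws ec2 describe-volumes attachment state query …
          sleep 5
        done

        # … unchanged: VOLUME_ID lookup …

        SECOND_VOL=$(lsblk -o NAME,SERIAL -d | awk -v id="$${VOLUME_ID}" '$2 ~ id {print $1}')
        [ -n "$${SECOND_VOL}" ] || { echo "no block device with serial $${VOLUME_ID} found" >&2; exit 1; }
        # … unchanged: stop containerd, mkfs, clear dirs, mount, start containerd …
      EOT
```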
@@ -172,20 +177,20 @@ module "eks" { } } - # NVMe instance store volumes are automatically enumerated and assigned a device - pre_bootstrap_user_data = <<-EOT - cat <<-EOF > /etc/profile.d/bootstrap.sh - #!/bin/sh - - # Configure NVMe volumes in RAID0 configuration - # https://github.com/awslabs/amazon-eks-ami/blob/056e31f8c7477e893424abce468cb32bbcd1f079/files/bootstrap.sh#L35C121-L35C126 - # Mount will be: /mnt/k8s-disks - export LOCAL_DISKS='raid0' - EOF - - # Source extra environment variables in bootstrap script - sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh - EOT + cloudinit_pre_nodeadm = [ + { + content_type = "application/node.eks.aws" + content = <<-EOT + --- + apiVersion: node.eks.aws/v1alpha1 + kind: NodeConfig + spec: + instance: + localStorage: + strategy: RAID0 + EOT + } + ] } } diff --git a/patterns/targeted-odcr/eks.tf b/patterns/targeted-odcr/eks.tf index 09c3345ccd..f8836f0598 100644 --- a/patterns/targeted-odcr/eks.tf +++ b/patterns/targeted-odcr/eks.tf @@ -13,10 +13,10 @@ variable "capacity_reservation_arns" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.9" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" # Give the Terraform identity admin access to the cluster # which will allow it to deploy resources into the cluster diff --git a/patterns/tls-with-aws-pca-issuer/main.tf b/patterns/tls-with-aws-pca-issuer/main.tf index 5aee9f05e7..84917eaad1 100644 --- a/patterns/tls-with-aws-pca-issuer/main.tf +++ b/patterns/tls-with-aws-pca-issuer/main.tf @@ -52,10 +52,10 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster 
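Review bot: The new `NodeConfig` part drops the comment that explained what the RAID0 setup does and where the array is mounted, leaving `strategy: RAID0` unexplained for the next reader; I would keep a one-line comment above `cloudinit_pre_nodeadm` such as `# nodeadm assembles the NVMe instance-store volumes into a RAID0 array (spec.instance.localStorage); see the nodeadm docs for the resulting mount path` rather than restate a path I cannot verify from here. It is also worth confirming that this node group's `ami_type` (set outside the hunk) is an AL2023 variant: as I understand the module, `cloudinit_pre_nodeadm` is only rendered for nodeadm-based AMIs, so on an AL2 AMI this part — and the shell part in the node group above — would be dropped silently rather than fail. The enclosing `module "eks"` block starts before this hunk.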
diff --git a/patterns/vpc-lattice/client-server-communication/eks.tf b/patterns/vpc-lattice/client-server-communication/eks.tf index b69631d8d4..5742e972ff 100644 --- a/patterns/vpc-lattice/client-server-communication/eks.tf +++ b/patterns/vpc-lattice/client-server-communication/eks.tf @@ -4,10 +4,10 @@ module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster diff --git a/patterns/wireguard-with-cilium/eks.tf b/patterns/wireguard-with-cilium/eks.tf index 5304a713eb..5fe7b22d0b 100644 --- a/patterns/wireguard-with-cilium/eks.tf +++ b/patterns/wireguard-with-cilium/eks.tf @@ -4,10 +4,10 @@ module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 20.8" + version = "~> 20.11" cluster_name = local.name - cluster_version = "1.29" + cluster_version = "1.30" cluster_endpoint_public_access = true # Give the Terraform identity admin access to the cluster