Access Entry for Windows managed node groups #2994

Closed
1 task done
rwe-dtroup opened this issue Mar 28, 2024 · 5 comments
@rwe-dtroup

Description

When creating a Windows node group using the eks-managed-node-group sub module when Access Management control is set to API or API_AND_CONFIG_MAP, the access entry is created as EC2_LINUX.

This is true when using a custom launch template and ami_id.

AWS have confirmed this is the case and the entry for the managed node groups access entry would need to be configured manually/by code and not allow EKS to create this entry automatically.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: 20.8.4

  • Terraform version: 1.7.5

  • Provider version(s):

provider registry.terraform.io/hashicorp/aws v5.42.0
provider registry.terraform.io/hashicorp/cloudinit v2.3.3
provider registry.terraform.io/hashicorp/kubernetes v2.20.0
provider registry.terraform.io/hashicorp/null v3.2.2
provider registry.terraform.io/hashicorp/template v2.2.0
provider registry.terraform.io/hashicorp/time v0.9.2
provider registry.terraform.io/hashicorp/tls v4.0.5

Reproduction Code [Required]

module "eks" {
  source = "../.."
  # ....

  eks_managed_node_groups = {
    windows_2022 = {
      name           = "windows-2022"
      platform       = "windows"
      ami_id         = "ami-12345678910111213"
      instance_types = ["m6i.large"]
      scaling_config = {
        min_size     = 1
        max_size     = 1
        desired_size = 1
      }
      taints = {
        windows-taint = {
          key    = "windows-node"
          value  = "true"
          effect = "NO_SCHEDULE"
        }
      }
      block_device_mappings = {
        sda1 = {
          device_name = "/dev/sda1",
          ebs         = { volume_size = 100 }
        }
      }
    }
  }
  # ....
}

Steps to reproduce the behavior:

Terraform apply with the above Windows eks managed node group

Expected behavior

An IAM access entry with type EC2_WINDOWS

Actual behavior

An IAM access entry with type EC2_LINUX

Terminal Output Screenshot(s)

image

Additional context

This is a known issue when using custom templates, as confirmed by AWS support.
Adding an access entry object as part of the base module may fix this issue
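
The manual workaround described above, declaring the access entry in code with the Windows type, could look like the following. This is an added example, not code from the issue or from the module; the variable names `cluster_name` and `windows_node_role_arn` are assumptions, and it presumes the node group's IAM role is known outside the module.

```hcl
# Added example: variable names are assumptions, not inputs of the EKS module.
variable "cluster_name" {
  type        = string
  description = "Name of the existing EKS cluster"
}

variable "windows_node_role_arn" {
  type        = string
  description = "ARN of the IAM role used by the Windows managed node group"
}

# Explicit access entry for the Windows node role.
# Per the AWS provider documentation, the EC2_LINUX, EC2_WINDOWS and
# FARGATE_LINUX types do not accept a user name, Kubernetes groups or
# policy associations, so none are set here.
resource "aws_eks_access_entry" "windows_nodes" {
  cluster_name  = var.cluster_name
  principal_arn = var.windows_node_role_arn
  type          = "EC2_WINDOWS"
}

# Continuous check (Terraform >= 1.5): every plan/apply warns if the entry
# that actually exists for the role is not of type EC2_WINDOWS.
check "windows_node_access_entry_type" {
  data "aws_eks_access_entry" "actual" {
    cluster_name  = var.cluster_name
    principal_arn = var.windows_node_role_arn

    depends_on = [aws_eks_access_entry.windows_nodes]
  }

  assert {
    condition     = data.aws_eks_access_entry.actual.type == "EC2_WINDOWS"
    error_message = "Access entry for the Windows node role is not EC2_WINDOWS."
  }
}
```

An access entry's type cannot be changed after creation and a cluster holds one entry per principal, so an existing EC2_LINUX entry for the same role has to be deleted before this resource can be created.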

@bryantbiggs
Member

I think your configuration is incorrect. I can see at least two errors in what you have provided:

  1. You are specifying an ami_id which means MNG will not automatically inject the bootstrap user data - you would need to enable this with enable_bootstrap_user_data = true. However, I would recommend not specifying the AMI ID unless you absolutely need a custom AMI
  2. You have not provided the AMI type - this is related to 1. By not specifying the AMI type, MNG does not know what type of nodegroup you are creating and I suspect it's defaulting to thinking it's Linux based. See below for an example that I believe should work:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.8"

  # Add in other required arguments and values ...

  eks_managed_node_groups = {
    windows_2022 = {
      platform = "windows"
      ami_type = "WINDOWS_CORE_2022_x86_64"

      instance_types = ["m6i.large"]

      scaling_config = {
        min_size     = 1
        max_size     = 1
        desired_size = 1
      }

      taints = {
        windows-taint = {
          key    = "windows-node"
          value  = "true"
          effect = "NO_SCHEDULE"
        }
      }

      block_device_mappings = {
        sda1 = {
          device_name = "/dev/sda1",
          ebs         = { volume_size = 100 }
        }
      }
    }
  }
}

@rwe-dtroup
Author

We have to set a specific AMI as only approved AMIs can run in our environment.

@bryantbiggs
Member

OK, if that's the case you would still need to set enable_bootstrap_user_data = true since MNG will not supply that. I will check on the access entry portion, thank you!


This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Apr 28, 2024

github-actions bot commented May 9, 2024

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 9, 2024