docs: Add Bottlerocket example (terraform-aws-modules#1296)

Signed-off-by: Andrey Devyatkin <[email protected]>

examples/bottlerocket/README.md

@@ -0,0 +1,7 @@
+# AWS Bottlerocket based nodes
+
+This is a minimalistic example that shows how to use functionality of this module to deploy
+nodes based on [AWS Bottlerocket container OS](https://github.com/bottlerocket-os/bottlerocket)
+
+Example is minimalistic by purpose - it shows what knobs to turn to make Bottlerocket work.
+Do not use default VPC for your workloads deployment.

examples/bottlerocket/data.tf

@@ -0,0 +1,22 @@
+data "aws_ami" "bottlerocket_ami" {
+  most_recent = true
+  owners      = ["amazon"]
+  filter {
+    name   = "name"
+    values = ["bottlerocket-aws-k8s-${var.k8s_version}-x86_64-*"]
+  }
+}
+
+data "aws_region" "current" {}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnet_ids" "default" {
+  vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_iam_policy" "ssm" {
+  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}

examples/bottlerocket/main.tf

@@ -0,0 +1,64 @@
+terraform {
+  required_version = ">= 0.13.0"
+}
+
+resource "tls_private_key" "nodes" {
+  algorithm = "RSA"
+}
+
+resource "aws_key_pair" "nodes" {
+  key_name   = "bottlerocket-nodes"
+  public_key = tls_private_key.nodes.public_key_openssh
+}
+
+module "eks" {
+  source          = "../.."
+  cluster_name    = "bottlerocket"
+  cluster_version = var.k8s_version
+  subnets         = data.aws_subnet_ids.default.ids
+
+  vpc_id = data.aws_vpc.default.id
+
+  write_kubeconfig = false
+  manage_aws_auth  = false
+
+  worker_groups_launch_template = [
+    {
+      name = "bottlerocket-nodes"
+      # passing bottlerocket ami id
+      ami_id               = data.aws_ami.bottlerocket_ami.id
+      instance_type        = "t3a.small"
+      asg_desired_capacity = 2
+      key_name             = aws_key_pair.nodes.key_name
+
+      # Since we are using default VPC there is no NAT gateway so we need to
+      # attach public ip to nodes so they can reach k8s API server
+      # do not repeat this at home (i.e. production)
+      public_ip = true
+
+      # This section overrides default userdata template to pass bottlerocket
+      # specific user data
+      userdata_template_file = "${path.module}/userdata.toml"
+      # we are using this section to pass additional arguments for
+      # userdata template rendering
+      userdata_template_extra_args = {
+        enable_admin_container   = var.enable_admin_container
+        enable_control_container = var.enable_control_container
+        aws_region               = data.aws_region.current.name
+      }
+      # example of k8s/kubelet configuration via additional_userdata
+      additional_userdata = <<EOT
+[settings.kubernetes.node-labels]
+ingress = "allowed"
+EOT
+    }
+  ]
+}
+
+# SSM policy for bottlerocket control container access
+# https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-EKS.md#enabling-ssm
+resource "aws_iam_policy_attachment" "ssm" {
+  name       = "ssm"
+  roles      = [module.eks.worker_iam_role_name]
+  policy_arn = data.aws_iam_policy.ssm.arn
+}

examples/bottlerocket/userdata.toml

@@ -0,0 +1,24 @@
+# https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#description-of-settings
+[settings.kubernetes]
+api-server = "${endpoint}"
+cluster-certificate = "${cluster_auth_base64}"
+cluster-name = "${cluster_name}"
+${additional_userdata}
+
+# Hardening based on https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_GUIDANCE.md
+
+# Enable kernel lockdown in "integrity" mode.
+# This prevents modifications to the running kernel, even by privileged users.
+[settings.kernel]
+lockdown = "integrity"
+
+# The admin host container provides SSH access and runs with "superpowers".
+# It is disabled by default, but can be disabled explicitly.
+[settings.host-containers.admin]
+enabled = ${enable_admin_container}
+
+# The control host container provides out-of-band access via SSM.
+# It is enabled by default, and can be disabled if you do not expect to use SSM.
+# This could leave you with no way to access the API and change settings on an existing node!
+[settings.host-containers.control]
+enabled = ${enable_control_container}

examples/bottlerocket/variables.tf

@@ -0,0 +1,17 @@
+variable "k8s_version" {
+  description = "k8s cluster version"
+  default     = "1.20"
+  type        = string
+}
+
+variable "enable_admin_container" {
+  description = "Enable/disable admin container"
+  default     = false
+  type        = bool
+}
+
+variable "enable_control_container" {
+  description = "Enable/disable control container"
+  default     = true
+  type        = bool
+}