Launch Template

[prasadshivan]

Hi Team,
I am testing the terraform code and I see that there are two launch template being created and the autoscaling group is using the default template which is not encrypting the EBS.

[Zvikan]

Hey @prasadshivan , thank you for raising this issue.
By default, EKS managed node groups are creating its own launch template which does NOT enforce encryption of the root volumes (which you can enable default KMS encryption behavior for EBS following this docs).
It is possible with EKS managed node group to use self-managed launch template (see this).
The SSP TF solution does provide an option to pass that self-managed launch template (that it also creates for you) by adding: create_launch_template = true in your managed node group map, our default launch template sets encryption to enabled

Example:

  managed_node_groups = {
    mg_4 = {
      node_group_name = "managed-ondemand"
      instance_types  = ["m5.large"]
      subnet_ids      = local.private_subnet_ids
      create_launch_template = true
    }
  }

This will pass the id of the self-managed launch template that's being created (see this) to the managed node group configuration.
Hopefully this helps address your question, we also have a README with example, comments and terraform-docs that can show the customizations of the launch template and node group if you need.

[prasadshivan]

Thank you for the explanation @Zvikan , I will go through the documentation again.