diff --git a/modules/node_groups/launch_template.tf b/modules/node_groups/launch_template.tf
index 6abe358d5a..742b8d9178 100644
--- a/modules/node_groups/launch_template.tf
+++ b/modules/node_groups/launch_template.tf
@@ -1,5 +1,5 @@
 data "cloudinit_config" "workers_userdata" {
- for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] }
+ for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] && length(split("BOTTLEROCKET", v["ami_type"])) == 0 }
 gzip = false
 base64_encode = true
@@ -38,7 +38,7 @@ resource "aws_launch_template" "workers" {
 update_default_version = lookup(each.value, "update_default_version", true)
 block_device_mappings {
- device_name = "/dev/xvda"
+ device_name = length(split("BOTTLEROCKET", each.value["ami_type"])) > 1 ? "/dev/xvdb" : "/dev/xvda"
 ebs {
 volume_size = lookup(each.value, "disk_size", null)
@@ -81,7 +81,7 @@ resource "aws_launch_template" "workers" {
 #
 # (optionally you can use https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/cloudinit_config to render the script, example: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/997#issuecomment-705286151)
- user_data = data.cloudinit_config.workers_userdata[each.key].rendered
+ user_data = length(split("BOTTLEROCKET", each.value["ami_type"])) > 1 ? base64encode(local.bottlerocket_workers_userdata[each.key]) : data.cloudinit_config.workers_userdata[each.key].rendered
 key_name = lookup(each.value, "key_name", null)
diff --git a/modules/node_groups/locals.tf b/modules/node_groups/locals.tf
index 0a6c7cbffb..b88561318d 100644
--- a/modules/node_groups/locals.tf
+++ b/modules/node_groups/locals.tf
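Review bot: The `== 0` comparison in the new `for_each` filter of `data "cloudinit_config" "workers_userdata"` can never be true, because Terraform's `split` returns a one-element list when the separator is absent, so `length(split("BOTTLEROCKET", v["ami_type"]))` is at least 1 for every node group and the data source is created for none of them. The `user_data` line in the last hunk of this file then indexes `data.cloudinit_config.workers_userdata[each.key]` for every non-Bottlerocket group and fails on the missing key. The filter should mirror the `> 1` test used elsewhere in this commit by selecting the single-element case: `for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] && length(split("BOTTLEROCKET", v["ami_type"])) == 1 }`. The data block continues past the end of the hunk.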
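Review bot: The Bottlerocket test `length(split("BOTTLEROCKET", each.value["ami_type"])) > 1` is spelled out at `device_name` here, again at `user_data` in the next hunk, and a third time in locals.tf, and the `for_each` filter at the top of this file already uses a different comparison, which is exactly the drift a single definition would prevent. Computing the flag once per group, for example `bottlerocket = length(split("BOTTLEROCKET", v["ami_type"])) > 1` next to the other per-group values in `local.node_groups_expanded` (defined outside this diff) and reading `each.value["bottlerocket"]` at the three sites, would keep them consistent. The `/dev/xvdb` choice also deserves a line, since Bottlerocket images keep the OS on `/dev/xvda` and expose a separate data volume on `/dev/xvdb`: `# Bottlerocket keeps the OS on /dev/xvda; disk_size applies to its data volume on /dev/xvdb`. The aws_launch_template resource starts and ends outside the hunk.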
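Review bot: The new Bottlerocket branch of `user_data` is undocumented, while the comment block directly above it (its start is cut off at the top of the hunk) still describes only the cloud-init path and links a cloud-init example. A line such as `# Bottlerocket AMIs take a TOML settings document (templates/userdata.toml.tpl) instead of a cloud-init script; it is rendered from local.bottlerocket_workers_userdata and base64-encoded here to match the base64_encode = true output of the cloudinit_config data source` would tell the next reader why the two branches differ and where each encoding happens. The resource continues outside the hunk.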
@@ -48,4 +48,15 @@ locals {
 join("-", [var.cluster_name, k]) ) ) }
+
+ bottlerocket_workers_userdata = {
+ for k, v in local.node_groups_expanded : k => templatefile(format("%s/templates/userdata.toml.tpl", path.module), {
+ cluster_name = var.cluster_name
+ endpoint = var.cluster_endpoint
+ cluster_auth_base64 = var.cluster_auth_base64
+ enable_admin_container = lookup(v, "enable_admin_container", false)
+ enable_control_container = lookup(v, "enable_control_container", true)
+ additional_userdata = lookup(v, "additional_userdata", "")
+ }) if v["create_launch_template"] && length(split("BOTTLEROCKET", v["ami_type"])) > 1
+ }
 }
diff --git a/modules/node_groups/templates/userdata.toml.tpl b/modules/node_groups/templates/userdata.toml.tpl
new file mode 100644
index 0000000000..85019675a6
--- /dev/null
+++ b/modules/node_groups/templates/userdata.toml.tpl
@@ -0,0 +1,24 @@
+# https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#description-of-settings
+[settings.kubernetes]
+api-server = "${endpoint}"
+cluster-certificate = "${cluster_auth_base64}"
+cluster-name = "${cluster_name}"
+${additional_userdata}
+
+# Hardening based on https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_GUIDANCE.md
+
+# Enable kernel lockdown in "integrity" mode.
+# This prevents modifications to the running kernel, even by privileged users.
+[settings.kernel]
+lockdown = "integrity"
+
+# The admin host container provides SSH access and runs with "superpowers".
+# It is disabled by default, but can be disabled explicitly.
+[settings.host-containers.admin]
+enabled = ${enable_admin_container}
+
+# The control host container provides out-of-band access via SSM.
+# It is enabled by default, and can be disabled if you do not expect to use SSM.
+# This could leave you with no way to access the API and change settings on an existing node!
+[settings.host-containers.control]
+enabled = ${enable_control_container}
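Review bot: `enable_admin_container`, `enable_control_container` and `additional_userdata` are new per-node-group keys read with `lookup` in `bottlerocket_workers_userdata`, but nothing in this diff describes them; if the module keeps a table of node-group options (not shown here), the three keys and their defaults (`false`, `true`, `""`) belong in it, and the local itself would benefit from `# Rendered Bottlerocket settings TOML, one entry per node group with a BOTTLEROCKET ami_type and a module-managed launch template`. The local also reads `var.cluster_endpoint` and `var.cluster_auth_base64`, which this diff does not declare, so they are presumably existing module inputs; worth confirming before merge. `additional_userdata` is passed into the template without escaping, so callers should understand it as a raw TOML fragment rather than a value, and the comment should say so. The locals block begins outside the hunk.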
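Review bot: `${additional_userdata}` is inserted verbatim inside `[settings.kubernetes]`, ahead of the `[settings.kernel]`, `[settings.host-containers.admin]` and `[settings.host-containers.control]` tables the template declares itself, so any fragment that opens one of those tables produces a document that TOML rejects for defining a table twice, and the failure only surfaces on the booting node rather than at plan time. A comment at that line would make the contract explicit: `# additional_userdata is a raw TOML fragment; it must not re-declare [settings.kernel] or [settings.host-containers.*], which are set below`. Separately, the admin-container comment reads `# It is disabled by default, but can be disabled explicitly.` and should say `enabled explicitly`, which matches the `enable_admin_container` value (default `false` in locals.tf) that follows it.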