Support bottlerocket bootstrapping for node groups

modules/node_groups/launch_template.tf

@@ -1,5 +1,5 @@
 data "cloudinit_config" "workers_userdata" {
-  for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] }
+  for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] && length(split("BOTTLEROCKET", v["ami_type"])) == 0 }
 
   gzip          = false
   base64_encode = true
@@ -24,6 +24,20 @@ data "cloudinit_config" "workers_userdata" {
   }
 }
 
+data "template_file" "bottlerocket_workers_userdata" {
+  for_each = { for k, v in local.node_groups_expanded : k => v if v["create_launch_template"] && length(split("BOTTLEROCKET", v["ami_type"])) > 1 }
+
+  template = file("${path.module}/templates/userdata.toml.tpl")
+  vars = {
+    cluster_name             = var.cluster_name
+    endpoint                 = var.cluster_endpoint
+    cluster_auth_base64      = var.cluster_auth_base64
+    enable_admin_container   = lookup(each.value, "enable_admin_container", false)
+    enable_control_container = lookup(each.value, "enable_control_container", true)
+    additional_userdata      = lookup(each.value, "additional_userdata", "")
+  }
+}
+
 # This is based on the LT that EKS would create if no custom one is specified (aws ec2 describe-launch-template-versions --launch-template-id xxx)
 # there are several more options one could set but you probably dont need to modify them
 # you can take the default and add your custom AMI and/or custom tags
@@ -38,7 +52,7 @@ resource "aws_launch_template" "workers" {
   update_default_version = lookup(each.value, "update_default_version", true)
 
   block_device_mappings {
-    device_name = "/dev/xvda"
+    device_name = length(split("BOTTLEROCKET", each.value["ami_type"])) > 1 ? "/dev/xvdb" : "/dev/xvda"
 
     ebs {
       volume_size           = lookup(each.value, "disk_size", null)
@@ -81,7 +95,7 @@ resource "aws_launch_template" "workers" {
   #
   # (optionally you can use https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/cloudinit_config to render the script, example: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/997#issuecomment-705286151)
 
-  user_data = data.cloudinit_config.workers_userdata[each.key].rendered
+  user_data = length(split("BOTTLEROCKET", each.value["ami_type"])) > 1 ? base64encode(data.template_file.bottlerocket_workers_userdata[each.key].rendered) : data.cloudinit_config.workers_userdata[each.key].rendered
 
   key_name = lookup(each.value, "key_name", null)
 

modules/node_groups/templates/userdata.toml.tpl

@@ -0,0 +1,24 @@
+# https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#description-of-settings
+[settings.kubernetes]
+api-server = "${endpoint}"
+cluster-certificate = "${cluster_auth_base64}"
+cluster-name = "${cluster_name}"
+${additional_userdata}
+
+# Hardening based on https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_GUIDANCE.md
+
+# Enable kernel lockdown in "integrity" mode.
+# This prevents modifications to the running kernel, even by privileged users.
+[settings.kernel]
+lockdown = "integrity"
+
+# The admin host container provides SSH access and runs with "superpowers".
+# It is disabled by default, but can be disabled explicitly.
+[settings.host-containers.admin]
+enabled = ${enable_admin_container}
+
+# The control host container provides out-of-band access via SSM.
+# It is enabled by default, and can be disabled if you do not expect to use SSM.
+# This could leave you with no way to access the API and change settings on an existing node!
+[settings.host-containers.control]
+enabled = ${enable_control_container}