Add force_update_version and replace_node_group_on_version_update variables (#151)

aknysh · Nuru · web-flow · commit 6ccf1a9e3010 · 2023-09-26T18:01:54.000-04:00
* Add `force_update_version` and `include_kubernetes_version_in_keepers` variables

* Add `force_update_version` and `include_kubernetes_version_in_keepers` variables

* Add `force_update_version` and `include_kubernetes_version_in_keepers` variables

* Add `force_update_version` and `include_kubernetes_version_in_keepers` variables

* Add `force_update_version` and `replace_node_group_on_version_update` variables

* Update variables.tf

Co-authored-by: Nuru &lt;Nuru@users.noreply.github.com&gt;

* Update variables.tf

Co-authored-by: Nuru &lt;Nuru@users.noreply.github.com&gt;

* Add `force_update_version` and `replace_node_group_on_version_update` variables

---------

Co-authored-by: Nuru &lt;Nuru@users.noreply.github.com&gt;
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -1,13 +1,14 @@
 {
   "extends": [
     "config:base",
-    ":preserveSemverRanges"
+    ":preserveSemverRanges",
+    ":rebaseStalePrs"
   ],
-  "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
+  "baseBranches": ["main"],
   "labels": ["auto-update"],
   "dependencyDashboardAutoclose": true,
   "enabledManagers": ["terraform"],
   "terraform": {
-    "ignorePaths": ["**/context.tf", "examples/**"]
+    "ignorePaths": ["**/context.tf"]
   }
 }
diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2019-2022 Cloud Posse, LLC
+   Copyright 2019-2023 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
@@ -351,6 +351,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_enclave_enabled"></a> [enclave\_enabled](#input\_enclave\_enabled) | Set to `true` to enable Nitro Enclaves on the instance. | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_force_update_version"></a> [force\_update\_version](#input\_force\_update\_version) | When updating the Kubernetes version, force Pods to be removed even if PodDisruptionBudget or taint/toleration issues would otherwise prevent them from being removed (and cause the update to fail) | `bool` | `false` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_instance_types"></a> [instance\_types](#input\_instance\_types) | Instance types to use for this node group (up to 20). Defaults to ["t3.medium"].<br>Must be empty if the launch template configured by `launch_template_id` specifies an instance type. | `list(string)` | <pre>[<br>  "t3.medium"<br>]</pre> | no |
 | <a name="input_kubelet_additional_options"></a> [kubelet\_additional\_options](#input\_kubelet\_additional\_options) | Additional flags to pass to kubelet.<br>DO NOT include `--node-labels` or `--node-taints`,<br>use `kubernetes_labels` and `kubernetes_taints` to specify those." | `list(string)` | `[]` | no |
@@ -378,6 +379,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html
 | <a name="input_node_role_policy_arns"></a> [node\_role\_policy\_arns](#input\_node\_role\_policy\_arns) | List of policy ARNs to attach to the worker role this module creates in addition to the default ones | `list(string)` | `[]` | no |
 | <a name="input_placement"></a> [placement](#input\_placement) | Configuration for the [`placement` Configuration Block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#placement) of the launch template.<br>Leave list empty for defaults. Pass list with single object with attributes matching the `placement` block to configure it.<br>Note that this configures the launch template only. Some elements will be ignored by the Auto Scaling Group<br>that actually launches instances. Consult AWS documentation for details. | `list(any)` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
+| <a name="input_replace_node_group_on_version_update"></a> [replace\_node\_group\_on\_version\_update](#input\_replace\_node\_group\_on\_version\_update) | Force Node Group replacement when updating to a new Kubernetes version. If set to `false` (the default), the Node Groups will be updated in-place | `bool` | `false` | no |
 | <a name="input_resources_to_tag"></a> [resources\_to\_tag](#input\_resources\_to\_tag) | List of auto-launched resource types to tag. Valid types are "instance", "volume", "elastic-gpu", "spot-instances-request", "network-interface". | `list(string)` | <pre>[<br>  "instance",<br>  "volume",<br>  "network-interface"<br>]</pre> | no |
 | <a name="input_ssh_access_security_group_ids"></a> [ssh\_access\_security\_group\_ids](#input\_ssh\_access\_security\_group\_ids) | Set of EC2 Security Group IDs to allow SSH access (port 22) to the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0) | `list(string)` | `[]` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -74,6 +74,7 @@
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_enclave_enabled"></a> [enclave\_enabled](#input\_enclave\_enabled) | Set to `true` to enable Nitro Enclaves on the instance. | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_force_update_version"></a> [force\_update\_version](#input\_force\_update\_version) | When updating the Kubernetes version, force Pods to be removed even if PodDisruptionBudget or taint/toleration issues would otherwise prevent them from being removed (and cause the update to fail) | `bool` | `false` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_instance_types"></a> [instance\_types](#input\_instance\_types) | Instance types to use for this node group (up to 20). Defaults to ["t3.medium"].<br>Must be empty if the launch template configured by `launch_template_id` specifies an instance type. | `list(string)` | <pre>[<br>  "t3.medium"<br>]</pre> | no |
 | <a name="input_kubelet_additional_options"></a> [kubelet\_additional\_options](#input\_kubelet\_additional\_options) | Additional flags to pass to kubelet.<br>DO NOT include `--node-labels` or `--node-taints`,<br>use `kubernetes_labels` and `kubernetes_taints` to specify those." | `list(string)` | `[]` | no |
@@ -101,6 +102,7 @@
 | <a name="input_node_role_policy_arns"></a> [node\_role\_policy\_arns](#input\_node\_role\_policy\_arns) | List of policy ARNs to attach to the worker role this module creates in addition to the default ones | `list(string)` | `[]` | no |
 | <a name="input_placement"></a> [placement](#input\_placement) | Configuration for the [`placement` Configuration Block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#placement) of the launch template.<br>Leave list empty for defaults. Pass list with single object with attributes matching the `placement` block to configure it.<br>Note that this configures the launch template only. Some elements will be ignored by the Auto Scaling Group<br>that actually launches instances. Consult AWS documentation for details. | `list(any)` | `[]` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
+| <a name="input_replace_node_group_on_version_update"></a> [replace\_node\_group\_on\_version\_update](#input\_replace\_node\_group\_on\_version\_update) | Force Node Group replacement when updating to a new Kubernetes version. If set to `false` (the default), the Node Groups will be updated in-place | `bool` | `false` | no |
 | <a name="input_resources_to_tag"></a> [resources\_to\_tag](#input\_resources\_to\_tag) | List of auto-launched resource types to tag. Valid types are "instance", "volume", "elastic-gpu", "spot-instances-request", "network-interface". | `list(string)` | <pre>[<br>  "instance",<br>  "volume",<br>  "network-interface"<br>]</pre> | no |
 | <a name="input_ssh_access_security_group_ids"></a> [ssh\_access\_security\_group\_ids](#input\_ssh\_access\_security\_group\_ids) | Set of EC2 Security Group IDs to allow SSH access (port 22) to the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0) | `list(string)` | `[]` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -101,7 +101,7 @@ module "https_sg" {
 
 module "eks_cluster" {
   source                       = "cloudposse/eks-cluster/aws"
-  version                      = "2.4.0"
+  version                      = "2.9.0"
   region                       = var.region
   vpc_id                       = module.vpc.vpc_id
   subnet_ids                   = module.subnets.public_subnet_ids
@@ -122,7 +122,7 @@ module "eks_node_group" {
   source = "../../"
 
   subnet_ids         = module.this.enabled ? module.subnets.public_subnet_ids : ["filler_string_for_enabled_is_false"]
-  cluster_name       = module.eks_cluster.eks_cluster_id
+  cluster_name       = module.this.enabled ? module.eks_cluster.eks_cluster_id : "disabled"
   instance_types     = var.instance_types
   desired_size       = var.desired_size
   min_size           = var.min_size
@@ -141,7 +141,6 @@ module "eks_node_group" {
     delete_on_termination = true
   }]
 
-
   ec2_ssh_key_name              = var.ec2_ssh_key_name
   ssh_access_security_group_ids = [module.ssh_source_access.id]
   associated_security_group_ids = [module.ssh_source_access.id, module.https_sg.id]
@@ -155,17 +154,20 @@ module "eks_node_group" {
 
   before_cluster_joining_userdata = [var.before_cluster_joining_userdata]
 
-  context = module.this.context
-
   # Ensure ordering of resource creation to eliminate the race conditions when applying the Kubernetes Auth ConfigMap.
   # Do not create Node Group before the EKS cluster is created and the `aws-auth` Kubernetes ConfigMap is applied.
   depends_on = [module.eks_cluster, module.eks_cluster.kubernetes_config_map_id]
 
   create_before_destroy = true
 
+  force_update_version                 = var.force_update_version
+  replace_node_group_on_version_update = var.replace_node_group_on_version_update
+
   node_group_terraform_timeouts = [{
     create = "40m"
     update = null
     delete = "20m"
   }]
+
+  context = module.this.context
 }
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -151,3 +151,15 @@ variable "after_cluster_joining_userdata" {
     error_message = "You may not specify more than one `after_cluster_joining_userdata`."
   }
 }
+
+variable "force_update_version" {
+  type        = bool
+  default     = false
+  description = "When updating the Kubernetes version, force Pods to be removed even if PodDisruptionBudget or taint/toleration issues would otherwise prevent them from being removed (and cause the update to fail)"
+}
+
+variable "replace_node_group_on_version_update" {
+  type        = bool
+  default     = false
+  description = "Force Node Group replacement when updating to a new Kubernetes version. If set to `false` (the default), the Node Groups will be updated in-place"
+}
diff --git a/main.tf b/main.tf
@@ -97,6 +97,8 @@ locals {
       max_size     = var.max_size
       min_size     = var.min_size
     }
+
+    force_update_version = var.force_update_version
   }
 }
 
@@ -106,15 +108,21 @@ resource "random_pet" "cbd" {
   separator = module.label.delimiter
   length    = 1
 
-  keepers = {
-    node_role_arn  = local.ng.node_role_arn
-    subnet_ids     = join(",", local.ng.subnet_ids)
-    instance_types = join(",", local.ng.instance_types)
-    ami_type       = local.ng.ami_type
-    capacity_type  = local.ng.capacity_type
-
-    launch_template_id = local.launch_template_id
-  }
+  keepers = merge(
+    {
+      node_role_arn      = local.ng.node_role_arn
+      subnet_ids         = join(",", local.ng.subnet_ids)
+      instance_types     = join(",", local.ng.instance_types)
+      ami_type           = local.ng.ami_type
+      capacity_type      = local.ng.capacity_type
+      launch_template_id = local.launch_template_id
+    },
+    # If `var.replace_node_group_on_version_update` is set to `true`, the Node Groups will be replaced instead of updated in-place
+    var.replace_node_group_on_version_update && local.ng.version != null ?
+    {
+      version = local.ng.version
+    } : {}
+  )
 }
 
 # Because create_before_destroy is such a dramatic change, we want to make it optional.
@@ -134,14 +142,15 @@ resource "aws_eks_node_group" "default" {
   }
 
   # From here to end of resource should be identical in both node groups
-  cluster_name    = local.ng.cluster_name
-  node_role_arn   = local.ng.node_role_arn
-  subnet_ids      = local.ng.subnet_ids
-  instance_types  = local.ng.instance_types
-  ami_type        = local.ng.ami_type
-  labels          = local.ng.labels
-  release_version = local.ng.release_version
-  version         = local.ng.version
+  cluster_name         = local.ng.cluster_name
+  node_role_arn        = local.ng.node_role_arn
+  subnet_ids           = local.ng.subnet_ids
+  instance_types       = local.ng.instance_types
+  ami_type             = local.ng.ami_type
+  labels               = local.ng.labels
+  release_version      = local.ng.release_version
+  version              = local.ng.version
+  force_update_version = local.ng.force_update_version
 
   capacity_type = local.ng.capacity_type
 
@@ -213,14 +222,15 @@ resource "aws_eks_node_group" "cbd" {
   }
 
   # From here to end of resource should be identical in both node groups
-  cluster_name    = local.ng.cluster_name
-  node_role_arn   = local.ng.node_role_arn
-  subnet_ids      = local.ng.subnet_ids
-  instance_types  = local.ng.instance_types
-  ami_type        = local.ng.ami_type
-  labels          = local.ng.labels
-  release_version = local.ng.release_version
-  version         = local.ng.version
+  cluster_name         = local.ng.cluster_name
+  node_role_arn        = local.ng.node_role_arn
+  subnet_ids           = local.ng.subnet_ids
+  instance_types       = local.ng.instance_types
+  ami_type             = local.ng.ami_type
+  labels               = local.ng.labels
+  release_version      = local.ng.release_version
+  version              = local.ng.version
+  force_update_version = local.ng.force_update_version
 
   capacity_type = local.ng.capacity_type
 
diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go
@@ -4,14 +4,15 @@ import (
 	"encoding/base64"
 	"fmt"
 	"os"
+	"regexp"
 	"strings"
 	"sync/atomic"
 	"testing"
 	"time"
 
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/gruntwork-io/terratest/modules/terraform"
-	test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
+	testStructure "github.com/gruntwork-io/terratest/modules/test-structure"
 	"github.com/stretchr/testify/assert"
 
 	corev1 "k8s.io/api/core/v1"
@@ -59,7 +60,7 @@ func newClientset(cluster *eks.Cluster) (*kubernetes.Clientset, error) {
 
 func cleanup(t *testing.T, terraformOptions *terraform.Options, tempTestFolder string) {
 	terraform.Destroy(t, terraformOptions)
-	os.RemoveAll(tempTestFolder)
+	_ = os.RemoveAll(tempTestFolder)
 }
 
 // Test the Terraform module in examples/complete using Terratest.
@@ -72,7 +73,7 @@ func TestExamplesComplete(t *testing.T) {
 	terraformFolderRelativeToRoot := "examples/complete"
 	varFiles := []string{"fixtures.us-east-2.tfvars"}
 
-	tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
+	tempTestFolder := testStructure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
 
 	terraformOptions := &terraform.Options{
 		// The path to where our Terraform code is located
@@ -193,7 +194,7 @@ func TestExamplesCompleteDisabled(t *testing.T) {
 	terraformFolderRelativeToRoot := "examples/complete"
 	varFiles := []string{"fixtures.us-east-2.tfvars"}
 
-	tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
+	tempTestFolder := testStructure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
 
 	terraformOptions := &terraform.Options{
 		// The path to where our Terraform code is located
@@ -203,19 +204,19 @@ func TestExamplesCompleteDisabled(t *testing.T) {
 		VarFiles: varFiles,
 		Vars: map[string]interface{}{
 			"attributes": attributes,
-			"enabled":    "false",
+			"enabled":    false,
 		},
 	}
 
 	// At the end of the test, run `terraform destroy` to clean up any resources that were created
 	defer cleanup(t, terraformOptions, tempTestFolder)
 
 	// This will run `terraform init` and `terraform apply` and fail the test if there are any errors
-	terraform.InitAndApply(t, terraformOptions)
-
-	// Get all the output and lookup a field. Pass if the field is missing or empty.
-	example := terraform.OutputAll(t, terraformOptions)["eks_node_group_arn"]
+	results := terraform.InitAndApply(t, terraformOptions)
 
-	// Verify we're getting back the outputs we expect
-	assert.Empty(t, example, "When disabled, module should have no outputs.")
+	// Should complete successfully without creating or changing any resources.
+	// Extract the "Resources:" section of the output to make the error message more readable.
+	re := regexp.MustCompile(`Resources: [^.]+\.`)
+	match := re.FindString(results)
+	assert.Equal(t, "Resources: 0 added, 0 changed, 0 destroyed.", match, "Re-applying the same configuration should not change any resources")
 }
diff --git a/variables.tf b/variables.tf
@@ -450,3 +450,15 @@ variable "detailed_monitoring_enabled" {
   default     = false
   description = "The launched EC2 instance will have detailed monitoring enabled. Defaults to false"
 }
+
+variable "force_update_version" {
+  type        = bool
+  default     = false
+  description = "When updating the Kubernetes version, force Pods to be removed even if PodDisruptionBudget or taint/toleration issues would otherwise prevent them from being removed (and cause the update to fail)"
+}
+
+variable "replace_node_group_on_version_update" {
+  type        = bool
+  default     = false
+  description = "Force Node Group replacement when updating to a new Kubernetes version. If set to `false` (the default), the Node Groups will be updated in-place"
+}

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,14 @@`
`1`	`1`	`{`
`2`	`2`	`"extends": [`
`3`	`3`	`"config:base",`
`4`		`- ":preserveSemverRanges"`
	`4`	`+ ":preserveSemverRanges",`
	`5`	`+ ":rebaseStalePrs"`
`5`	`6`	`],`
`6`		`- "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],`
	`7`	`+ "baseBranches": ["main"],`
`7`	`8`	`"labels": ["auto-update"],`
`8`	`9`	`"dependencyDashboardAutoclose": true,`
`9`	`10`	`"enabledManagers": ["terraform"],`
`10`	`11`	`"terraform": {`
`11`		`- "ignorePaths": ["/context.tf", "examples/"]`
	`12`	`+ "ignorePaths": ["**/context.tf"]`
`12`	`13`	`}`
`13`	`14`	`}`