v2.4.0

With this release, we end the use of pre-production (version 0.x) Semantic Versions for this module. Earlier releases have been re-released to make upgrading using semantic versions possible.

This release has a change that may trigger an update. The ebs_optimized input was added in v2.2.0 (and v0.27.2) with a default value of false. In this release, we change the default value to true, which is the value recommended by AWS and is the default value for most instance types.

Although this release contains a fix to generate the correct values for the tags (with keys of the form k8s.io/cluster-autoscaler/node-template/taint/$TAINT) that give a hint to the Cluster Auto Scaler about what taints would be applied to nodes when launched (prior to his release, the tag values were invalid), the tags are only effective when applied to the auto scaling group controlling the node group, and even with this release, this module still does not apply the tags to the auto scaling group. See aws/containers-roadmap#608 for more details.

Other changes:

• Add updated documentation for migration to V2.0.0
• Add tags to the output, supersedes and closes #112, closes #111
• Fix the tag value for Auto Scaler tags that indicate taints

For details, see PR #118

v0.28.1

git.io->cloudposse.tools update @dylanbannon (#114)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

• DEV-143

🤖 Automatic Updates

chore(deps): update terraform cloudposse/security-group/aws to v1 @renovate (#117)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/security-group/aws (source)	module	major	0.4.3 -> 1.0.1

---

v2.3.0 Requested features, general updates (#110)

Version 2.3.0 is exactly the same as v0.28.0 except for the version number, part of Cloud Posse's conversion to production Semantic Versioning for its Terraform modules.

This version is not recommended, because it includes the ebs_optimized input with a default value of false. The default has been changed to true in v2.4.0.

🚀 Enhancements

Requested features, general updates (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

• Allow ami_type="CUSTOM", resolves #96, thank you @ingledl
• Output ID and name of launch template, resolves #102, supersedes and closes #103, thank you @bwmetcalf
• Allow SSH access to provided ssh_access_security_group_ids whether or not an SSH key is provided, resolves #108, thank you @bcbrockway
• Update test framework, add test for enabled=false, update workflows: general maintenance and conformity

🐛 Bug Fixes

Properly handle launch template changes, ensure SSH egress (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

• Change name of node group when launch template ID changes. Supersedes and closes #106, thank you @woz5999
• Allow all TCP egress to destinations where SSH ingress is allowed because that is required for SSH to work (usually not a problem because usually node groups allow all egress to all destinations)

v0.28.0

🚀 Enhancements

Requested features, general updates (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

• Allow ami_type="CUSTOM", resolves #96, thank you @ingledl
• Output ID and name of launch template, resolves #102, supersedes and closes #103, thank you @bwmetcalf
• Allow SSH access to provided ssh_access_security_group_ids whether or not an SSH key is provided, resolves #108, thank you @bcbrockway
• Update test framework, add test for enabled=false, update workflows: general maintenance and conformity

🐛 Bug Fixes

Properly handled launch template changes, ensure SSH egress (#110)

what && why

Combine feature requests, bug fixes, and general updates into a single PR to reduce number of releases and also expedite requested changes to PRs.

• Change name of node group when launch template ID changes. Supersedes and closes #106, thank you @woz5999
• Allow all TCP egress to destinations where SSH ingress is allowed because that is required for SSH to work (usually not a problem because usually node groups allow all egress to all destinations)

v2.2.0 EBS optimization, tagging network interfaces

This version is not recommended, because it introduces the ebs_optimized input with a default value of false, which is a change from previous behavior and best practice. The default has been changed to true in v2.4.0.

Version 2.2.0 is exactly the same as v0.27.3 except for the version number, part of Cloud Posse's conversion to production Semantic Versioning for its Terraform modules..

🚀 Enhancements

Support tagging Network Interfaces @mholttech (#107)

what

Add support for tagging Network Interfaces with var.resources_to_tag

why

According to LaunchTemplateTagSpecificationRequest Documentation, Network Interfaces are now supported for tagging on creation.

references

• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_LaunchTemplateTagSpecificationRequest.html

support for ebs optimization in launch templates @jrowinski3d (#101)

what

• Enabled EBS Optimization in the launch template.

why

• Give the user ability to enable ebs optimization, default will be false. Of course the instance_type will need to be capable of doing so.

references

• closes #123

v0.27.3

🚀 Enhancements

Support tagging Network Interfaces @mholttech (#107)

what

Add support for tagging Network Interfaces with var.resources_to_tag

why

According to LaunchTemplateTagSpecificationRequest Documentation, Network Interfaces are now supported for tagging on creation.

references

• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_LaunchTemplateTagSpecificationRequest.html

v0.27.2

This version is not recommended, because it introduces the ebs_optimized input with a default value of false, which is a change from previous behavior and best practice. The default has been changed to true in v2.4.0. We recommend upgrading to v2.4.0 or later rather than upgrading to this version. No special effort is needed to upgrade to this version from v0.25.0 or later, or v2.0.0 or later. See the migration from v1 to v2 documentation for information on how to upgrade safely from earlier versions.

🚀 Enhancements

support for ebs optimization in launch templates @jrowinski3d (#101)

what

• Enabled EBS Optimization in the launch template.

why

• Give the user ability to enable ebs optimization, default will be false. Of course the instance_type will need to be capable of doing so.

references

• closes #123

v2.1.0 Bottlerocket AMIs, bug fixes

Version 2.1.0 is exactly the same as v0.27.1 except for the version number, part of Cloud Posse's conversion to production Semantic Versioning for its Terraform modules.

No special effort is needed to upgrade to this version from v0.25.0 or later, or v2.0.0 or later. See the migration from v1 to v2 documentation for information on how to upgrade safely from earlier versions.

Note: Although this release contains a fix for a bug that caused Terraform to fail when Kubernetes node taints were specified, the fix did not generate the correct values for the tags applied to the Launch Template and Node Group. The tag values were corrected in v2.4.0 of this module, but nevertheless, the tags (with keys of the form k8s.io/cluster-autoscaler/node-template/taint/$TAINT) are only effective when applied to the auto scaling group controlling the node group, and as of v2.4.0 this module still does not apply the tags to the auto scaling group. See aws/containers-roadmap#608 for more details as to why.

🚀 Enhancements

Support bottlerocket ami types @nitrocode (#93)

what

• Support bottlerocket ami types
• Removed unused null and template providers

why

• This will allow us to support bottlerocket ami using an ami_type
• template provider removal will allow OSX M1 to use this module

references

https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html

amiType

    If the node group was deployed using a launch template with a custom AMI, then this is CUSTOM. For node groups that weren't deployed using a launch template, this is the AMI type that was specified in the node group configuration.

    Type: String

    Valid Values: AL2_x86_64 | AL2_x86_64_GPU | AL2_ARM_64 | CUSTOM | BOTTLEROCKET_ARM_64 | BOTTLEROCKET_x86_64

    Required: No

notes

• There is no GPU version of bottlerocket

Here are the following data source checks to verify backwards compatibility.

With a temporary output in ami.tf and examples/complete/outputs.tf

output "ami_regex" {
  value = local.ami_regex[local.ami_kind],
}

And setting after_cluster_joining_userdata = ["ls"] to trigger needing an ami.

ami_type = "AL2_x86_64" and ami_release_version = ["1.21.0-20211013"]

# matches amazon-eks-node-1.21-v20211013 in us-east-2
ami_regex = amazon-eks-node-1.21-v20211013

ami_type = "AL2_x86_64" and no ami_release_version

# matches amazon-eks-node-1.21-v20211013 in us-east-2
ami_regex = amazon-eks-node-1.21-*

ami_type = "BOTTLEROCKET_x86_64" and ami_release_version = ["1.2.0-ccf1b754"]

# matches bottlerocket-aws-k8s-1.21-x86_64-v1.2.0-ccf1b754 in us-east-2
ami_regex = bottlerocket-aws-k8s-1.21-x86_64-v1.2.0-ccf1b754

ami_type = "BOTTLEROCKET_x86_64" and no ami_release_version

# matches bottlerocket-aws-k8s-1.21-x86_64-v1.3.0-395b459c in us-east-2
ami_regex = bottlerocket-aws-k8s-1.21-x86_64-*

ami_type = "BOTTLEROCKET_ARM_64" and ami_release_version = ["1.2.0-ccf1b754"]

# matches bottlerocket-aws-k8s-1.21-aarch64-v1.2.0-ccf1b754 in us-east-2
ami_regex = "bottlerocket-aws-k8s-1.21-aarch64-v1.2.0-ccf1b754"

ami_type = "BOTTLEROCKET_ARM_64" and no ami_release_version

# matches bottlerocket-aws-k8s-1.21-aarch64-v1.3.0-395b459c in us-east-2
ami_regex = "bottlerocket-aws-k8s-1.21-aarch64-*"

🐛 Bug Fixes

• Correctly support enabled=false @nitrocode (#94)
• Fix crash due to autoscaling taint labels @xeivieni (#87) (Fixes crash, but labels are still ineffective, see note above)

v0.27.1

Update READMEs, LICENSE, and GitHub workflows @aknysh (#98)

what

• Update READMEs, LICENSE, and GitHub workflows

why

• Fix typos and formatting
• Keep up to date

🤖 Automatic Updates

chore(deps): update terraform cloudposse/security-group/aws to v0.4.3 @renovate (#99)

This PR contains the following updates:

Package	Type	Update	Change
cloudposse/security-group/aws (source)	module	patch	0.4.2 -> 0.4.3

---

Release Notes

cloudposse/terraform-aws-security-group

v0.4.3

Compare Source

Update recommended inputs and outputs @​Nuru (#​26)

#### what - Update recommended inputs and outputs #### why - Changes based on experience implementing several modules

#### 🚀 Enhancements

Rename the exported `security_group_inputs.tf` file to `security-group-inputs.tf` @​aknysh (#​30)

#### what * Rename the exported `security_group_inputs.tf` file to `security-group-inputs.tf` * Update GitHub workflows and LICENSE #### why * Our naming convention is to use `kebab-case` for all files. Having a file in `snake_case` (after adding it to a repo) together with all the other files in `kebab-case` in the same repo does not look correct * Keep up to date

---

v0.27.0

Support bottlerocket ami types @nitrocode (#93)

what

• Support bottlerocket ami types
• Removed unused null and template providers

why

• This will allow us to support bottlerocket ami using an ami_type
• template provider removal will allow OSX M1 to use this module

references

https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html

amiType

    If the node group was deployed using a launch template with a custom AMI, then this is CUSTOM. For node groups that weren't deployed using a launch template, this is the AMI type that was specified in the node group configuration.

    Type: String

    Valid Values: AL2_x86_64 | AL2_x86_64_GPU | AL2_ARM_64 | CUSTOM | BOTTLEROCKET_ARM_64 | BOTTLEROCKET_x86_64

    Required: No

notes

• There is no GPU version of bottlerocket

Here are the following data source checks to verify backwards compatibility.

With a temporary output in ami.tf and examples/complete/outputs.tf

output "ami_regex" {
  value = local.ami_regex[local.ami_kind],
}

And setting after_cluster_joining_userdata = ["ls"] to trigger needing an ami.

ami_type = "AL2_x86_64" and ami_release_version = ["1.21.0-20211013"]

# matches amazon-eks-node-1.21-v20211013 in us-east-2
ami_regex = amazon-eks-node-1.21-v20211013

ami_type = "AL2_x86_64" and no ami_release_version

# matches amazon-eks-node-1.21-v20211013 in us-east-2
ami_regex = amazon-eks-node-1.21-*

ami_type = "BOTTLEROCKET_x86_64" and ami_release_version = ["1.2.0-ccf1b754"]

# matches bottlerocket-aws-k8s-1.21-x86_64-v1.2.0-ccf1b754 in us-east-2
ami_regex = bottlerocket-aws-k8s-1.21-x86_64-v1.2.0-ccf1b754

ami_type = "BOTTLEROCKET_x86_64" and no ami_release_version

# matches bottlerocket-aws-k8s-1.21-x86_64-v1.3.0-395b459c in us-east-2
ami_regex = bottlerocket-aws-k8s-1.21-x86_64-*

ami_type = "BOTTLEROCKET_ARM_64" and ami_release_version = ["1.2.0-ccf1b754"]

# matches bottlerocket-aws-k8s-1.21-aarch64-v1.2.0-ccf1b754 in us-east-2
ami_regex = "bottlerocket-aws-k8s-1.21-aarch64-v1.2.0-ccf1b754"

ami_type = "BOTTLEROCKET_ARM_64" and no ami_release_version

# matches bottlerocket-aws-k8s-1.21-aarch64-v1.3.0-395b459c in us-east-2
ami_regex = "bottlerocket-aws-k8s-1.21-aarch64-*"