chore: Update documentation related to default EKS node group settings and v18.x security group changes (#1760)

Author: bryantbiggs

README.md

@@ -175,11 +175,14 @@ module "eks" {
 
 ℹ️ Only the pertinent attributes are shown for brevity
 
-1. AWS EKS Managed Node Group can provide its own launch template and utilize the latest AWS EKS Optimized AMI (Linux) for the given Kubernetes version:
+1. AWS EKS Managed Node Group can provide its own launch template and utilize the latest AWS EKS Optimized AMI (Linux) for the given Kubernetes version. By default, the module creates a launch template to ensure tags are propagated to instances, etc., so we need to disable it to use the default template provided by the AWS EKS managed node group service:
 
 ```hcl
   eks_managed_node_groups = {
-    default = {}
+    default = {
+      create_launch_template = false
+      launch_template_name   = ""
+    }
   }
 ```
 
@@ -188,6 +191,9 @@ module "eks" {
 ```hcl
   eks_managed_node_groups = {
     bottlerocket_default = {
+      create_launch_template = false
+      launch_template_name   = ""
+
       ami_type = "BOTTLEROCKET_x86_64"
       platform = "bottlerocket"
     }

UPGRADE-18.0.md

@@ -29,6 +29,7 @@ Please consult the `examples` directory for reference example configurations. If
       - The previous iteration used a count over a list of node group definitions which was prone to disruptive updates; this is now replaced with a map/for_each to align with that of the EKS managed node group and Fargate profile behaviors/style
 - The user data configuration supported across the module has been completely revamped. A new `_user_data` internal sub-module has been created to consolidate all user data configuration in one location which provides better support for testability (via the [`examples/user_data`](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/user_data) example). The new sub-module supports nearly all possible combinations including the ability to allow users to provide their own user data template which will be rendered by the module. See the `examples/user_data` example project for the full plethora of example configuration possibilities and more details on the logic of the design can be found in the [`modules/_user_data`](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/modules/_user_data_) directory.
 - Resource name changes may cause issues with existing resources. For example, security groups and IAM roles cannot be renamed, they must be recreated. Recreation of these resources may also trigger a recreation of the cluster. To use the legacy (< 18.x) resource naming convention, set `prefix_separator` to "".
+- Security group usage has been overhauled to provide only the bare minimum network connectivity required to launch a bare bones cluster. See the [security group documentation section](https://github.com/terraform-aws-modules/terraform-aws-eks#security-groups) for more details. Users upgrading to v18.x will want to review the rules they have in place today versus the rules provisioned by the v18.x module and ensure to make any necessary adjustments for their specific workload.
 
 ## Additional changes
 

examples/eks_managed_node_group/README.md

@@ -32,13 +32,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 2.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 2.2 |
 
 ## Modules
 
@@ -51,11 +53,13 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Type |
 |------|------|
+| [aws_key_pair.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
 | [aws_kms_key.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_launch_template.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 | [aws_security_group.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [null_resource.patch](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 | [aws_iam_policy_document.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

examples/eks_managed_node_group/main.tf

@@ -68,10 +68,25 @@ module "eks" {
 
   eks_managed_node_groups = {
     # Default node group - as provided by AWS EKS
-    default_node_group = {}
+    default_node_group = {
+      # By default, the module creates a launch template to ensure tags are propagated to instances, etc.,
+      # so we need to disable it to use the default template provided by the AWS EKS managed node group service
+      create_launch_template = false
+      launch_template_name   = ""
+
+      # Remote access cannot be specified with a launch template
+      remote_access = {
+        ec2_ssh_key = aws_key_pair.this.key_name
+      }
+    }
 
     # Default node group - as provided by AWS EKS using Bottlerocket
     bottlerocket_default = {
+      # By default, the module creates a launch template to ensure tags are propagated to instances, etc.,
+      # so we need to disable it to use the default template provided by the AWS EKS managed node group service
+      create_launch_template = false
+      launch_template_name   = ""
+
       ami_type = "BOTTLEROCKET_x86_64"
       platform = "bottlerocket"
     }
@@ -122,20 +137,23 @@ module "eks" {
 
     # Use a custom AMI
     custom_ami = {
+      ami_type = "AL2_ARM_64"
       # Current default AMI used by managed node groups - pseudo "custom"
-      ami_id = "ami-0caf35bc73450c396"
+      ami_id = "ami-01dc0aa438e3214c2" # ARM
 
       # This will ensure the boostrap user data is used to join the node
       # By default, EKS managed node groups will not append bootstrap script;
       # this adds it back in using the default template provided by the module
       # Note: this assumes the AMI provided is an EKS optimized AMI derivative
       enable_bootstrap_user_data = true
+
+      instance_types = ["t4g.medium"]
     }
 
     # Complete
     complete = {
       name            = "complete-eks-mng"
-      use_name_prefix = false
+      use_name_prefix = true
 
       subnet_ids = module.vpc.private_subnets
 
@@ -173,10 +191,6 @@ module "eks" {
         }
       ]
 
-      remote_access = {
-        ec2_ssh_key = "my-ssh-key"
-      }
-
       update_config = {
         max_unavailable_percentage = 50 # or set `max_unavailable`
       }
@@ -475,6 +489,7 @@ resource "aws_launch_template" "external" {
     resource_type = "instance"
 
     tags = {
+      Name      = "external_lt"
       CustomTag = "Instance custom tag"
     }
   }
@@ -503,3 +518,14 @@ resource "aws_launch_template" "external" {
     create_before_destroy = true
   }
 }
+
+resource "tls_private_key" "this" {
+  algorithm = "RSA"
+}
+
+resource "aws_key_pair" "this" {
+  key_name_prefix = local.name
+  public_key      = tls_private_key.this.public_key_openssh
+
+  tags = local.tags
+}

examples/eks_managed_node_group/versions.tf

@@ -10,5 +10,9 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 3.0"
     }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 2.2"
+    }
   }
 }