custom template

samuelberston · Nov 27, 2024 · 0af183f · 0af183f
1 parent 60e3664
commit 0af183f
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 11 deletions.
diff --git a/terraform/eks.tf b/terraform/eks.tf
@@ -73,11 +73,6 @@ module "eks" {
       launch_template_tags = {
         Name = "eks-managed-node-group-template"
       }
-
-      # Proper user data configuration
-      enable_bootstrap_user_data = true
-      bootstrap_extra_args      = "--container-runtime containerd"
-      user_data_template_path   = "templates/userdata.tpl"  # Add this
 
       # Additional launch template configurations
       launch_template_description = "EKS managed node group launch template"
@@ -94,14 +89,20 @@ module "eks" {
         }
       }
 
+      # Add these variables for the userdata template
+      enable_bootstrap_user_data = true
+      user_data_template_path = "templates/userdata.tpl"
+      userdata_template_vars = {
+        cluster_name         = module.eks.cluster_name
+        cluster_endpoint     = module.eks.cluster_endpoint
+        cluster_auth_base64  = module.eks.cluster_certificate_authority_data
+        bootstrap_extra_args = "--container-runtime containerd --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=normal'"
+      }
+
       # Add instance profile configuration
       create_iam_instance_profile = true
       iam_instance_profile_arn    = aws_iam_instance_profile.eks_node_group.arn
 
-      # Ensure proper instance profile association
-      enable_bootstrap_user_data = true
-      bootstrap_extra_args       = "--container-runtime containerd"
-
       # Add required tags
       tags = {
         "k8s.io/cluster-autoscaler/enabled" = "true"

diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -18,6 +18,43 @@ resource "aws_iam_role" "eks_admin" {
   })
 }
 
+# Add ECR permissions to the admin role
+resource "aws_iam_role_policy" "eks_admin_ecr" {
+  name = "eks-admin-ecr"
+  role = aws_iam_role.eks_admin.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr:GetAuthorizationToken",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetRepositoryPolicy",
+          "ecr:DescribeRepositories",
+          "ecr:ListImages",
+          "ecr:DescribeImages",
+          "ecr:BatchGetImage",
+          "ecr:InitiateLayerUpload",
+          "ecr:UploadLayerPart",
+          "ecr:CompleteLayerUpload",
+          "ecr:PutImage"
+        ]
+        Resource = [
+          "arn:aws:ecr:us-west-1:${data.aws_caller_identity.current.account_id}:repository/auth-service"
+        ]
+      },
+      {
+        Effect = "Allow"
+        Action = "ecr:GetAuthorizationToken",
+        Resource = "*"
+      }
+    ]
+  })
+}
+
 # KMS permissions for the admin role
 resource "aws_iam_role_policy" "eks_admin_kms" {
   name = "eks-admin-kms"

diff --git a/terraform/templates/userdata.tpl b/terraform/templates/userdata.tpl
@@ -6,9 +6,13 @@ Content-Type: text/x-shellscript; charset="us-ascii"
 
 #!/bin/bash
 set -ex
+
+# Enable debug logging for bootstrap script
+export AWS_LOG_LEVEL=debug
+
 /etc/eks/bootstrap.sh ${cluster_name} \
-  --b64-cluster-ca ${cluster_auth_base64} \
-  --apiserver-endpoint ${cluster_endpoint} \
+  --b64-cluster-ca '${cluster_auth_base64}' \
+  --apiserver-endpoint '${cluster_endpoint}' \
   ${bootstrap_extra_args}
 
 --==BOUNDARY==--