Fix variable defaults to accommodate AWS ASGs not launching instances when block device is unecrypted but AMI is encrypted. Also fix change to s3 object attributes in terraform provider.

Author: adamacosta

modules/agent-nodepool/variables.tf

@@ -54,10 +54,8 @@ variable "ssh_authorized_keys" {
 variable "block_device_mappings" {
   description = "Node pool block device mapping configuration"
   type        = map(string)
-
-  default = {
-    "size" = 30
-    type   = "gp2"
+  default     = {
+    size = "30"
   }
 }
 
@@ -70,8 +68,7 @@ variable "extra_cloud_config_config" {
 variable "extra_block_device_mappings" {
   description = "Used to specify additional block device mapping configurations"
   type        = list(map(string))
-  default = [
-  ]
+  default     = []
 }
 
 variable "asg" {

modules/nodepool/variables.tf

@@ -61,18 +61,13 @@ variable "vpc_security_group_ids" {
 }
 
 variable "block_device_mappings" {
-  type = map(string)
-
-  default = {
-    "size" = 30
-    type   = "gp2"
-  }
+  type    = map(string)
+  default = {}
 }
 
 variable "extra_block_device_mappings" {
-  type = list(map(string))
-  default = [
-  ]
+  type    = list(map(string))
+  default = []
 }
 
 variable "asg" {

modules/statestore/main.tf

@@ -50,7 +50,7 @@ data "aws_iam_policy_document" "getter" {
     effect  = "Allow"
     actions = ["s3:GetObject"]
     resources = [
-      "${aws_s3_bucket.bucket.arn}/${aws_s3_object.token.id}",
+      "${aws_s3_bucket.bucket.arn}/${aws_s3_object.token.key}",
     ]
   }
 }

modules/statestore/outputs.tf

@@ -3,7 +3,7 @@ output "bucket" {
 }
 
 output "token_object" {
-  value = aws_s3_object.token.id
+  value = aws_s3_object.token.key
 }
 
 output "kubeconfig_put_policy" {
@@ -13,7 +13,7 @@ output "kubeconfig_put_policy" {
 output "token" {
   value = {
     bucket          = aws_s3_object.token.bucket
-    object          = aws_s3_object.token.id
+    object          = aws_s3_object.token.key
     policy_document = data.aws_iam_policy_document.getter.json
     bucket_arn      = aws_s3_bucket.bucket.arn
   }

variables.tf

@@ -1,5 +1,5 @@
 variable "cluster_name" {
-  description = "Name of the rkegov cluster to create"
+  description = "Name of the rke2 cluster to create"
   type        = string
 }
 
@@ -60,17 +60,15 @@ variable "iam_permissions_boundary" {
 variable "block_device_mappings" {
   description = "Server pool block device mapping configuration"
   type        = map(string)
-  default = {
-    "size"      = 30
-    "encrypted" = false
+  default     = {
+    size = "30"
   }
 }
 
 variable "extra_block_device_mappings" {
   description = "Used to specify additional block device mapping configurations"
   type        = list(map(string))
-  default = [
-  ]
+  default     = []
 }
 
 variable "extra_security_group_ids" {
@@ -141,7 +139,7 @@ variable "metadata_options" {
   default = {
     http_endpoint               = "enabled"
     http_tokens                 = "required" # IMDS-v2
-    http_put_response_hop_limit = 2          # allow pods to use IMDS as well
+    http_put_response_hop_limit = 3          # ACME DNS via cert-manager challenge seems to require 3
     instance_metadata_tags      = "disabled"
   }
   description = "Instance Metadata Options"