
Encrypted EBS For Node Group #69

Closed
xeon0320 opened this issue May 28, 2021 · 3 comments · Fixed by #84
Labels
bug 🐛 An issue with the system

Comments

@xeon0320

Hi. I'm not sure if this is a bug, or maybe I'm just not understanding it correctly. I'm trying to enable encryption and encrypt the EBS volumes for the Node Groups.

In my Terraform code, I have added:
  launch_template_disk_encryption_enabled    = true
  launch_template_disk_encryption_kms_key_id = "ARN of the KMS key"

After terraform apply, I can see the launch template has the encryption flag set to true and the ARN of the key is also visible.

But when I go to the ASG, I can see the ASG is actually using a different launch template.

It seems when I run terraform, the code creates 2 launch templates, and the ASG is not using the one that got updated above.

Am I missing something here?

Thanks.

@xeon0320 xeon0320 added the bug 🐛 An issue with the system label May 28, 2021
@Nuru

Nuru commented Jun 30, 2021

@xeon0320 Thank you for reporting this. I have confirmed that this is a bug that has been present since the disk encryption option was added.

  • In the beginning, this module did not use a launch template.
  • At some point (version 0.8 to 0.11) this module optionally created a launch template if one were needed to use features that were only available via a launch template. The intention was to only create and use a launch template if one were needed (probably so as not to disturb existing clusters), but in order to work around a bug in Terraform, the launch template is always created even if it is not used.
  • When the disk encryption flag was added, the setting was added to the launch template, but the flag indicating whether or not to use the launch template was not updated.

This is an easy bug to fix and we will fix it. However, at the moment this module is subject to a code freeze, so it will be a while before the fix is published.

You can work around this bug by forcing the use of the launch template, which you can do by passing before_cluster_joining_userdata. I suggest

  before_cluster_joining_userdata = "# Force use of launch template"

@Nuru Nuru added the confirmed label Jun 30, 2021
@xeon0320

@Nuru Thanks for the info. Quick question on the workaround. For the variable before_cluster_joining_userdata, what do I need to put in for the value? Do I just need to copy-paste the example you put above, and just use a comment string as the value? Thanks.

@xeon0320

@Nuru I've implemented the workaround above and I have a question. After I deploy the node group using that flag, I see the node group is now using the custom launch template (I'm able to specify encryption and custom AMI ID). Under EKS console -> Compute -> NodeGroups, I can see the custom launch template is listed there.

But if I go to EC2 -> Auto Scaling Group, and check the newly created ASG, it's still using the default launch template, and not the custom template that's used in EKS node.

The default and custom launch templates look exactly the same to me, but it's just odd that the ASG and Node Group are using 2 different templates.

Any input on this issue? Thanks.
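The mismatch described in this thread (the EKS node group shows one launch template while its Auto Scaling Group runs another, so the encryption settings never reach the nodes) is something worth checking after every apply rather than by eye in two consoles. The script below is an added example, not code from the module or from either participant. It cross-checks the JSON that `aws eks describe-nodegroup`, `aws autoscaling describe-auto-scaling-groups` and `aws ec2 describe-launch-template-versions` return, using constructed sample responses embedded inline; the template ids, ASG name and KMS key ARN are placeholders.

```python
"""Audit that an EKS managed node group's ASG really runs the launch template
that carries the EBS encryption settings, and that those settings are right."""
import json

# Placeholder KMS key ARN (constructed for this example, not from the issue).
EXPECTED_KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-EXAMPLE"

# Constructed sample responses, shaped like the output of:
#   aws eks describe-nodegroup --cluster-name ... --nodegroup-name example-ng
#   aws autoscaling describe-auto-scaling-groups
#   aws ec2 describe-launch-template-versions --launch-template-id <id>
# As in the issue, two templates exist: lt-0aaa carries the encryption flag and
# KMS key, lt-0bbb is the default template the ASG was actually created with.
NODEGROUP = {"nodegroup": {
    "nodegroupName": "example-ng",
    "launchTemplate": {"id": "lt-0aaa", "version": "1"},
    "resources": {"autoScalingGroups": [{"name": "eks-example-ng-asg"}]},
}}
ASGS = {"AutoScalingGroups": [{
    "AutoScalingGroupName": "eks-example-ng-asg",
    "LaunchTemplate": {"LaunchTemplateId": "lt-0bbb", "Version": "1"},
}]}
# Same ASG after the workaround forces the node group onto the custom template.
ASGS_FIXED = {"AutoScalingGroups": [{
    "AutoScalingGroupName": "eks-example-ng-asg",
    "LaunchTemplate": {"LaunchTemplateId": "lt-0aaa", "Version": "1"},
}]}
TEMPLATE_VERSIONS = {
    "lt-0aaa": {"LaunchTemplateVersions": [{
        "LaunchTemplateId": "lt-0aaa", "VersionNumber": 1,
        "LaunchTemplateData": {"BlockDeviceMappings": [{
            "DeviceName": "/dev/xvda",
            "Ebs": {"Encrypted": True, "KmsKeyId": EXPECTED_KMS_KEY_ARN}}]}}]},
    "lt-0bbb": {"LaunchTemplateVersions": [{
        "LaunchTemplateId": "lt-0bbb", "VersionNumber": 1,
        "LaunchTemplateData": {"BlockDeviceMappings": [{
            "DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}]}}]},
}


def asg_launch_template(asg):
    """An ASG names its template directly or via a MixedInstancesPolicy."""
    if "LaunchTemplate" in asg:
        return asg["LaunchTemplate"]
    return asg["MixedInstancesPolicy"]["LaunchTemplate"]["LaunchTemplateSpecification"]


def template_data(versions_by_id, lt_id, version):
    """Return LaunchTemplateData for a template id and a version ('$Latest' or a number)."""
    versions = versions_by_id[lt_id]["LaunchTemplateVersions"]
    if version == "$Latest":
        chosen = max(versions, key=lambda v: v["VersionNumber"])
    else:
        chosen = next(v for v in versions if str(v["VersionNumber"]) == str(version))
    return chosen["LaunchTemplateData"]


def ebs_findings(data, expected_kms):
    """List problems with the EBS settings of one launch template version."""
    findings = []
    mappings = data.get("BlockDeviceMappings", [])
    if not mappings:
        findings.append("no BlockDeviceMappings: volumes fall back to AMI/account defaults")
    for mapping in mappings:
        dev = mapping.get("DeviceName", "?")
        ebs = mapping.get("Ebs", {})
        if not ebs.get("Encrypted"):
            findings.append(f"{dev}: Encrypted is not true")
        elif ebs.get("KmsKeyId") != expected_kms:
            findings.append(f"{dev}: KmsKeyId {ebs.get('KmsKeyId')!r} is not the expected key")
    return findings


def audit_nodegroup(nodegroup, asgs, versions_by_id, expected_kms):
    """Return a list of findings; an empty list means the ASG runs the node group's
    template and every mapped volume is encrypted with the expected key."""
    ng = nodegroup["nodegroup"]
    ng_lt = ng["launchTemplate"]
    by_name = {a["AutoScalingGroupName"]: a for a in asgs["AutoScalingGroups"]}
    findings = []
    for ref in ng["resources"]["autoScalingGroups"]:
        name = ref["name"]
        asg_lt = asg_launch_template(by_name[name])
        # The bug in the issue: the ASG was built from a different template than
        # the one the module updated with the encryption settings.
        if asg_lt["LaunchTemplateId"] != ng_lt["id"]:
            findings.append(f"{name}: ASG runs {asg_lt['LaunchTemplateId']} but node group "
                            f"{ng['nodegroupName']} is configured with {ng_lt['id']}")
        # Inspect the template the ASG actually uses, not the one the console shows.
        data = template_data(versions_by_id, asg_lt["LaunchTemplateId"], asg_lt["Version"])
        findings.extend(f"{name}/{asg_lt['LaunchTemplateId']}: {f}"
                        for f in ebs_findings(data, expected_kms))
    return findings


if __name__ == "__main__":
    for label, asgs in (("before workaround", ASGS), ("after workaround", ASGS_FIXED)):
        print(label, json.dumps(audit_nodegroup(NODEGROUP, asgs, TEMPLATE_VERSIONS,
                                                EXPECTED_KMS_KEY_ARN), indent=2))
```

In use, replace the constructed dictionaries with `json.load` of the three CLI calls' output; the point of the check is that it follows the ASG's own `LaunchTemplateId`, so a template that looks correct in the EKS console but is not the one the ASG launches from is reported as a finding.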

@Nuru Nuru mentioned this issue Aug 29, 2021
@Nuru Nuru closed this as completed in #84 Aug 30, 2021