feat: add support for ASG instance refresh for workers

Signed-off-by: Benjamin Ash <[email protected]>

Author: Benjamin Ash

.gitignore

@@ -2,6 +2,7 @@ eks-admin-cluster-role-binding.yaml
 eks-admin-service-account.yaml
 config-map-aws-auth*.yaml
 kubeconfig_*
+.idea
 
 #################################################################
 # Default .gitignore content for all terraform-aws-modules below

README.md

@@ -31,6 +31,9 @@ By default, this module manages the `aws-auth` configmap for you (`manage_aws_au
 
 For windows users, please read the following [doc](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/faq.md#deploying-from-windows-binsh-file-does-not-exist).
 
+Setting `instance_refresh_enabled` to true will recreate your worker nodes without draining them first. It is recommended to install [aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler) for proper node draining. Find the complete example here [instance_refresh](examples/instance_refresh).
+
+
 ## Usage example
 
 A full example leveraging other community modules is contained in the [examples/basic directory](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/basic).
@@ -145,7 +148,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.35.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.37.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 1.11.1 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.4 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.1 |
@@ -156,7 +159,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.35.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.37.0 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 1.11.1 |
 | <a name="provider_local"></a> [local](#provider\_local) | >= 1.4 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.1 |

examples/instance_refresh/main.tf

@@ -0,0 +1,259 @@
+provider "aws" {
+  region = var.region
+}
+data "aws_caller_identity" "current" {}
+
+data "aws_eks_cluster" "cluster" {
+  name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+  name = module.eks.cluster_id
+}
+
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+  token                  = data.aws_eks_cluster_auth.cluster.token
+  load_config_file       = false
+}
+
+data "aws_availability_zones" "available" {
+}
+
+locals {
+  cluster_name = "test-refresh-${random_string.suffix.result}"
+}
+
+resource "random_string" "suffix" {
+  length  = 8
+  special = false
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 3.0.0"
+
+  name                 = local.cluster_name
+  cidr                 = "10.0.0.0/16"
+  azs                  = data.aws_availability_zones.available.names
+  public_subnets       = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+  enable_dns_hostnames = true
+}
+
+data "aws_iam_policy_document" "node_term" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeInstances",
+      "autoscaling:DescribeAutoScalingInstances",
+      "autoscaling:DescribeTags",
+    ]
+    resources = [
+      "*",
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "autoscaling:CompleteLifecycleAction",
+    ]
+    resources = [
+      module.eks.workers_asg_arns[0],
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "sqs:DeleteMessage",
+      "sqs:ReceiveMessage"
+    ]
+    resources = [
+      module.node_term_sqs.sqs_queue_arn
+    ]
+  }
+}
+
+resource "aws_iam_policy" "node_term" {
+  name   = "node-term-${local.cluster_name}"
+  policy = data.aws_iam_policy_document.node_term.json
+}
+
+resource "aws_iam_role_policy_attachment" "node_term_policy" {
+  policy_arn = aws_iam_policy.node_term.arn
+  role       = module.eks.worker_iam_role_name
+}
+
+data "aws_iam_policy_document" "node_term_events" {
+  statement {
+    effect = "Allow"
+    principals {
+      type = "Service"
+      identifiers = [
+        "events.amazonaws.com",
+        "sqs.amazonaws.com",
+      ]
+    }
+    actions = [
+      "sqs:SendMessage",
+    ]
+    resources = [
+      "arn:aws:sqs:${var.region}:${data.aws_caller_identity.current.account_id}:${local.cluster_name}",
+    ]
+  }
+}
+
+module "node_term_sqs" {
+  source                    = "terraform-aws-modules/sqs/aws"
+  version                   = "~> 3.0.0"
+  name                      = local.cluster_name
+  message_retention_seconds = 300
+  policy                    = data.aws_iam_policy_document.node_term_events.json
+}
+
+resource "aws_cloudwatch_event_rule" "node_term_event_rule" {
+  name        = "${local.cluster_name}-nth-rule"
+  description = "Node termination event rule"
+  event_pattern = jsonencode(
+    {
+      "source" : [
+        "aws.autoscaling"
+      ],
+      "detail-type" : [
+        "EC2 Instance-terminate Lifecycle Action"
+      ]
+      "resources" : [
+        module.eks.workers_asg_arns[0],
+      ]
+    }
+  )
+}
+
+resource "aws_cloudwatch_event_target" "node_term_event_target" {
+  rule      = aws_cloudwatch_event_rule.node_term_event_rule.name
+  target_id = "ANTHandler"
+  arn       = module.node_term_sqs.sqs_queue_arn
+}
+
+module "node_term_role" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "4.1.0"
+  create_role                   = true
+  role_description              = "IRSA role for ANTH, cluster ${local.cluster_name}"
+  role_name_prefix              = local.cluster_name
+  provider_url                  = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+  role_policy_arns              = [aws_iam_policy.node_term.arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.serviceaccount}"]
+}
+
+resource "null_resource" "helm_install" {
+  provisioner "local-exec" {
+    environment = {
+      USE_SUDO         = "false"
+      HELM_INSTALL_DIR = "${path.root}/bin"
+    }
+    command = <<EOT
+mkdir -p ${path.root}/bin
+curl -fsSL -o ${path.root}/bin/get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+chmod +x ${path.root}/bin/get_helm.sh
+${path.root}/bin/get_helm.sh
+EOT
+  }
+}
+
+resource "null_resource" "helm_add_repo" {
+  depends_on = [
+    null_resource.helm_install,
+  ]
+
+  triggers = {
+    version = var.aws_node_termination_handler_chart_version
+  }
+
+  provisioner "local-exec" {
+    environment = {
+      XDG_CACHE_HOME  = abspath("${path.root}/.cache")
+      XDG_CONFIG_HOME = abspath(path.root)
+      XDG_DATA_HOME   = abspath(path.root)
+    }
+    command = "${path.root}/bin/helm repo add --force-update eks https://aws.github.io/eks-charts"
+  }
+}
+
+resource "null_resource" "helm_install_chart" {
+  depends_on = [
+    module.eks,
+    module.node_term_role,
+    null_resource.helm_add_repo,
+  ]
+
+  triggers = {
+    version  = var.aws_node_termination_handler_chart_version
+    role_arn = module.node_term_role.iam_role_arn
+  }
+
+  provisioner "local-exec" {
+    environment = {
+      KUBECONFIG      = "${path.root}/${module.eks.kubeconfig_filename}"
+      XDG_CACHE_HOME  = abspath("${path.root}/.cache")
+      XDG_CONFIG_HOME = abspath(path.root)
+      XDG_DATA_HOME   = abspath(path.root)
+    }
+    command = <<EOT
+chmod 0600 "$KUBECONFIG"
+${path.root}/bin/helm upgrade --install aws-node-termination-handler \
+  --wait \
+  --namespace ${var.namespace} \
+  --set serviceAccount.name=${var.serviceaccount} \
+  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"=${self.triggers.role_arn} \
+  --set enableSqsTerminationDraining=true \
+  --set queueURL=${module.node_term_sqs.sqs_queue_id} \
+  --set logLevel=DEBUG \
+  --set awsRegion=${var.region} \
+  --version=${self.triggers.version} \
+  eks/aws-node-termination-handler
+EOT
+  }
+}
+
+resource "aws_autoscaling_lifecycle_hook" "node_term" {
+  name                   = "node_term-${local.cluster_name}"
+  autoscaling_group_name = module.eks.workers_asg_names[0]
+  lifecycle_transition   = "autoscaling:EC2_INSTANCE_TERMINATING"
+  heartbeat_timeout      = 300
+  default_result         = "CONTINUE"
+}
+
+module "eks" {
+  source                                = "../.."
+  cluster_name                          = local.cluster_name
+  cluster_version                       = "1.19"
+  subnets                               = module.vpc.public_subnets
+  vpc_id                                = module.vpc.vpc_id
+  enable_irsa                           = true
+  worker_create_initial_lifecycle_hooks = true
+  worker_groups_launch_template = [
+    {
+      name                                 = "refresh"
+      asg_max_size                         = 2
+      asg_desired_capacity                 = 2
+      instance_refresh_enabled             = true
+      instance_refresh_triggers            = ["tag"]
+      public_ip                            = true
+      metadata_http_put_response_hop_limit = 3
+      tags = [
+        {
+          key                 = "aws-node-termination-handler/managed"
+          value               = ""
+          propagate_at_launch = true
+        },
+        {
+          key                 = "foo"
+          value               = "buzz"
+          propagate_at_launch = true
+        },
+      ]
+    },
+  ]
+}
+

examples/instance_refresh/outputs.tf

@@ -0,0 +1,34 @@
+output "cluster_endpoint" {
+  description = "Endpoint for EKS control plane."
+  value       = module.eks.cluster_endpoint
+}
+
+output "cluster_security_group_id" {
+  description = "Security group ids attached to the cluster control plane."
+  value       = module.eks.cluster_security_group_id
+}
+
+output "kubectl_config" {
+  description = "kubectl config as generated by the module."
+  value       = module.eks.kubeconfig
+}
+
+output "config_map_aws_auth" {
+  description = "A kubernetes configuration to authenticate to this EKS cluster."
+  value       = module.eks.config_map_aws_auth
+}
+
+output "region" {
+  description = "AWS region."
+  value       = var.region
+}
+
+output "sqs_queue_asg_notification_arn" {
+  description = "SQS queue ASG notification ARN"
+  value       = module.node_term_sqs.sqs_queue_arn
+}
+
+output "sqs_queue_asg_notification_url" {
+  description = "SQS queue ASG notification URL"
+  value       = module.node_term_sqs.sqs_queue_id
+}

examples/instance_refresh/variables.tf

@@ -0,0 +1,18 @@
+variable "region" {
+  default = "us-west-2"
+}
+
+variable "aws_node_termination_handler_chart_version" {
+  description = "Version of the aws-node-termination-handler Helm chart to install."
+  default     = "0.15.0"
+}
+
+variable "namespace" {
+  description = "Namespace for the aws-node-termination-handler."
+  default     = "kube-system"
+}
+
+variable "serviceaccount" {
+  description = "Serviceaccount for the aws-node-termination-handler."
+  default     = "aws-node-termination-handler"
+}

examples/instance_refresh/versions.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws        = ">= 3.22.0"
+    local      = ">= 1.4"
+    null       = ">= 2.1"
+    template   = ">= 2.1"
+    random     = ">= 2.1"
+    kubernetes = "~> 1.11"
+  }
+}

local.tf

@@ -34,7 +34,7 @@ locals {
     asg_max_size                  = "3"                         # Maximum worker capacity in the autoscaling group.
     asg_min_size                  = "1"                         # Minimum worker capacity in the autoscaling group. NOTE: Change in this paramater will affect the asg_desired_capacity, like changing its value to 2 will change asg_desired_capacity value to 2 but bringing back it to 1 will not affect the asg_desired_capacity.
     asg_force_delete              = false                       # Enable forced deletion for the autoscaling group.
-    asg_initial_lifecycle_hooks   = []                          # Initital lifecycle hook for the autoscaling group.
+    asg_initial_lifecycle_hooks   = []                          # Initial lifecycle hook for the autoscaling group.
     asg_recreate_on_change        = false                       # Recreate the autoscaling group when the Launch Template or Launch Configuration change.
     default_cooldown              = null                        # The amount of time, in seconds, after a scaling activity completes before another scaling activity can start.
     health_check_type             = null                        # Controls how health checking is done. Valid values are "EC2" or "ELB".
@@ -96,6 +96,11 @@ locals {
     spot_max_price                           = ""                                                   # Maximum price per unit hour that the user is willing to pay for the Spot instances. Default is the on-demand price
     max_instance_lifetime                    = 0                                                    # Maximum number of seconds instances can run in the ASG. 0 is unlimited.
     elastic_inference_accelerator            = null                                                 # Type of elastic inference accelerator to be attached. Example values are eia1.medium, eia2.large, etc.
+    instance_refresh_enabled                 = false                                                # Enable instance refresh for the worker autoscaling group.
+    instance_refresh_strategy                = "Rolling"                                            # Strategy to use for instance refresh. Default is 'Rolling' which the only valid value.
+    instance_refresh_min_healthy_percentage  = 90                                                   # The amount of capacity in the ASG that must remain healthy during an instance refresh, as a percentage of the ASG's desired capacity.
+    instance_refresh_instance_warmup         = null                                                 # The number of seconds until a newly launched instance is configured and ready to use. Defaults to the ASG's health check grace period.
+    instance_refresh_triggers                = []                                                   # Set of additional property names that will trigger an Instance Refresh. A refresh will always be triggered by a change in any of launch_configuration, launch_template, or mixed_instances_policy.
   }
 
   workers_group_defaults = merge(