
Our ops team pushed a hardened AMI to our AWS account; I want to use this AMI instead of the AWS-provided AMI.

I want to switch from the AWS-provided AMI to a custom AMI, referencing this repo https://github.com/naumannt/tf-article/tree/master/Article%205 and this file https://github.com/naumannt/tf-article/blob/master/Article%205/modules/eks/worker-nodes.tf

########################################################################################
# Setup AutoScaling Group for worker nodes

# Setup data source to get amazon-provided AMI for EKS nodes
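data "aws_ami" "eks-worker" {
  # The name filter and the owners list together decide which image
  # aws_launch_configuration.tf_eks boots; when replacing the Amazon-provided
  # image, both have to point at the custom one (its name pattern and the
  # account that registered it).
  filter {
    name   = "name"
    values = ["amazon-eks-node-v*"]
  }

  # A wildcard pattern can match several images; most_recent resolves that to
  # whichever matching image was registered last, so a loose pattern can
  # silently select a newer image than the one intended.
  most_recent = true
  owners      = ["602401143452"] # Amazon EKS AMI Account ID
  # -----? change this with my custom ami ---
  # (asker's marker kept as an HCL comment so the block still parses)
}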

# Provided in the demo code; no idea what it's used for, though. TODO: DELETE
# data "aws_region" "current" {}

# EKS currently documents this required userdata for EKS worker nodes to
# properly configure Kubernetes applications on the EC2 instance.
# We utilize a Terraform local here to simplify Base64-encoding this
# information and write it into the AutoScaling Launch Configuration.
# More information: https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html
locals {
  # Bootstrap script run on each worker at first boot; aws_launch_configuration.tf_eks
  # base64-encodes it into user_data_base64. `set -o xtrace` echoes every command
  # and its arguments into the script's output (typically the instance's
  # cloud-init/console log), so nothing secret should be added to this script.
  # The trailing 'example' is the cluster name handed to bootstrap.sh; it has to
  # agree with the kubernetes.io/cluster/example tag on the autoscaling group.
  tf-eks-node-userdata = <<USERDATA
#!/bin/bash
set -o xtrace
/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.tf_eks.endpoint}' --b64-cluster-ca '${aws_eks_cluster.tf_eks.certificate_authority.0.data}' 'example'
USERDATA
}

resource "aws_launch_configuration" "tf_eks" {
  # Every worker gets a public IP. Reasonable for public subnets; worth
  # reconsidering if var.app_subnet_ids are private subnets behind a NAT.
  associate_public_ip_address = true
  iam_instance_profile        = "${aws_iam_instance_profile.node.name}"
  # Resolved by the data "aws_ami" "eks-worker" lookup; that lookup's filter
  # and owners decide which image actually boots here.
  image_id                    = "${data.aws_ami.eks-worker.id}"
  instance_type               = "m4.large"
  name_prefix                 = "terraform-eks"
  security_groups             = ["${aws_security_group.tf-eks-node.id}"]
  # The userdata local is encoded here rather than inline in the heredoc.
  user_data_base64            = "${base64encode(local.tf-eks-node-userdata)}"
  # SSH key pair installed on every node; the argument is optional and can be
  # dropped if shell access to the workers is not needed.
  key_name                    = "${var.keypair-name}"

  lifecycle {
    # A replacement launch configuration is created before the old one is
    # destroyed, so the autoscaling group never points at a deleted one.
    create_before_destroy = true
  }
}

resource "aws_lb_target_group" "tf_eks" {
  # Plain HTTP from the load balancer to NodePort 31742 on each worker; any
  # TLS would have to be terminated at the listener, which is not shown here.
  name = "terraform-eks-nodes"
  port = 31742
  protocol = "HTTP"
  vpc_id = "${var.vpc_id}"
  # Instances register directly, which is why the autoscaling group attaches
  # this group through target_group_arns.
  target_type = "instance"
}

resource "aws_autoscaling_group" "tf_eks" {
  # Capacity bounds: 1..3 workers, starting at 2. desired_capacity and max_size
  # are quoted strings while min_size is a bare number; both forms are accepted,
  # but one consistent style would read better.
  desired_capacity     = "2"
  launch_configuration = "${aws_launch_configuration.tf_eks.id}"
  max_size             = "3"
  min_size             = 1
  name                 = "terraform-tf-eks"
  vpc_zone_identifier  = ["${var.app_subnet_ids}"]
  # Registers each instance with the HTTP target group above.
  target_group_arns    = ["${aws_lb_target_group.tf_eks.arn}"]

  tag {
    key                 = "Name"
    value               = "terraform-tf-eks"
    propagate_at_launch = true
  }

  tag {
    # EKS uses this tag to associate the nodes with the cluster named
    # 'example'; the key has to match the cluster name passed to
    # bootstrap.sh in the userdata local.
    key                 = "kubernetes.io/cluster/example"
    value               = "owned"
    propagate_at_launch = true
  }
}

After googling, this is what I found (data.tf):

locals {
  worker_ami_name_filter = var.worker_ami_name_filter != "" ? var.worker_ami_name_filter : "amazon-eks-node-${var.cluster_version}-v*"
}

data "aws_region" "current" {
}

 @@ -19,13 +23,12 @@ data "aws_iam_policy_document" "workers_assume_role_policy" {
data "aws_ami" "eks_worker" {
  filter {
    name   = "name"
    values = ["${var.worker_ami_name_filter_prefix}-${var.cluster_version}-${var.worker_ami_name_filter}"]
    values = [local.worker_ami_name_filter]
  }

  most_recent = true

  # Owner ID of AWS EKS team
  owners = ["602401143452"]
  owners = [var.worker_ami_owner_id]
}

data "aws_iam_policy_document" "cluster_assume_role_policy" {
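Review bot: The new `owners = [var.worker_ami_owner_id]` and `values = [local.worker_ami_name_filter]` lines are now the only thing pinning which image boots, and with `most_recent = true` kept above them a wildcard name pattern in an account that holds several images selects whichever was registered last. For a custom hardened AMI the owner should be the account that registered it (or "self" when that is the account Terraform runs as) and the name filter narrow enough to match only that image family, so a later upload with a similar name is not picked up unintentionally. A comment on the `owners` line such as `# must be the account that registered the worker AMI, not the EKS team ID, when a custom image is used` would make that explicit. The trailing `data "aws_iam_policy_document" "cluster_assume_role_policy" {` line is context and that block continues outside the hunk.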

variable.tf

variable "worker_ami_name_filter" {

  type        = string
  default     = "v*"
  default     = ""
}

variable "worker_ami_name_filter_prefix" {
  description = "Name prefix filter for AWS EKS worker AMI. Default behaviour will get regular EKS-Optimized AMI but could be set to a EKS-Optimized AMI with GPU Support, e.g. \"amazon-eks-gpu-node\", or custom AMI"
variable "worker_ami_owner_id" {
  description = "The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft')."
  type        = string
  default     = "amazon-eks-node"
  default     = "602401143452" // The ID of the owner of the official AWS EKS AMIs.
}

variable "worker_additional_security_group_ids" {

How do I find out the value for worker_ami_owner_id? Our ops team pushed a hardened AMI to our AWS account; I want to use this AMI instead of the AWS-provided AMI.

If you know the AMI ID, you don't need any of those data blocks related to the AMI; those are what you use when you need to look up the AMI at plan/apply time. – jordanm
Do you mean the AMI ID shown under EC2 → AMIs? And is this only a fallback for when the AMI ID is not found: `locals { worker_ami_name_filter = var.worker_ami_name_filter != "" ? var.worker_ami_name_filter : "amazon-eks-node-${var.cluster_version}-v*" }`? – user17970


You do not need to know the exact owner account ID. If the account that `terraform plan`/`apply` runs from has access to the needed AMIs, you can provide the owner value as "self" instead of the canonical account ID and it will work. For instance:

data "aws_ami" "test" {
  # Only images whose name is "some_test" are considered. Without
  # most_recent = true the lookup errors if more than one image matches, so
  # the pattern has to identify exactly one AMI.
  filter {
    name = "name"
    values = ["some_test"]
  }

  # "self" restricts the search to images owned by the account Terraform runs
  # as, so a public or third-party image with the same name cannot be selected.
  owners = ["self"]
}

output "aws_ami_id" {
  # Surfaces the resolved image ID so the selection can be checked after
  # plan/apply before anything boots from it.
  value = "${data.aws_ami.test.id}"
}