fix: Updates from testing and validating EKS managed node group

bryantbiggs · bryantbiggs · commit 805fd74ad043 · 2025-07-21T14:23:38.000-05:00
diff --git a/README.md b/README.md
diff --git a/docs/compute_resources.md b/docs/compute_resources.md
@@ -73,8 +73,6 @@ Refer to the [EKS Managed Node Group documentation](https://docs.aws.amazon.com/
             kubelet:
               config:
                 shutdownGracePeriod: 30s
-                featureGates:
-                  DisableKubeletCloudCredentialProviders: true
         EOT
         content_type = "application/node.eks.aws"
       }]
diff --git a/examples/eks-managed-node-group/eks-al2023.tf b/examples/eks-managed-node-group/eks-al2023.tf
@@ -42,8 +42,6 @@ module "eks_al2023" {
               kubelet:
                 config:
                   shutdownGracePeriod: 30s
-                  featureGates:
-                    DisableKubeletCloudCredentialProviders: true
           EOT
         }
       ]
diff --git a/examples/self-managed-node-group/eks-al2023.tf b/examples/self-managed-node-group/eks-al2023.tf
@@ -41,8 +41,6 @@ module "eks_al2023" {
               kubelet:
                 config:
                   shutdownGracePeriod: 30s
-                  featureGates:
-                    DisableKubeletCloudCredentialProviders: true
           EOT
         }
       ]
diff --git a/main.tf b/main.tf
@@ -243,7 +243,7 @@ resource "aws_cloudwatch_log_group" "this" {
 locals {
   # This replaces the one time logic from the EKS API with something that can be
   # better controlled by users through Terraform
-  bootstrap_cluster_creator_admin_permissions = {
+  bootstrap_cluster_creator_admin_permissions = { for k, v in {
     cluster_creator = {
       principal_arn = try(data.aws_iam_session_context.current[0].issuer_arn, "")
       type          = "STANDARD"
@@ -257,11 +257,11 @@ locals {
         }
       }
     }
-  }
+  } : k => v if var.enable_cluster_creator_admin_permissions }
 
   # Merge the bootstrap behavior with the entries that users provide
   merged_access_entries = merge(
-    { for k, v in local.bootstrap_cluster_creator_admin_permissions : k => v if var.enable_cluster_creator_admin_permissions },
+    local.bootstrap_cluster_creator_admin_permissions,
     var.access_entries,
   )
 
diff --git a/modules/eks-managed-node-group/README.md b/modules/eks-managed-node-group/README.md
@@ -167,12 +167,12 @@ module "eks_managed_node_group" {
 | <a name="input_maintenance_options"></a> [maintenance\_options](#input\_maintenance\_options) | The maintenance options for the instance | <pre>object({<br/>    auto_recovery = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_max_size"></a> [max\_size](#input\_max\_size) | Maximum number of instances/nodes | `number` | `3` | no |
 | <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Customize the metadata options for the instance | <pre>object({<br/>    http_endpoint               = optional(string, "enabled")<br/>    http_protocol_ipv6          = optional(string)<br/>    http_put_response_hop_limit = optional(number, 1)<br/>    http_tokens                 = optional(string, "required")<br/>    instance_metadata_tags      = optional(string)<br/>  })</pre> | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_put_response_hop_limit": 1,<br/>  "http_tokens": "required"<br/>}</pre> | no |
-| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Minimum number of instances/nodes | `number` | `0` | no |
+| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Minimum number of instances/nodes | `number` | `1` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the EKS managed node group | `string` | `""` | no |
 | <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | Customize network interfaces to be attached at instance boot time | <pre>list(object({<br/>    associate_carrier_ip_address = optional(bool)<br/>    associate_public_ip_address  = optional(bool)<br/>    connection_tracking_specification = optional(object({<br/>      tcp_established_timeout = optional(number)<br/>      udp_stream_timeout      = optional(number)<br/>      udp_timeout             = optional(number)<br/>    }))<br/>    delete_on_termination = optional(bool)<br/>    description           = optional(string)<br/>    device_index          = optional(number)<br/>    ena_srd_specification = optional(object({<br/>      ena_srd_enabled = optional(bool)<br/>      ena_srd_udp_specification = optional(object({<br/>        ena_srd_udp_enabled = optional(bool)<br/>      }))<br/>    }))<br/>    interface_type       = optional(string)<br/>    ipv4_address_count   = optional(number)<br/>    ipv4_addresses       = optional(list(string))<br/>    ipv4_prefix_count    = optional(number)<br/>    ipv4_prefixes        = optional(list(string))<br/>    ipv6_address_count   = optional(number)<br/>    ipv6_addresses       = optional(list(string))<br/>    ipv6_prefix_count    = optional(number)<br/>    ipv6_prefixes        = optional(list(string))<br/>    network_card_index   = optional(number)<br/>    network_interface_id = optional(string)<br/>    primary_ipv6         = optional(bool)<br/>    private_ip_address   = optional(string)<br/>    security_groups      = optional(list(string), [])<br/>    subnet_id            = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_node_repair_config"></a> [node\_repair\_config](#input\_node\_repair\_config) | The node auto repair configuration for the node group | <pre>object({<br/>    enabled = optional(bool, true)<br/>  })</pre> | `null` | no |
 | <a name="input_partition"></a> [partition](#input\_partition) | The AWS partition - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
-| <a name="input_placement"></a> [placement](#input\_placement) | The placement of the instance | <pre>object({<br/>    affinity                = optional(string)<br/>    availability_zone       = optional(string)<br/>    group_name              = optional(string)<br/>    host_id                 = optional(string)<br/>    host_resource_group_arn = optional(string)<br/>    partition_number        = optional(number)<br/>    spread_domain           = optional(string)<br/>    tenancy                 = optional(string)<br/>  })</pre> | `{}` | no |
+| <a name="input_placement"></a> [placement](#input\_placement) | The placement of the instance | <pre>object({<br/>    affinity                = optional(string)<br/>    availability_zone       = optional(string)<br/>    group_name              = optional(string)<br/>    host_id                 = optional(string)<br/>    host_resource_group_arn = optional(string)<br/>    partition_number        = optional(number)<br/>    spread_domain           = optional(string)<br/>    tenancy                 = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_post_bootstrap_user_data"></a> [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `""` | no |
 | <a name="input_pre_bootstrap_user_data"></a> [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `""` | no |
 | <a name="input_private_dns_name_options"></a> [private\_dns\_name\_options](#input\_private\_dns\_name\_options) | The options for the instance hostname. The default values are inherited from the subnet | <pre>object({<br/>    enable_resource_name_dns_aaaa_record = optional(bool)<br/>    enable_resource_name_dns_a_record    = optional(bool)<br/>    hostname_type                        = optional(string)<br/>  })</pre> | `null` | no |
diff --git a/modules/eks-managed-node-group/main.tf b/modules/eks-managed-node-group/main.tf
@@ -305,17 +305,17 @@ resource "aws_launch_template" "this" {
   }
 
   dynamic "placement" {
-    for_each = length(var.placement) > 0 || local.create_placement_group ? [var.placement] : []
+    for_each = var.placement != null || local.create_placement_group ? [var.placement] : []
 
     content {
-      affinity                = placement.value.affinity
-      availability_zone       = placement.value.availability_zone
-      group_name              = try(coalesce(aws_placement_group.this[0].name, placement.value.group_name), null)
-      host_id                 = placement.value.host_id
-      host_resource_group_arn = placement.value.host_resource_group_arn
-      partition_number        = placement.value.partition_number
-      spread_domain           = placement.value.spread_domain
-      tenancy                 = placement.value.tenancy
+      affinity                = try(placement.value.affinity, null)
+      availability_zone       = try(placement.value.availability_zone, null)
+      group_name              = try(aws_placement_group.this[0].name, placement.value.group_name)
+      host_id                 = try(placement.value.host_id, null)
+      host_resource_group_arn = try(placement.value.host_resource_group_arn, null)
+      partition_number        = try(placement.value.partition_number, null)
+      spread_domain           = try(placement.value.spread_domain, null)
+      tenancy                 = try(placement.value.tenancy, null)
     }
   }
 
diff --git a/modules/eks-managed-node-group/variables.tf b/modules/eks-managed-node-group/variables.tf
@@ -391,7 +391,7 @@ variable "placement" {
     spread_domain           = optional(string)
     tenancy                 = optional(string)
   })
-  default = {}
+  default = null
 }
 
 variable "create_placement_group" {
@@ -436,7 +436,7 @@ variable "subnet_ids" {
 variable "min_size" {
   description = "Minimum number of instances/nodes"
   type        = number
-  default     = 0
+  default     = 1
 }
 
 variable "max_size" {
diff --git a/modules/self-managed-node-group/README.md b/modules/self-managed-node-group/README.md
@@ -163,12 +163,12 @@ module "self_managed_node_group" {
 | <a name="input_max_size"></a> [max\_size](#input\_max\_size) | The maximum size of the autoscaling group | `number` | `3` | no |
 | <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Customize the metadata options for the instance | <pre>object({<br/>    http_endpoint               = optional(string, "enabled")<br/>    http_protocol_ipv6          = optional(string)<br/>    http_put_response_hop_limit = optional(number, 1)<br/>    http_tokens                 = optional(string, "required")<br/>    instance_metadata_tags      = optional(string)<br/>  })</pre> | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_put_response_hop_limit": 1,<br/>  "http_tokens": "required"<br/>}</pre> | no |
 | <a name="input_metrics_granularity"></a> [metrics\_granularity](#input\_metrics\_granularity) | The granularity to associate with the metrics to collect. The only valid value is `1Minute` | `string` | `null` | no |
-| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | The minimum size of the autoscaling group | `number` | `0` | no |
+| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | The minimum size of the autoscaling group | `number` | `1` | no |
 | <a name="input_mixed_instances_policy"></a> [mixed\_instances\_policy](#input\_mixed\_instances\_policy) | Configuration block containing settings to define launch targets for Auto Scaling groups | <pre>object({<br/>    instances_distribution = optional(object({<br/>      on_demand_allocation_strategy            = optional(string)<br/>      on_demand_base_capacity                  = optional(number)<br/>      on_demand_percentage_above_base_capacity = optional(number)<br/>      spot_allocation_strategy                 = optional(string)<br/>      spot_instance_pools                      = optional(number)<br/>      spot_max_price                           = optional(string)<br/>    }))<br/>    launch_template = object({<br/>      override = optional(list(object({<br/>        instance_requirements = optional(object({<br/>          accelerator_count = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          accelerator_manufacturers = optional(list(string))<br/>          accelerator_names         = optional(list(string))<br/>          accelerator_total_memory_mib = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          accelerator_types      = optional(list(string))<br/>          allowed_instance_types = optional(list(string))<br/>          bare_metal             = optional(string)<br/>          baseline_ebs_bandwidth_mbps = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          burstable_performance                                   = optional(string)<br/>          cpu_manufacturers                                       = optional(list(string))<br/>          excluded_instance_types                                 = optional(list(string))<br/>          instance_generations                                    = optional(list(string))<br/>          local_storage                                           = optional(string)<br/>          local_storage_types                                     = optional(list(string))<br/>          max_spot_price_as_percentage_of_optimal_on_demand_price = optional(number)<br/>          memory_gib_per_vcpu = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          memory_mib = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          network_bandwidth_gbps = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          network_interface_count = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          on_demand_max_price_percentage_over_lowest_price = optional(number)<br/>          require_hibernate_support                        = optional(bool)<br/>          spot_max_price_percentage_over_lowest_price      = optional(number)<br/>          total_local_storage_gb = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>          vcpu_count = optional(object({<br/>            max = optional(number)<br/>            min = optional(number)<br/>          }))<br/>        }))<br/>        instance_type = optional(string)<br/>        launch_template_specification = optional(object({<br/>          launch_template_id   = optional(string)<br/>          launch_template_name = optional(string)<br/>          version              = optional(string)<br/>        }))<br/>        weighted_capacity = optional(string)<br/>      })))<br/>    })<br/>  })</pre> | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the Self managed Node Group | `string` | `""` | no |
 | <a name="input_network_interfaces"></a> [network\_interfaces](#input\_network\_interfaces) | Customize network interfaces to be attached at instance boot time | <pre>list(object({<br/>    associate_carrier_ip_address = optional(bool)<br/>    associate_public_ip_address  = optional(bool)<br/>    connection_tracking_specification = optional(object({<br/>      tcp_established_timeout = optional(number)<br/>      udp_stream_timeout      = optional(number)<br/>      udp_timeout             = optional(number)<br/>    }))<br/>    delete_on_termination = optional(bool)<br/>    description           = optional(string)<br/>    device_index          = optional(number)<br/>    ena_srd_specification = optional(object({<br/>      ena_srd_enabled = optional(bool)<br/>      ena_srd_udp_specification = optional(object({<br/>        ena_srd_udp_enabled = optional(bool)<br/>      }))<br/>    }))<br/>    interface_type       = optional(string)<br/>    ipv4_address_count   = optional(number)<br/>    ipv4_addresses       = optional(list(string))<br/>    ipv4_prefix_count    = optional(number)<br/>    ipv4_prefixes        = optional(list(string))<br/>    ipv6_address_count   = optional(number)<br/>    ipv6_addresses       = optional(list(string))<br/>    ipv6_prefix_count    = optional(number)<br/>    ipv6_prefixes        = optional(list(string))<br/>    network_card_index   = optional(number)<br/>    network_interface_id = optional(string)<br/>    primary_ipv6         = optional(bool)<br/>    private_ip_address   = optional(string)<br/>    security_groups      = optional(list(string), [])<br/>    subnet_id            = optional(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_partition"></a> [partition](#input\_partition) | The AWS partition - pass through value to reduce number of GET requests from data sources | `string` | `""` | no |
-| <a name="input_placement"></a> [placement](#input\_placement) | The placement of the instance | <pre>object({<br/>    affinity                = optional(string)<br/>    availability_zone       = optional(string)<br/>    group_name              = optional(string)<br/>    host_id                 = optional(string)<br/>    host_resource_group_arn = optional(string)<br/>    partition_number        = optional(number)<br/>    spread_domain           = optional(string)<br/>    tenancy                 = optional(string)<br/>  })</pre> | `{}` | no |
+| <a name="input_placement"></a> [placement](#input\_placement) | The placement of the instance | <pre>object({<br/>    affinity                = optional(string)<br/>    availability_zone       = optional(string)<br/>    group_name              = optional(string)<br/>    host_id                 = optional(string)<br/>    host_resource_group_arn = optional(string)<br/>    partition_number        = optional(number)<br/>    spread_domain           = optional(string)<br/>    tenancy                 = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_placement_group"></a> [placement\_group](#input\_placement\_group) | The name of the placement group into which you'll launch your instances | `string` | `null` | no |
 | <a name="input_post_bootstrap_user_data"></a> [post\_bootstrap\_user\_data](#input\_post\_bootstrap\_user\_data) | User data that is appended to the user data script after of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `""` | no |
 | <a name="input_pre_bootstrap_user_data"></a> [pre\_bootstrap\_user\_data](#input\_pre\_bootstrap\_user\_data) | User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `ami_type` = `BOTTLEROCKET_*` | `string` | `""` | no |
diff --git a/modules/self-managed-node-group/main.tf b/modules/self-managed-node-group/main.tf
@@ -428,7 +428,7 @@ resource "aws_launch_template" "this" {
     content {
       affinity                = placement.value.affinity
       availability_zone       = placement.value.availability_zone
-      group_name              = try(coalesce(aws_placement_group.this[0].name, placement.value.group_name), null)
+      group_name              = try(aws_placement_group.this[0].name, placement.value.group_name)
       host_id                 = placement.value.host_id
       host_resource_group_arn = placement.value.host_resource_group_arn
       partition_number        = placement.value.partition_number
diff --git a/modules/self-managed-node-group/variables.tf b/modules/self-managed-node-group/variables.tf
@@ -326,7 +326,7 @@ variable "placement" {
     spread_domain           = optional(string)
     tenancy                 = optional(string)
   })
-  default = {}
+  default = null
 }
 
 variable "create_placement_group" {
@@ -548,7 +548,7 @@ variable "subnet_ids" {
 variable "min_size" {
   description = "The minimum size of the autoscaling group"
   type        = number
-  default     = 0
+  default     = 1
 }
 
 variable "max_size" {
diff --git a/node_groups.tf b/node_groups.tf
diff --git a/tests/eks-managed-node-group/main.tf b/tests/eks-managed-node-group/main.tf
diff --git a/tests/self-managed-node-group/main.tf b/tests/self-managed-node-group/main.tf
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -42,8 +42,6 @@ module "eks_al2023" {`
`42`	`42`	`kubelet:`
`43`	`43`	`config:`
`44`	`44`	`shutdownGracePeriod: 30s`
`45`		`- featureGates:`
`46`		`- DisableKubeletCloudCredentialProviders: true`
`47`	`45`	`EOT`
`48`	`46`	`}`
`49`	`47`	`]`
Original file line number	Diff line number	Diff line change
`@@ -41,8 +41,6 @@ module "eks_al2023" {`
`41`	`41`	`kubelet:`
`42`	`42`	`config:`
`43`	`43`	`shutdownGracePeriod: 30s`
`44`		`- featureGates:`
`45`		`- DisableKubeletCloudCredentialProviders: true`
`46`	`44`	`EOT`
`47`	`45`	`}`
`48`	`46`	`]`
Original file line number	Diff line number	Diff line change
`@@ -243,7 +243,7 @@ resource "aws_cloudwatch_log_group" "this" {`
`243`	`243`	`locals {`
`244`	`244`	`# This replaces the one time logic from the EKS API with something that can be`
`245`	`245`	`# better controlled by users through Terraform`
`246`		`- bootstrap_cluster_creator_admin_permissions = {`
	`246`	`+ bootstrap_cluster_creator_admin_permissions = { for k, v in {`
`247`	`247`	`cluster_creator = {`
`248`	`248`	`principal_arn = try(data.aws_iam_session_context.current[0].issuer_arn, "")`
`249`	`249`	`type = "STANDARD"`
`@@ -257,11 +257,11 @@ locals {`
`257`	`257`	`}`
`258`	`258`	`}`
`259`	`259`	`}`
`260`		`- }`
	`260`	`+ } : k => v if var.enable_cluster_creator_admin_permissions }`
`261`	`261`
`262`	`262`	`# Merge the bootstrap behavior with the entries that users provide`
`263`	`263`	`merged_access_entries = merge(`
`264`		`- { for k, v in local.bootstrap_cluster_creator_admin_permissions : k => v if var.enable_cluster_creator_admin_permissions },`
	`264`	`+ local.bootstrap_cluster_creator_admin_permissions,`
`265`	`265`	`var.access_entries,`
`266`	`266`	`)`
`267`	`267`