[Question title]: Terraform to prevent forced update of AWS EKS cluster
[Posted]: 2020-10-01 18:53:31
[Question]:

I am using the Terraform AWS EKS registry module https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/12.1.0?tab=inputs

Today I made a new change to the TF configuration (unrelated to EKS), and I saw that my EKS worker nodes are going to be rebuilt because of an AMI update, which is what I am trying to prevent.

  # module.kubernetes.module.eks-cluster.aws_launch_configuration.workers[0] must be replaced
+/- resource "aws_launch_configuration" "workers" {
      ~ arn                              = "arn:aws:autoscaling:us-east-2:555065427312:launchConfiguration:6c59fac6-5912-4079-8cc9-268a7f7fc98b:launchConfigurationName/edna-dev-eks-02020061119383942580000000b" -> (known after apply)
        associate_public_ip_address      = false
        ebs_optimized                    = true
        enable_monitoring                = true
        iam_instance_profile             = "edna-dev-eks20200611193836418800000007"
      ~ id                               = "edna-dev-eks-02020061119383942580000000b" -> (known after apply)
      ~ image_id                         = "ami-05fc7ae9bc84e5708" -> "ami-073f227b0cd9507f9" # forces replacement
        instance_type                    = "t3.medium"
      + key_name                         = (known after apply)
      ~ name                             = "edna-dev-eks-02020061119383942580000000b" -> (known after apply)
        name_prefix                      = "edna-dev-eks-0"
        security_groups                  = [
            "sg-09b14dfce82015a63",
        ]

The rebuild happens because EKS has released a newer version of the AMI for the cluster worker nodes.

Here is my EKS terraform configuration

###################################################################################
# EKS CLUSTER                                                                     #
#                                                                                 #
# This module contains configuration for EKS cluster running various applications #
###################################################################################

module "eks_label" {
  source      = "git::https://github.com/cloudposse/terraform-null-label.git?ref=master"
  namespace   = var.project
  environment = var.environment
  attributes  = [var.component]
  name        = "eks"
}

data "aws_eks_cluster" "cluster" {
  name = module.eks-cluster.cluster_id
}

data "aws_eks_cluster_auth" "cluster" {
  name = module.eks-cluster.cluster_id
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.cluster.token
  load_config_file       = false
  version                = "~> 1.9"
}

module "eks-cluster" {
  source          = "terraform-aws-modules/eks/aws"
  cluster_name    = module.eks_label.id
  cluster_version = "1.16"
  subnets         = var.subnets
  vpc_id          = var.vpc_id

  worker_groups = [
    {
      instance_type = var.cluster_node_type
      asg_max_size  = var.cluster_node_count
    }
  ]

  tags = var.tags
}

If I try to add a lifecycle block to the module configuration

lifecycle {
    ignore_changes = [image_id]
}

I get the error:

➜ terraform plan                                                                   

Error: Reserved block type name in module block

  on modules/kubernetes/main.tf line 45, in module "eks-cluster":
  45:   lifecycle {

The block type name "lifecycle" is reserved for use by Terraform in a future
version.

Any ideas?

[Question comments]:

  • Why do you care whether the worker instances get replaced by a new AMI? The EKS module you are using automatically handles rolling out a new ASG before removing the old one, so Kubernetes moves the pods to the new instances automatically.

Tags: kubernetes terraform terraform-provider-aws


[Answer 1]:

What about using the terraform-aws-modules/eks/aws worker_ami_name_filter variable to look specifically for your current AMI?

For example:

module "eks-cluster" {
  source          = "terraform-aws-modules/eks/aws"
  cluster_name    = module.eks_label.id
  <...snip...>

  worker_ami_name_filter = "amazon-eks-node-1.16-v20200531"
}

You can map AMI IDs to their names using the AWS web console or the CLI:

user@localhost:~$ aws ec2 describe-images --filters "Name=name,Values=amazon-eks-node-1.16*" --region us-east-2 --output json | jq '.Images[] | "\(.Name) \(.ImageId)"'
"amazon-eks-node-1.16-v20200423 ami-01782c0e32657accf"
"amazon-eks-node-1.16-v20200531 ami-05fc7ae9bc84e5708"
"amazon-eks-node-1.16-v20200609 ami-073f227b0cd9507f9"
"amazon-eks-node-1.16-v20200507 ami-0edc51bc2f03c9dc2"

But why do you want to stop the Auto Scaling group from using a newer AMI? It will only apply the newer AMI to new nodes. It won't terminate existing nodes just to update them.

[Discussion]:

  • The answer above is only a workaround, but the problem does exist and I am facing it too. Because I want to add asg
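As an added example (not part of the question or the answer, and not the EKS module's own code), the following Python script does the ID-to-name mapping that the jq one-liner in the answer does, derives the exact worker_ami_name_filter value that keeps the workers on the current image, and lists which later releases the pin is holding back. The describe-images JSON is constructed inline from the four names and IDs shown in the answer; the name pattern amazon-eks-node-<version>-v<YYYYMMDD> is assumed from those names. Freezing image_id this way stops the unplanned replacement, but it also stops patched node images from arriving, so the last function exists to make that gap visible each time the plan is reviewed.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of `aws ec2 describe-images --output json`,
# reduced to the two fields this script reads. The names and IDs are the ones
# listed in the answer; every other field of the real API response is omitted.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [
        {"ImageId": "ami-01782c0e32657accf", "Name": "amazon-eks-node-1.16-v20200423"},
        {"ImageId": "ami-05fc7ae9bc84e5708", "Name": "amazon-eks-node-1.16-v20200531"},
        {"ImageId": "ami-073f227b0cd9507f9", "Name": "amazon-eks-node-1.16-v20200609"},
        {"ImageId": "ami-0edc51bc2f03c9dc2", "Name": "amazon-eks-node-1.16-v20200507"},
    ]
})

# Assumed naming scheme, taken from the names above: amazon-eks-node-<k8s minor>-v<YYYYMMDD>.
NAME_RE = re.compile(r"^amazon-eks-node-(?P<k8s>\d+\.\d+)-v(?P<stamp>\d{8})$")


def parse_name(name):
    """Split an EKS worker AMI name into (kubernetes_version, release_date)."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not an EKS-optimized AMI name: {name!r}")
    s = m.group("stamp")
    return m.group("k8s"), date(int(s[:4]), int(s[4:6]), int(s[6:]))


def ami_names(describe_images_json):
    """Map ImageId -> Name from describe-images JSON (what the jq one-liner prints)."""
    images = json.loads(describe_images_json)["Images"]
    return {img["ImageId"]: img["Name"] for img in images}


def pin_filter_for(describe_images_json, current_ami_id):
    """Return the exact name to put in worker_ami_name_filter so the module keeps
    resolving to current_ami_id instead of the newest release."""
    names = ami_names(describe_images_json)
    if current_ami_id not in names:
        raise LookupError(f"{current_ami_id} not present in the describe-images output")
    return names[current_ami_id]


def releases_after(describe_images_json, pinned_name):
    """Names of AMIs for the same Kubernetes minor released after the pinned one,
    oldest first. A non-empty list means the pin is holding back newer node images,
    which is the trade-off to review whenever image_id is frozen this way."""
    k8s, pinned_date = parse_name(pinned_name)
    newer = []
    for name in ami_names(describe_images_json).values():
        ver, released = parse_name(name)
        if ver == k8s and released > pinned_date:
            newer.append((released, name))
    return [name for _, name in sorted(newer)]


if __name__ == "__main__":
    current = "ami-05fc7ae9bc84e5708"  # the image_id the plan wanted to move away from
    pin = pin_filter_for(SAMPLE_DESCRIBE_IMAGES, current)
    print(f'worker_ami_name_filter = "{pin}"')
    for name in releases_after(SAMPLE_DESCRIBE_IMAGES, pin):
        print(f"newer release held back by the pin: {name}")
```

To use it against a real account, replace SAMPLE_DESCRIBE_IMAGES with the output of the describe-images command from the answer; the filter value printed is what goes into the module block, and the held-back list is the cue for scheduling a deliberate node rotation rather than leaving the pin in place indefinitely.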