Allow customization of EKS AMI

What does this MR do?

The default AMI used by EKS may need to be swapped with a hardened kernel. This commit makes it possible to specify eks_ami_id to do this.

When a custom AMI is used, a launch template must be used.

Example use with FIPS Omnibus and EKS AMIs (generated via https://github.com/awslabs/amazon-eks-ami/pull/898):

environment.tf:

module "gitlab_ref_arch_aws" {
  source = "../../modules/gitlab_ref_arch_aws"

  prefix = var.prefix
  # ami_id covers the Omnibus EC2 instances; when FIPS is requested it is the
  # Ubuntu Pro FIPS image looked up in data.tf, otherwise the module default.
  ami_id = var.fips ? data.aws_ami.ubuntu_18_04_fips[0].id : null
  # eks_ami_id is the new input: the hardened AMI the EKS node groups boot from.
  eks_ami_id = var.eks_ami_id
  ssh_public_key_file = file(var.ssh_public_key_file)

  create_network = true
  subnet_pub_count = 3
  elb_internal_create = true
  <snip>
}

variables.tf:

<snip>
variable "fips" {
  default = true
}

# Pinned to one specific image built from the amazon-eks-ami PR above rather
# than a name-pattern lookup, so a rebuild of the image is an explicit change here.
variable "eks_ami_id" {
  default = "ami-0a25e760cd00b027e"
}

data.tf:

data "aws_ami" "ubuntu_18_04_fips" {
  # count = 1 so the result is a list and the [0] index used in environment.tf resolves.
  count = 1

  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu-pro-fips/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  # Restrict the wildcard name match to images published through the
  # Marketplace; without an owner constraint any account could publish a
  # public AMI with a matching name. Ubuntu Pro FIPS is a Marketplace
  # product, so the account must have accepted the listing before launch.
  owners = ["aws-marketplace"]
}
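The MR states that a custom AMI can only be used together with a launch template. The following is an added illustration, not code from this MR or from the GET module, of what that looks like for an EKS managed node group: the launch template carries the custom image_id and the bootstrap user data that the default AMI would otherwise supply, and the node group points at the template. The resource names aws_eks_cluster.this, aws_iam_role.eks_node and the variables var.prefix and var.private_subnet_ids are assumed to exist in the calling configuration.

```hcl
# Added example (not part of the MR): managed node group on a custom AMI.
# Assumes aws_eks_cluster.this, aws_iam_role.eks_node, var.prefix,
# var.private_subnet_ids and var.eks_ami_id are defined elsewhere.

locals {
  # Images built from awslabs/amazon-eks-ami ship /etc/eks/bootstrap.sh,
  # which joins the node to the cluster. With a custom AMI EKS no longer
  # injects this for us, so the launch template has to provide it.
  eks_node_user_data = <<-EOT
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="==BOUNDARY=="

    --==BOUNDARY==
    Content-Type: text/x-shellscript; charset="us-ascii"

    #!/bin/bash
    set -o errexit -o pipefail
    /etc/eks/bootstrap.sh "${aws_eks_cluster.this.name}" \
      --apiserver-endpoint "${aws_eks_cluster.this.endpoint}" \
      --b64-cluster-ca "${aws_eks_cluster.this.certificate_authority[0].data}"
    --==BOUNDARY==--
  EOT
}

resource "aws_launch_template" "eks_custom" {
  name_prefix = "${var.prefix}-eks-"
  image_id    = var.eks_ami_id
  user_data   = base64encode(local.eks_node_user_data)

  # Require IMDSv2 and keep the hop limit at 1 so pods that are not on the
  # host network cannot read node credentials from the metadata service.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size = 50
      volume_type = "gp3"
      encrypted   = true
    }
  }
}

resource "aws_eks_node_group" "custom_ami" {
  cluster_name    = aws_eks_cluster.this.name
  node_group_name = "${var.prefix}-hardened"
  node_role_arn   = aws_iam_role.eks_node.arn
  subnet_ids      = var.private_subnet_ids

  # ami_type, release_version and version are deliberately not set: when the
  # launch template specifies its own image_id, EKS rejects a node group
  # that also sets them.
  launch_template {
    id      = aws_launch_template.eks_custom.id
    version = aws_launch_template.eks_custom.latest_version
  }

  scaling_config {
    desired_size = 3
    min_size     = 3
    max_size     = 6
  }
}
```

Two things to check before relying on this in a real environment: the bootstrap flags above are those of the upstream bootstrap.sh, so confirm the hardened image you build still ships that script; and the hop limit of 1 breaks workloads that read the node's IAM credentials via IMDS instead of IRSA, which is usually the desired outcome on a hardened node but needs to be known in advance.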

Related issues

Author's checklist

When ready for review, the Author applies the workflow::ready for review label and mentions @gl-quality/get-maintainers:

  • Merge request:
    • Corresponding Issue raised and reviewed by the GET maintainers team.
    • Merge Request Title and Description are up to date, accurate, and descriptive
    • MR targeting the appropriate branch
    • MR has a green pipeline
    • MR has no new security alerts in the widget from the Secret Detection and IaC Scan (SAST) jobs.
  • Code:
    • Check the area changed works as expected. Consider testing it in different environment sizes (1k,3k,10k,etc.).
    • Documentation created/updated in the same MR.
    • If this MR adds an optional configuration - check that all permutations continue to work.
    • For Terraform changes: setup a previous version environment, then run a terraform plan with your new changes and ensure nothing will be destroyed. If anything will be destroyed and this can't be avoided please add a comment to the current MR.
  • Create any follow-up issue(s) to support the new feature across other supported cloud providers or advanced configurations. Create 1 issue for each provider/configuration. Contact the Quality Enablement team if unsure.
Edited by Grant Young
