Nodename

00-locals.tf

@@ -30,7 +30,10 @@ locals {
       apiServer = {
         certSANs = [
           module.elb_k8s_elb.elb_dns_name
-        ]
+        ],
+        extraArgs = {
+          enable-admission-plugins = var.admission_plugins
+        }
       },
       controllerManager = {
         extraArgs = {
@@ -64,6 +67,7 @@ locals {
       kubelet = {
         extraArgs = {
           rotate-server-certificates = true
+          cloud-provider             = "external"
         }
       }
     }

00-variables.tf

@@ -9,6 +9,29 @@ variable "cluster_id" {
   type        = number
 }
 
+variable "iam_instance_profile_controller" {
+  description = "IAM instance profile to attach to the controller instances."
+  type        = string
+  default     = null
+
+}
+
+variable "iam_instance_profile_worker" {
+  description = "IAM instance profile to attach to the worker instances."
+  type        = string
+  default     = null
+}
+
+variable "metadata_options" {
+  description = "Metadata to attach to the instances."
+  type        = map(string)
+  default = {
+    http_endpoint          = "enabled"
+    http_tokens            = "required"
+    instance_metadata_tags = "disabled"
+  }
+}
+
 variable "cluster_architecture" {
   default     = "amd64"
   description = "Cluster architecture. Choose 'arm64' or 'amd64'. If you choose 'arm64', ensure to also override the control_plane.instance_type and worker_groups.instance_type with an ARM64-based instance type like 'm7g.large'."
@@ -142,4 +165,9 @@ variable "config_patch_files" {
   default     = []
   description = "Path to talos config path files that applies to all nodes"
   type        = list(string)
+}
+variable "admission_plugins" {
+  default     = "MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ServiceAccount"
+  description = "List of admission plugins to enable on the API server."
+  type        = string
 }

03-talos.tf

@@ -10,6 +10,8 @@ module "talos_control_plane_nodes" {
   subnet_id                   = element(data.aws_subnets.public.ids, count.index)
   associate_public_ip_address = true
   tags                        = merge(var.tags, local.cluster_required_tags)
+  metadata_options            = var.metadata_options
+  iam_instance_profile        = var.iam_instance_profile_controller
 
   vpc_security_group_ids = [module.cluster_sg.security_group_id]
 
@@ -32,6 +34,8 @@ module "talos_worker_group" {
   subnet_id                   = element(data.aws_subnets.public.ids, tonumber(trimprefix(each.key, "${each.value.name}.")))
   associate_public_ip_address = true
   tags                        = merge(each.value.tags, var.tags, local.cluster_required_tags)
+  metadata_options            = var.metadata_options
+  iam_instance_profile        = var.iam_instance_profile_worker
 
   vpc_security_group_ids = [module.cluster_sg.security_group_id]
 
@@ -45,6 +49,8 @@ module "talos_worker_group" {
 resource "talos_machine_secrets" "this" {}
 
 data "talos_machine_configuration" "controlplane" {
+  for_each = { for index, instance in module.talos_control_plane_nodes : index => instance }
+
   cluster_name       = var.cluster_name
   cluster_endpoint   = "https://${module.elb_k8s_elb.elb_dns_name}"
   machine_type       = "controlplane"
@@ -55,6 +61,18 @@ data "talos_machine_configuration" "controlplane" {
     local.config_patches_common,
     [yamlencode(local.common_config_patch)],
     [yamlencode(local.config_cilium_patch)],
+    [yamlencode(
+      {
+        machine = {
+          kubelet = {
+            extraArgs = {
+              hostname-override = module.talos_control_plane_nodes[for_each].id
+            }
+          }
+        }
+      }
+      )
+    ],
     [for path in var.control_plane.config_patch_files : file(path)]
   )
 }
@@ -72,6 +90,19 @@ data "talos_machine_configuration" "worker_group" {
     local.config_patches_common,
     [yamlencode(local.common_config_patch)],
     [yamlencode(local.config_cilium_patch)],
+    [yamlencode(
+      {
+        machine = {
+          kubelet = {
+            extraArgs = {
+              hostname-override = module.talos_worker_group[each.key].id
+            }
+
+          }
+        }
+      }
+      )
+    ],
     [for path in each.value.config_patch_files : file(path)]
   )
 }

README.md

@@ -93,6 +93,7 @@ module "talos" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_admission_plugins"></a> [admission\_plugins](#input\_admission\_plugins) | List of admission plugins to enable on the API server. | `string` | `"MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ServiceAccount"` | no |
 | <a name="input_allocate_node_cidrs"></a> [allocate\_node\_cidrs](#input\_allocate\_node\_cidrs) | Whether to assign PodCIDRs to Node resources or not. Only needed in case Cilium runs in 'kubernetes' IPAM mode. | `bool` | `true` | no |
 | <a name="input_allow_workload_on_cp_nodes"></a> [allow\_workload\_on\_cp\_nodes](#input\_allow\_workload\_on\_cp\_nodes) | Allow workloads on CP nodes or not. Allowing it means Talos Linux default taints are removed from CP nodes. More details here: https://www.talos.dev/v1.5/talos-guides/howto/workers-on-controlplane/ | `bool` | `false` | no |
 | <a name="input_cluster_architecture"></a> [cluster\_architecture](#input\_cluster\_architecture) | Cluster architecture. Choose 'arm64' or 'amd64'. If you choose 'arm64', ensure to also override the control\_plane.instance\_type and worker\_groups.instance\_type with an ARM64-based instance type like 'm7g.large'. | `string` | `"amd64"` | no |
@@ -102,8 +103,11 @@ module "talos" {
 | <a name="input_control_plane"></a> [control\_plane](#input\_control\_plane) | Info for control plane that will be created | <pre>object({<br/>    instance_type      = optional(string, "m5.large")<br/>    config_patch_files = optional(list(string), [])<br/>    tags               = optional(map(string), {})<br/>  })</pre> | `{}` | no |
 | <a name="input_controlplane_count"></a> [controlplane\_count](#input\_controlplane\_count) | Defines how many controlplane nodes are deployed in the cluster. | `number` | `3` | no |
 | <a name="input_disable_kube_proxy"></a> [disable\_kube\_proxy](#input\_disable\_kube\_proxy) | Whether to deploy Kube-Proxy or not. By default, KP shouldn't be deployed. | `bool` | `true` | no |
+| <a name="input_iam_instance_profile_controller"></a> [iam\_instance\_profile\_controller](#input\_iam\_instance\_profile\_controller) | IAM instance profile to attach to the controller instances. | `string` | `null` | no |
+| <a name="input_iam_instance_profile_worker"></a> [iam\_instance\_profile\_worker](#input\_iam\_instance\_profile\_worker) | IAM instance profile to attach to the worker instances. | `string` | `null` | no |
 | <a name="input_kubernetes_api_allowed_cidr"></a> [kubernetes\_api\_allowed\_cidr](#input\_kubernetes\_api\_allowed\_cidr) | The CIDR from which to allow to access the Kubernetes API | `string` | `"0.0.0.0/0"` | no |
 | <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version to use for the Talos cluster, if not set, the K8s version shipped with the selected Talos version will be used. Check https://www.talos.dev/latest/introduction/support-matrix/. For example '1.29.3'. | `string` | `""` | no |
+| <a name="input_metadata_options"></a> [metadata\_options](#input\_metadata\_options) | Metadata to attach to the instances. | `map(string)` | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_tokens": "required",<br/>  "instance_metadata_tags": "disabled"<br/>}</pre> | no |
 | <a name="input_pod_cidr"></a> [pod\_cidr](#input\_pod\_cidr) | The CIDR to use for Pods. Only required in case allocate\_node\_cidrs is set to 'true'. Otherwise, simply configure it inside Cilium's Helm values. | `string` | `"100.64.0.0/14"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region in which to create the Talos Linux cluster. | `string` | n/a | yes |
 | <a name="input_service_cidr"></a> [service\_cidr](#input\_service\_cidr) | The CIDR to use for services. | `string` | `"100.68.0.0/16"` | no |