EKS Managed Node Group - AL2023 - cloudinit_pre_nodeadm does not function per documentation example

[macintoshme]

Description

Referencing: EKS Managed Node Group AL2023 Example

Trying to inject some items into the NodeConfig, however it was not working. I tried the basic example by simply trying to inject a shutdown grace period and found that didn't work.

The launch template shows the NodeConfig.

I see both NodeConfigs in user-data.txt.i on the node.

If your request is for a new feature, please use the Feature request template.

• [x ] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]: 20.37.0

• Terraform version:
  1.12.2

• Provider version(s):

• provider registry.terraform.io/hashicorp/aws v5.100.0
• provider registry.terraform.io/hashicorp/cloudinit v2.3.7
• provider registry.terraform.io/hashicorp/kubernetes v2.37.1
• provider registry.terraform.io/hashicorp/local v2.5.3
• provider registry.terraform.io/hashicorp/null v3.2.4
• provider registry.terraform.io/hashicorp/random v3.7.2
• provider registry.terraform.io/hashicorp/template v2.2.0
• provider registry.terraform.io/hashicorp/time v0.13.1
• provider registry.terraform.io/hashicorp/tls v4.1.0

Reproduction Code [Required]

module "eks" {
  source                          = "terraform-aws-modules/eks/aws"
  version                         = "20.37.0"
  cluster_name                    = local.eks_cluster_name
  cluster_version                 = "1.31"
  subnet_ids                      = data.terraform_remote_state.vpc.outputs.vpc_private_subnet_ids
  vpc_id                          = data.terraform_remote_state.vpc.outputs.vpc_id
  enable_irsa                     = true
  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true
  cluster_service_ipv4_cidr       = var.cluster_service_ipv4_cidr
  cluster_enabled_log_types              = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  prefix_separator                   = ""
  iam_role_name                      = local.eks_cluster_name
  cluster_security_group_name        = local.eks_cluster_name
  cluster_security_group_description = "EKS cluster security group."

  access_entries = local.combined_access_entries

  cluster_encryption_config = {
    provider_key_arn = aws_kms_key.eks.arn
    resources        = ["secrets"]
  }

  kms_key_administrators = var.kms_key_administrators

  eks_managed_node_groups = local.eks_managed_node_groups_per_az_config

}

locals {
  eks_managed_node_groups_per_az_config = [
    for subnet in data.terraform_remote_state.vpc.outputs.vpc_private_subnet_ids :
    {
      name                 = "${var.env_name}-core-group-${trimprefix(subnet, "subnet-")}"
      subnet_ids           = [subnet]
      iam_role_name        = "${var.env_name}-core-group-${trimprefix(subnet, "subnet-")}"
      launch_template_name = "${var.env_name}-core-group-${trimprefix(subnet, "subnet-")}"
      capacity_type        = "ON_DEMAND"
      ami_type             = "AL2023_x86_64_STANDARD"
      instance_types       = ["t3a.large"]
      min_size             = 0
      desired_size         = 1
      max_size             = 10
      key_name             = "al2023-test"

      node_repair_config = {
        enabled = true
      }

      timeouts = {
        "create" : "60m",
        "update" : "60m",
        "delete" : "60m"
      }

      cloudinit_pre_nodeadm = [
        {
          content_type = "application/node.eks.aws"
          content      = <<-EOT
            ---
            apiVersion: node.eks.aws/v1alpha1
            kind: NodeConfig
            spec:
              kubelet:
                config:
                  shutdownGracePeriod: 30s
          EOT
        }
      ]

      tags = {
        "Environment"                                                                    = var.env_name
        "k8s.io/cluster-autoscaler/enabled"                                              = true
        "k8s.io/cluster-autoscaler/${local.eks_cluster_name}"                            = "owned"
        "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/core-asg" = "true"
      }
    }
  ]
}

Steps to reproduce the behavior:

Use cloudinit_pre_nodeadm to apply a NodeConfig.

Expected behavior

The NodeConfig gets merged with the existing config as the example implies

Actual behavior

The NodeConfig does not get applied, but is evidently present in userdata on the node

[bryantbiggs]

you are missing platform = "al2023"

[macintoshme]

@bryantbiggs

It looks like platform has be deprecated for ami_type according to documentation.

If you have seen that resolve this though, happy to try it.

[brunopadz]

It looks like platform hasn't been deprecated yet, afaik it's set to be removed in the next major version, v21. So it should still work for now.

But yeah, I can't get cloudinit_pre_nodeadm to work either, even setting platform = al2023.

eks_managed_node_group_defaults = {

    ami_release_version = "1.33.0-20250627" 
    ami_type            = "AL2023_x86_64_STANDARD"
    cluster_version     = "1.33"
    instance_types = ["t3.medium"]
    capacity_type  = "SPOT"
  }

  eks_managed_node_groups = {
    ng-1 = {
      min_size                   = 1
      max_size                   = 1
      desired_size               = 1
      use_custom_launch_template = false
      disk_size                  = 30
    }
    ng-2 = {
      cloudinit_pre_nodeadm = [
        {
          content_type = "application/node.eks.aws"
          content      = <<-EOT
            ---
            apiVersion: node.eks.aws/v1alpha1
            kind: NodeConfig
            spec:
              kubelet:
                config:
                  maxPods: 110
          EOT
        }
      ]
      min_size                   = 1
      max_size                   = 1
      desired_size               = 1
      use_custom_launch_template = false
      disk_size                  = 30
      instance_types             = ["m7i-flex.2xlarge"]
      platform                   = "al2023"

      labels = {
        "ng_name" = "ng-2"
      }
    }
  }

The node is not being configured with the maxPods setting.

[bryantbiggs]

use_custom_launch_template = false

It will never work without the custom launch template, you will need to switch this to true

[brunopadz]

Yeah, that totally makes sense and it did the trick. Thanks @bryantbiggs. :)

[macintoshme]

Injecting platform = "al2023" did not appear to do anything for my situation, the results are two NodeConfigs with the second not being applied.

[root@ip-10-130-4-152 ~]# cat /var/lib/cloud/instances/i-0296e0e614ed06369/user-data.txt.i 
Content-Type: multipart/mixed; boundary="===============0233431031254609790=="
MIME-Version: 1.0
Number-Attachments: 2

--===============0233431031254609790==
Content-Type: application/node.eks.aws
Content-Disposition: attachment; filename="part-001"

---
apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  cluster:
    apiServerEndpoint: <removed>
    certificateAuthority: <removed
    cidr: 10.1.0.0/16
    name: h0714
  kubelet:
    config:
      maxPods: 35
      clusterDNS:
      - 10.1.0.10
    flags:
    - "--node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,eks.amazonaws.com/nodegroup-image=ami-07947e1daef0a863a,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=h0714-core-group-048f0953b29063ee8-2025071413451776130000001d,eks.amazonaws.com/sourceLaunchTemplateId=lt-0d96b9bd946d1f868"

--===============0233431031254609790==
Content-Transfer-Encoding: 7bit
Content-Type: application/node.eks.aws
Mime-Version: 1.0
Content-Disposition: attachment; filename="part-002"

---
apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  kubelet:
    config:
      shutdownGracePeriod: 30s

--===============0233431031254609790==--
[root@ip-10-130-4-152 ~]# cat /etc/kubernetes/kubelet/config.json
{
    "address": "0.0.0.0",
    "authentication": {
        "x509": {
            "clientCAFile": "/etc/kubernetes/pki/ca.crt"
        },
        "webhook": {
            "enabled": true,
            "cacheTTL": "2m0s"
        },
        "anonymous": {
            "enabled": false
        }
    },
    "authorization": {
        "mode": "Webhook",
        "webhook": {
            "cacheAuthorizedTTL": "5m0s",
            "cacheUnauthorizedTTL": "30s"
        }
    },
    "cgroupDriver": "systemd",
    "cgroupRoot": "/",
    "clusterDNS": [
        "10.1.0.10"
    ],
    "clusterDomain": "cluster.local",
    "containerRuntimeEndpoint": "unix:///run/containerd/containerd.sock",
    "evictionHard": {
        "memory.available": "100Mi",
        "nodefs.available": "10%",
        "nodefs.inodesFree": "5%"
    },
    "featureGates": {
        "RotateKubeletServerCertificate": true
    },
    "hairpinMode": "hairpin-veth",
    "kubeReserved": {
        "cpu": "70m",
        "ephemeral-storage": "1Gi",
        "memory": "640Mi"
    },
    "kubeReservedCgroup": "/runtime",
    "logging": {
        "verbosity": 2
    },
    "maxPods": 35,
    "protectKernelDefaults": true,
    "providerID": "aws:///us-east-1a/i-0296e0e614ed06369",
    "readOnlyPort": 0,
    "serializeImagePulls": false,
    "serverTLSBootstrap": true,
    "systemReservedCgroup": "/system",
    "tlsCipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ],
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1"

With the example referenced in the start of this post, I would have expected a shutdownGracePeriod entry.

[bryantbiggs]

we'll need a minimal reproduction without all the loops and what not (not part of the module)

[MauroSoli]

I also encounter some error on the nodeadm-config service side from the cluster version 1.33:

Here is my manage_node config:

# The var.eks_managed_node_group is from this local:
locals {
  # map of EKS01 managed nodes with its instance_type
  eks_uat01_node = { for instance_type in ["medium"] :
    "eks01-node-${instance_type}" => {
      instance_types = ["t3a.${instance_type}"]
      # taints is set to prefer no schedule, so system pods can can on this node
      taints = {
      }

      labels = {
        role     = "worker"
        nodetype = "system-node"
      }

      # Ensure enough capacity to run 2 Karpenter pods
      min_size     = 1
      max_size     = 2
      desired_size = 2
      max_pods     = 30

      update_config = {
        max_unavailable_percentage = 33 # The maximum number of nodes unavailable at once during a version update
      }

      block_device_mappings = {
        xvda = {
          device_name = "/dev/xvda"
          ebs = {
            volume_size           = 20
            volume_type           = "gp3"
            encrypted             = true
            delete_on_termination = true
          }
        }
      }

      enable_monitoring = false
      subnet_ids        = [element(local.aws_subnets_uat, 0)]
    }
  }
}

module "eks_managed_node_group" {
  source  = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
  version = "20.37.1"

  # Retrieve the managed nodes from input variables
  for_each = { for node_group_name, node_group_config in var.eks_managed_node_groups : node_group_name => node_group_config }

  name            = each.key
  cluster_name    = module.eks.cluster_name
  cluster_version = module.eks.cluster_version
  cluster_service_cidr = var.cluster_service_cidr
  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
  vpc_security_group_ids            = [module.eks.node_security_group_id]
  ami_id         = data.aws_ssm_parameter.al2023_image_id.value 
  platform       = "al2023"
  ami_type       = "AL2023_x86_64_STANDARD"
  ami_release_version = "1.33.0-20250704" 
  instance_types = each.value.instance_types
  subnet_ids     = each.value.subnet_ids
  create_launch_template = true

  cloudinit_pre_nodeadm = [
    {
      content_type = "application/node.eks.aws"
      content      = <<-EOT
        ---
        apiVersion: node.eks.aws/v1alpha1
        kind: NodeConfig
        spec:
          kubelet:
            config:
              maxPods: 110 # For instances with less than 30 vCPUs the maximum number is 110
      EOT
    }
  ]

  taints = each.value.taints
  labels = each.value.labels
  # Ensure enough capacity to run 2 Karpenter pods
  min_size              = each.value.min_size
  max_size              = each.value.max_size
  desired_size          = each.value.desired_size
  update_config         = each.value.update_config
  block_device_mappings = each.value.block_device_mappings
  enable_monitoring     = each.value.enable_monitoring

  tags = merge(var.tags)

  # This module need that network works properly
  depends_on = [helm_release.aws_vpc_cni]
}

From the managed-node nodeadm-config service, here is the error (Name is missing in cluster) :

# journalctl -u nodeadm-config --no-pager
Jul 15 10:57:02 localhost systemd[1]: Starting nodeadm-config.service - EKS Nodeadm Config...
Jul 15 10:57:03 localhost nodeadm[1430]: {"level":"info","ts":1752577023.0009427,"caller":"init/init.go:51","msg":"Checking user is root.."}
Jul 15 10:57:03 localhost nodeadm[1430]: {"level":"info","ts":1752577023.0013041,"caller":"init/init.go:59","msg":"Loading configuration..","configSource":"imds://user-data"}Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.0355098,"caller":"init/init.go:68","msg":"Loaded configuration","config":{"metadata":{"creationTimestamp":null},"spec":{"cluster":{},"containerd":{},"instance":{"localStorage":{}},"kubelet":{"config":{"maxPods":110}}},"status":{"instance":{},"default":{}}}}Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.035881,"caller":"init/init.go:70","msg":"Enriching configuration.."}
Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.0359063,"caller":"init/init.go:152","msg":"Fetching kubelet version.."}
Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.037536,"caller":"kubelet/version.go:30","msg":"Reading kubelet version from file","path":"/etc/eks/kubelet-version.txt"}Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.0384462,"caller":"init/init.go:158","msg":"Fetched kubelet version","version":"v1.33.0"}
Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.038489,"caller":"init/init.go:159","msg":"Fetching instance details.."}
Jul 15 10:57:04 localhost nodeadm[1430]: SDK 2025/07/15 10:57:04 DEBUG attempting waiter request, attempt count: 1
Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.3966331,"caller":"init/init.go:176","msg":"Instance details populated","details":{"id":"i-01edbed420324507b","region":"eu-central-1","type":"t3a.medium","availabilityZone":"eu-central-1a","mac":"02:67:0f:fd:90:ff","privateDnsName":"ip-10-215-7-220.eu-central-1.compute.internal"}}Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.3967547,"caller":"init/init.go:177","msg":"Fetching default options..."}Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.3970683,"caller":"init/init.go:181","msg":"Default options populated","defaults":{"sandboxImage":"localhost/kubernetes/pause"}}
Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"info","ts":1752577024.3970852,"caller":"init/init.go:75","msg":"Validating configuration.."}Jul 15 10:57:04 localhost nodeadm[1430]: {"level":"fatal","ts":1752577024.3970997,"caller":"nodeadm/main.go:36","msg":"Command failed","error":"Name is missing in cluster configuration","stacktrace":"main.main\n\t/workdir/cmd/nodeadm/main.go:36\nruntime.main\n\t/root/sdk/go1.24.4/src/runtime/proc.go:283"}Jul 15 10:57:04 localhost systemd[1]: nodeadm-config.service: Main process exited, code=exited, status=1/FAILUREJul 15 10:57:04 localhost systemd[1]: nodeadm-config.service: Failed with result 'exit-code'.
Jul 15 10:57:04 localhost systemd[1]: Failed to start nodeadm-config.service - EKS Nodeadm Config.

Following the official example, the NodeConfig.cluster configuration should't be a requirement, am I doing something wrong?

[bryantbiggs]

Again, we'll need a minimal reproduction that is deployable and without all the wrapping/looping logic

[MauroSoli]

I resolved by setting the vars enable_bootstrap_user_data, cluster_endpoint, cluster_auth_base64, 'cause with AL2023 it's a requirement for those who use the eks-managed-node-group module directly.

[macintoshme]

Stripped loop:

module "eks" {
  source                          = "terraform-aws-modules/eks/aws"
  version                         = "20.37.0"
  cluster_name                    = local.eks_cluster_name
  cluster_version                 = "1.31"
  subnet_ids                      = data.terraform_remote_state.vpc.outputs.vpc_private_subnet_ids
  vpc_id                          = data.terraform_remote_state.vpc.outputs.vpc_id
  enable_irsa                     = true
  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true
  cluster_service_ipv4_cidr       = var.cluster_service_ipv4_cidr
  cluster_enabled_log_types              = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  cloudwatch_log_group_retention_in_days = var.cluster_log_retention


  kms_key_administrators = var.kms_key_administrators

  eks_managed_node_groups = {
  
    node_group_1 = {
      name                 = "${var.env_name}-core-group-blah"
      subnet_ids           = data.terraform_remote_state.vpc.outputs.vpc_private_subnet_ids
      iam_role_name        = "${var.env_name}-core-group-blah"
      launch_template_name = "${var.env_name}-core-group-blah"
      capacity_type        = "ON_DEMAND"
      platform             = "al2023"
      ami_type             = "AL2023_x86_64_STANDARD"
      instance_types       = ["t3a.large"]
      min_size             = 0
      desired_size         = 1
      max_size             = 10
      key_name             = "al2023-test"

      node_repair_config = {
        enabled = true
      }

      timeouts = {
        "create" : "60m",
        "update" : "60m",
        "delete" : "60m"
      }

      cloudinit_pre_nodeadm = [
        {
          content_type = "application/node.eks.aws"
          content      = <<-EOT
            ---
            apiVersion: node.eks.aws/v1alpha1
            kind: NodeConfig
            spec:
              kubelet:
                config:
                  shutdownGracePeriod: 30s
          EOT
        }
      ]

      tags = {
        "Environment"                                                                    = var.env_name
        "k8s.io/cluster-autoscaler/enabled"                                              = true
        "k8s.io/cluster-autoscaler/${local.eks_cluster_name}"                            = "owned"
        "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/core-asg" = "true"
      }
    }
  }
}

[root@ip-10-130-4-212 ~]# cat /etc/kubernetes/kubelet/config.json
{
    "address": "0.0.0.0",
    "authentication": {
        "x509": {
            "clientCAFile": "/etc/kubernetes/pki/ca.crt"
        },
        "webhook": {
            "enabled": true,
            "cacheTTL": "2m0s"
        },
        "anonymous": {
            "enabled": false
        }
    },
    "authorization": {
        "mode": "Webhook",
        "webhook": {
            "cacheAuthorizedTTL": "5m0s",
            "cacheUnauthorizedTTL": "30s"
        }
    },
    "cgroupDriver": "systemd",
    "cgroupRoot": "/",
    "clusterDNS": [
        "10.1.0.10"
    ],
    "clusterDomain": "cluster.local",
    "containerRuntimeEndpoint": "unix:///run/containerd/containerd.sock",
    "evictionHard": {
        "memory.available": "100Mi",
        "nodefs.available": "10%",
        "nodefs.inodesFree": "5%"
    },
    "featureGates": {
        "RotateKubeletServerCertificate": true
    },
    "hairpinMode": "hairpin-veth",
    "kubeReserved": {
        "cpu": "70m",
        "ephemeral-storage": "1Gi",
        "memory": "640Mi"
    },
    "kubeReservedCgroup": "/runtime",
    "logging": {
        "verbosity": 2
    },
    "maxPods": 35,
    "protectKernelDefaults": true,
    "providerID": "aws:///us-east-1a/i-0d5f77346c2bad99d",
    "readOnlyPort": 0,
    "serializeImagePulls": false,
    "serverTLSBootstrap": true,
    "systemReservedCgroup": "/system",
    "tlsCipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
    ],
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1"

[root@ip-10-130-4-212 ~]# cat /var/lib/cloud/instance/user-data.txt.i 
Content-Type: multipart/mixed; boundary="===============8066021514008649935=="
MIME-Version: 1.0
Number-Attachments: 2

--===============8066021514008649935==
Content-Type: application/node.eks.aws
Content-Disposition: attachment; filename="part-001"

---
apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  cluster:
    apiServerEndpoint: https://277BDC0E7CF9248447D81FC5073483C3.gr7.us-east-1.eks.amazonaws.com
    certificateAuthority: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJQzBHNHBDV1RSZWd3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TlRBM01UUXhNek0wTVRKYUZ3MHpOVEEzTVRJeE16TTVNVEphTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUNtUS80VEVuN2Nrd2xuVWxRd1NJcGx2VkFrT3VVV3RRQmw5MzdXbDQ0MWtUSkpjbmZDQTdrSDRKZmkKaDZDdWREc2ppYUJsM3RVYldOZFpGbW1SMkh4cUpEaGtyL2FRRmFwa1dHN2Z6ZklQR0NBUEtOWitwNnhza3hvZAp1dzBYTEVydFVrNkZOZy9md3p5UWFUNjBVSnlSSEdXdTh5L2FPNWtBOEhRUVFJdkJ2WFhCVWozZG01dHF2RjhZClRzNy95djdvNG9vcmlrSHByV0xlVE94NjNlSlB3UTR0VHN0R3ZGdUxtSHovRTZkWTJUM3pnRVg4QWE3UWpHODAKcnVXRHF6emk4VTY1U0FpL3lrZ291dEkrajdCM2kzaEd3SVdRNUNDS3R2V3VKM3h0TXhYczNhTlhxQmtyWUl4RQpNeDNjQzNjQWhjY1I5QXorNGpBeFpnbkR4THNSQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJTeUdLd1labWRjdXgvY3liODFBc1NSVEpSb01UQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQTFCNlpnOUVEaQpVdk5sb2xtVlRZRXdBQ1Q1MXdrUkF0Skk2dUVSeGhScTFmZk44UzB2N1ZpRGJyQ2MrdDFEc29raWEvNGZPU2RSCmYwRHZXd0VGOEhRYXNxd0M2OE5DL2dOQURVT1c0eTRZMWE5emFRWFhHbkxWQzZOVjY5cHRJQUN5TGxhcXRjYkwKUlFTUXJiNTE5QVlnTmxrS1N4ZitUaU1ha1BlMDNNaXlPeWVaSThIZkRIVUJFS2JHQ1kyNUFmY0N1OUVlVTgvRApnSWU5Zlh3ZUszZGoyUzFkTDZTaHhQLzlxL21PbHd1K1Z5NUxreDhwSDF1d3JWTnliTzliZERmck03MXpRcmZaCnRyclR2bnFQSWw5Q3c2emY4L1V4aEpqeVRBbVNQeHhwdEVveWwvTCtyYVFaWGMzSFlUWVd0WWg4Tll6dHE4R1QKaWVrODNwWnJkYS9wCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    cidr: 10.1.0.0/16
    name: h0714
  kubelet:
    config:
      maxPods: 35
      clusterDNS:
      - 10.1.0.10
    flags:
    - "--node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,eks.amazonaws.com/nodegroup-image=ami-0cfd8c9a873d73514,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=h0714-core-group-blah-20250716051254356800000007,eks.amazonaws.com/sourceLaunchTemplateId=lt-01a45f36cb71b5006"

--===============8066021514008649935==
Content-Transfer-Encoding: 7bit
Content-Type: application/node.eks.aws
Mime-Version: 1.0
Content-Disposition: attachment; filename="part-002"

---
apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  kubelet:
    config:
      shutdownGracePeriod: 30s

--===============8066021514008649935==--

[bryantbiggs]

so that looks like its working as intended from the module perspective. I would submit an issue here https://github.com/awslabs/amazon-eks-ami - they won't need any of the Terraform, just the snippet of the rendered user data that is passed to the nodes from the node group and the resulting kubelet config (last two snippets in post directly above)