Sage-Bionetworks-Workflows · BryanFauble · May 18, 2026
@@ -1,3 +1,10 @@
+locals {
+  # Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD).
+  # Acts as a floor for the Spot Ocean worker AMI lookup. Bump for kernel CVE
+  # remediations (e.g., CVE-2026-31431 → v20260505 or later).
+  eks_min_ami_release_date = "20260505"
+}
+
 resource "spacelift_space" "development" {
   name             = "development"
   parent_space_id  = var.parent_space_id
@@ -59,6 +66,8 @@ module "dpe-sandbox-spacelift-development" {
   ses_email_identities = ["aws-dpe-dev@sagebase.org"]
   # Defines the email address that will be used as the sender of the email alerts
   smtp_from = "aws-dpe-dev@sagebase.org"
+
+  eks_min_ami_release_date = local.eks_min_ami_release_date
 }
 
 module "dpe-sandbox-spacelift-staging" {
@@ -99,6 +108,8 @@ module "dpe-sandbox-spacelift-staging" {
   ssl_hostname           = "staging.sagedpe.org"
   ses_email_identities = []
   smtp_from            = ""
+
+  eks_min_ami_release_date = local.eks_min_ami_release_date
 }
 
 module "dpe-sandbox-spacelift-production" {
@@ -140,6 +151,8 @@ module "dpe-sandbox-spacelift-production" {
   ses_email_identities = ["dpe@sagebase.org"]
   # Defines the email address that will be used as the sender of the email alerts
   smtp_from = "dpe@sagebase.org"
+
+  eks_min_ami_release_date = local.eks_min_ami_release_date
 }
 
 module "snowflake-spacelift-development" {

@@ -19,17 +19,18 @@ locals {
   }
 
   k8s_stack_deployments_variables = {
-    spotinst_account       = var.spotinst_account
-    vpc_cidr_block         = var.vpc_cidr_block
-    cluster_name           = var.cluster_name
-    auto_deploy            = var.auto_deploy
-    auto_prune             = var.auto_prune
-    git_revision           = var.git_branch
-    aws_account_id         = var.aws_account_id
-    enable_cluster_ingress = var.enable_cluster_ingress
-    enable_otel_ingress    = var.enable_otel_ingress
-    ssl_hostname           = var.ssl_hostname
-    smtp_from              = var.smtp_from
+    spotinst_account         = var.spotinst_account
+    vpc_cidr_block           = var.vpc_cidr_block
+    cluster_name             = var.cluster_name
+    auto_deploy              = var.auto_deploy
+    auto_prune               = var.auto_prune
+    git_revision             = var.git_branch
+    aws_account_id           = var.aws_account_id
+    enable_cluster_ingress   = var.enable_cluster_ingress
+    enable_otel_ingress      = var.enable_otel_ingress
+    ssl_hostname             = var.ssl_hostname
+    smtp_from                = var.smtp_from
+    eks_min_ami_release_date = var.eks_min_ami_release_date
   }
 
   # Variables to be passed from the k8s stack to the deployments stack

@@ -175,3 +175,8 @@ variable "smtp_from" {
   type        = string
   default     = ""
 }
+
+variable "eks_min_ami_release_date" {
+  description = "Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD). Acts as a floor for the aws_ami lookup that pins the Spot Ocean image_id."
+  type        = string
+}
@@ -12,6 +12,7 @@ module "sage-aws-eks-autoscaler" {
   spotinst_account       = var.spotinst_account
   single_az              = false
   desired_capacity       = 3
+  min_ami_release_date   = var.eks_min_ami_release_date
 }
 
 module "sage-aws-eks-addons" {

@@ -109,3 +109,8 @@ variable "docker_access_token" {
   type        = string
   default     = ""
 }
+
+variable "eks_min_ami_release_date" {
+  description = "Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD)."
+  type        = string
+}
@@ -14,3 +14,18 @@ data "aws_secretsmanager_secret_version" "secret_credentials" {
   secret_id = data.aws_secretsmanager_secret.spotinst_token.id
 }
 
+data "aws_ami" "eks_worker_al2023" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["amazon-eks-node-al2023-x86_64-standard-${data.aws_eks_cluster.cluster.version}-v${var.min_ami_release_date}*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
@@ -114,6 +114,7 @@ module "ocean-aws-k8s" {
   subnet_ids                       = var.single_az ? [var.private_vpc_subnet_ids[0]] : var.private_vpc_subnet_ids
   worker_instance_profile_arn      = aws_iam_instance_profile.profile.arn
   security_groups                  = [var.node_security_group_id]
+  ami_id                           = data.aws_ami.eks_worker_al2023.id
   is_aggressive_scale_down_enabled = true
   max_scale_down_percentage        = 33
   tags                             = var.tags

@@ -54,3 +54,8 @@ variable "single_az" {
   description = "Single AZ"
   type        = bool
 }
+
+variable "min_ami_release_date" {
+  description = "Minimum AL2023 EKS-optimized AMI release date (YYYYMMDD). Acts as a floor for the aws_ami name-prefix filter; Spot Ocean uses the resolved AMI ID for new node launches."
+  type        = string
+}