Change the addons to all use latest, doesn't seem to be any reason no…

…t to, especially since it is more likely to cause a conflict during upgrade.
SCT-Engineering · May 28, 2024 · 3d29344 · 3d29344
1 parent a076e13
commit 3d29344
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 150 deletions.
diff --git a/main.tf b/main.tf
@@ -100,15 +100,15 @@ module "cluster" {
       most_recent = true
     }
     vpc-cni = {
-      most_recent              = false
+      most_recent              = true
       service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn
     }
     aws-ebs-csi-driver = {
-      most_recent              = false
+      most_recent              = true
       service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
     }
     aws-efs-csi-driver = {
-      most_recent              = false
+      most_recent              = true
       service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
     }
   }
@@ -119,11 +119,6 @@ module "cluster" {
 
   node_security_group_enable_recommended_rules = false
 
-  # node_security_group_additional_rules = merge(
-  #   local.ingress_rules,
-  #   local.egress_rules,
-  # )
-
   node_security_group_additional_rules = local.node_security_group_additional_rules
 
   eks_managed_node_groups = {

diff --git a/sg_ports.tf b/sg_ports.tf
@@ -1,139 +1,14 @@
-# locals {
-#   istio_ports = [
-#     {
-#       description = "Envoy admin port / outbound"
-#       from_port   = 15000
-#       to_port     = 15001
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Debug port"
-#       from_port   = 15004
-#       to_port     = 15004
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Envoy inbound"
-#       from_port   = 15006
-#       to_port     = 15006
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "HBONE mTLS tunnel port / secure networks XDS and CA services (Plaintext)"
-#       from_port   = 15008
-#       to_port     = 15010
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "XDS and CA services (TLS and mTLS)"
-#       from_port   = 15012
-#       to_port     = 15012
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Control plane monitoring"
-#       from_port   = 15014
-#       to_port     = 15014
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Control plane monitoring"
-#       from_port   = 15017
-#       to_port     = 15017
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Merged Prometheus telemetry data from Istio agent, Envoy, and application, Health checks"
-#       from_port   = 15020
-#       to_port     = 15021
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "DNS port"
-#       from_port   = 15053
-#       to_port     = 15053
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Envoy Prometheus telemetry"
-#       from_port   = 15090
-#       to_port     = 15090
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "aws-load-balancer-controller"
-#       from_port   = 9443
-#       to_port     = 9443
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Node to node ingress on ephemeral ports"
-#       from_port   = 80
-#       to_port     = 65535
-#       protocol    = "tcp"
-#     },
-#     {
-#       description = "Cluster API to node 4443/tcp webhook"
-#       from_port   = 4443
-#       to_port     = 4443
-#       protocol    = "tcp"
-#       # source_cluster_security_group = true
-#     },
-#     # prometheus-adapter
-#     {
-#       description = "Cluster API to node 6443/tcp webhook"
-#       from_port   = 6443
-#       to_port     = 6443
-#       protocol    = "tcp"
-#       # source_cluster_security_group = true
-#     },
-#     # Karpenter
-#     {
-#       description = "Cluster API to node 8443/tcp webhook"
-#       from_port   = 8443
-#       to_port     = 8443
-#       protocol    = "tcp"
-#       # source_cluster_security_group = true
-#     },
-#   ]
-
-#   ingress_rules = {
-#     for ikey, ivalue in local.istio_ports :
-#     "${ikey}_ingress" => {
-#       description = ivalue.description
-#       protocol    = ivalue.protocol
-#       from_port   = ivalue.from_port
-#       to_port     = ivalue.to_port
-#       type        = "ingress"
-#       self        = true
-#     }
-#   }
-
-#   egress_rules = {
-#     for ekey, evalue in local.istio_ports :
-#     "${ekey}_egress" => {
-#       description = evalue.description
-#       protocol    = "tcp"
-#       from_port   = evalue.from_port
-#       to_port     = evalue.to_port
-#       type        = "egress"
-#       self        = true
-#     }
-#   }
-
-# }
-
 locals {
-node_security_group_additional_rules = {
-  "ingress_nodes_ephemeral" = {
-    "description" = "Node to node ingress on ephemeral ports"
-    "from_port" = 80
-    "protocol" = "tcp"
-    "self" = true
-    "to_port" = 65535
-    "type" = "ingress"
-  }
-  # metrics-server
+  node_security_group_additional_rules = {
+    "ingress_nodes_ephemeral" = {
+      "description" = "Node to node ingress on ephemeral ports"
+      "from_port"   = 80
+      "protocol"    = "tcp"
+      "self"        = true
+      "to_port"     = 65535
+      "type"        = "ingress"
+    }
+    # metrics-server
     ingress_cluster_4443_webhook = {
       description                   = "Cluster API to node 4443/tcp webhook"
       protocol                      = "tcp"
@@ -170,13 +45,13 @@ node_security_group_additional_rules = {
       source_cluster_security_group = true
     }
     egress_all = {
-      description      = "Allow all egress"
-      protocol         = "-1"
-      from_port        = 0
-      to_port          = 0
-      type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
+      description = "Allow all egress"
+      protocol    = "-1"
+      from_port   = 0
+      to_port     = 0
+      type        = "egress"
+      cidr_blocks = ["0.0.0.0/0"]
       # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
     }
-}
+  }
 }