From 3d29344ef758b7c8ea906f7aa986c1fc12f81a80 Mon Sep 17 00:00:00 2001
From: mcgin314
Date: Tue, 28 May 2024 13:58:56 -0400
Subject: [PATCH] Change the addons to all use latest, doesn't seem to be any reason not to, especially since it is more likely to cause a conflict during upgrade.
---
 main.tf | 11 +---
 sg_ports.tf | 159 ++++++----------------------------------------
 2 files changed, 20 insertions(+), 150 deletions(-)
diff --git a/main.tf b/main.tf
index f41967a..20aec65 100644
--- a/main.tf
+++ b/main.tf
@@ -100,15 +100,15 @@ module "cluster" {
 most_recent = true
 }
 vpc-cni = {
- most_recent = false
+ most_recent = true
 service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn
 }
 aws-ebs-csi-driver = {
- most_recent = false
+ most_recent = true
 service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
 }
 aws-efs-csi-driver = {
- most_recent = false
+ most_recent = true
 service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
 }
 }
@@ -119,11 +119,6 @@ module "cluster" {
 node_security_group_enable_recommended_rules = false
- # node_security_group_additional_rules = merge(
- # local.ingress_rules,
- # local.egress_rules,
- # )
-
 node_security_group_additional_rules = local.node_security_group_additional_rules
 eks_managed_node_groups = {
diff --git a/sg_ports.tf b/sg_ports.tf
index 567a8db..b93db24 100644
--- a/sg_ports.tf
+++ b/sg_ports.tf
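Review bot: Flipping `most_recent = true` on vpc-cni, aws-ebs-csi-driver and aws-efs-csi-driver removes the only version pin these addons had, so the version is presumably re-resolved on every plan and any later apply — including one unrelated to the addons — can upgrade them as soon as a new release is published; vpc-cni in particular touches pod networking on every node. Nothing in the hunk records that this float is intentional, so a comment on the first changed line such as `# most_recent = true floats the addon version: new releases are picked up by the next plan, so review the addon diff before apply` would make the trade-off visible to the next maintainer. Where reproducible environments matter, an explicit `addon_version` bumped deliberately, together with `resolve_conflicts_on_update` for the upgrade conflicts the commit message mentions, is the more controlled option. The enclosing `module "cluster"` block starts before this hunk and continues past it.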
@@ -1,139 +1,14 @@
-# locals {
-# istio_ports = [
-# {
-# description = "Envoy admin port / outbound"
-# from_port = 15000
-# to_port = 15001
-# protocol = "tcp"
-# },
-# {
-# description = "Debug port"
-# from_port = 15004
-# to_port = 15004
-# protocol = "tcp"
-# },
-# {
-# description = "Envoy inbound"
-# from_port = 15006
-# to_port = 15006
-# protocol = "tcp"
-# },
-# {
-# description = "HBONE mTLS tunnel port / secure networks XDS and CA services (Plaintext)"
-# from_port = 15008
-# to_port = 15010
-# protocol = "tcp"
-# },
-# {
-# description = "XDS and CA services (TLS and mTLS)"
-# from_port = 15012
-# to_port = 15012
-# protocol = "tcp"
-# },
-# {
-# description = "Control plane monitoring"
-# from_port = 15014
-# to_port = 15014
-# protocol = "tcp"
-# },
-# {
-# description = "Control plane monitoring"
-# from_port = 15017
-# to_port = 15017
-# protocol = "tcp"
-# },
-# {
-# description = "Merged Prometheus telemetry data from Istio agent, Envoy, and application, Health checks"
-# from_port = 15020
-# to_port = 15021
-# protocol = "tcp"
-# },
-# {
-# description = "DNS port"
-# from_port = 15053
-# to_port = 15053
-# protocol = "tcp"
-# },
-# {
-# description = "Envoy Prometheus telemetry"
-# from_port = 15090
-# to_port = 15090
-# protocol = "tcp"
-# },
-# {
-# description = "aws-load-balancer-controller"
-# from_port = 9443
-# to_port = 9443
-# protocol = "tcp"
-# },
-# {
-# description = "Node to node ingress on ephemeral ports"
-# from_port = 80
-# to_port = 65535
-# protocol = "tcp"
-# },
-# {
-# description = "Cluster API to node 4443/tcp webhook"
-# from_port = 4443
-# to_port = 4443
-# protocol = "tcp"
-# # source_cluster_security_group = true
-# },
-# # prometheus-adapter
-# {
-# description = "Cluster API to node 6443/tcp webhook"
-# from_port = 6443
-# to_port = 6443
-# protocol = "tcp"
-# # source_cluster_security_group = true
-# },
-# # Karpenter
-# {
-# description = "Cluster API to node 8443/tcp webhook"
-# from_port = 8443
-# to_port = 8443
-# protocol = "tcp"
-# # source_cluster_security_group = true
-# },
-# ]
-
-# ingress_rules = {
-# for ikey, ivalue in local.istio_ports :
-# "${ikey}_ingress" => {
-# description = ivalue.description
-# protocol = ivalue.protocol
-# from_port = ivalue.from_port
-# to_port = ivalue.to_port
-# type = "ingress"
-# self = true
-# }
-# }
-
-# egress_rules = {
-# for ekey, evalue in local.istio_ports :
-# "${ekey}_egress" => {
-# description = evalue.description
-# protocol = "tcp"
-# from_port = evalue.from_port
-# to_port = evalue.to_port
-# type = "egress"
-# self = true
-# }
-# }
-
-# }
-
 locals {
-node_security_group_additional_rules = {
- "ingress_nodes_ephemeral" = {
- "description" = "Node to node ingress on ephemeral ports"
- "from_port" = 80
- "protocol" = "tcp"
- "self" = true
- "to_port" = 65535
- "type" = "ingress"
- }
- # metrics-server
+ node_security_group_additional_rules = {
+ "ingress_nodes_ephemeral" = {
+ "description" = "Node to node ingress on ephemeral ports"
+ "from_port" = 80
+ "protocol" = "tcp"
+ "self" = true
+ "to_port" = 65535
+ "type" = "ingress"
+ }
+ # metrics-server
 ingress_cluster_4443_webhook = {
 description = "Cluster API to node 4443/tcp webhook"
 protocol = "tcp"
@@ -170,13 +45,13 @@ node_security_group_additional_rules = {
 source_cluster_security_group = true
 }
 egress_all = {
- description = "Allow all egress"
- protocol = "-1"
- from_port = 0
- to_port = 0
- type = "egress"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
 # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
 }
-}
+ }
 }
\ No newline at end of file