From d20ae12edebba7a16c5eb525b504a22ee6ea7320 Mon Sep 17 00:00:00 2001
From: Matthew Creal Morgan
Date: Fri, 4 Apr 2025 09:04:34 -0700
Subject: [PATCH 1/2] release process fixed (#41)
From 356309111c0dacc5219b23db410cf44026cc24bd Mon Sep 17 00:00:00 2001
From: Delong Yang
Date: Wed, 16 Apr 2025 14:35:00 -0400
Subject: [PATCH 2/2] Rename sg_ports.tf and clean up duplicate rules
---
additional_sg_rules.tf | 21 ++++++++++++++++
main.tf | 3 +++
sg_ports.tf | 57 ------------------------------------------
3 files changed, 24 insertions(+), 57 deletions(-)
create mode 100644 additional_sg_rules.tf
delete mode 100644 sg_ports.tf
diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf
new file mode 100644
index 0000000..ae2b6f1
--- /dev/null
+++ b/additional_sg_rules.tf
@@ -0,0 +1,21 @@
+locals {
+ node_security_group_additional_rules = {
+ ingress_nodes_ephemeral = {
+ description = "Node to node ingress on ephemeral ports"
+ from_port = 80
+ protocol = "tcp"
+ self = true
+ to_port = 65535
+ type = "ingress"
+ }
+ # ALB controller, NGINX
+ ingress_cluster_9443_webhook = {
+ description = "Cluster API to node 9443/tcp webhook"
+ from_port = 9443
+ protocol = "tcp"
+ source_cluster_security_group = true
+ to_port = 9443
+ type = "ingress"
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index cf353f9..8e45b9e 100644
--- a/main.tf
+++ b/main.tf
@@ -135,6 +135,9 @@ resource "aws_ec2_tag" "container_subnets" {
 }
 }
+# NOTE: Because the source SG of this rule is the primary SG of the cluster,
+# we cannot add it to "node_security_group_additional_rules" map, which is
+# referenced by cluster module. It will create circular dependency.
 resource "aws_security_group_rule" "allow_sidecar_injection" {
 description = "Webhook container port, from Control Plane"
 protocol = "tcp"
diff --git a/sg_ports.tf b/sg_ports.tf
deleted file mode 100644
index 8f9201c..0000000
--- a/sg_ports.tf
+++ /dev/null
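Review bot: `ingress_nodes_ephemeral` in additional_sg_rules.tf opens node-to-node TCP 80–65535, which is far wider than the "ephemeral ports" its description and key name claim, and it is the broadest rule in the new file; if only the ephemeral range is intended, `from_port = 1025` (the conventional lower bound) would make the rule match its description, and if port 80 is needed by a specific workload, a separately named rule stating that purpose in its description would keep the intent auditable. The commit message calls the dropped 4443/6443/8443 webhook rules duplicates; presumably the cluster module's defaults already cover them, but that is not visible in this patch. The removed `egress_all` entry has no counterpart in the new locals, so confirm that node egress is provided elsewhere (for example by the module's default egress rule) before merging.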
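Review bot: The NOTE added above `allow_sidecar_injection` in main.tf captures a useful constraint but reads loosely; I would tighten its last two lines to `# we cannot add it to the "node_security_group_additional_rules" map, which is` / `# consumed by the cluster module: doing so would create a circular dependency.` The rules in additional_sg_rules.tf also reference a cluster security group through `source_cluster_security_group = true`; if that is a different group from the "primary SG" this rule uses, saying so in the comment would stop a reader from assuming the two are interchangeable. The `allow_sidecar_injection` resource continues past the end of the hunk.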
@@ -1,57 +0,0 @@
-locals {
- node_security_group_additional_rules = {
- ingress_nodes_ephemeral = {
- description = "Node to node ingress on ephemeral ports"
- from_port = 80
- protocol = "tcp"
- self = true
- to_port = 65535
- type = "ingress"
- }
- # metrics-server
- ingress_cluster_4443_webhook = {
- description = "Cluster API to node 4443/tcp webhook"
- from_port = 4443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 4443
- type = "ingress"
- }
- # prometheus-adapter
- ingress_cluster_6443_webhook = {
- description = "Cluster API to node 6443/tcp webhook"
- from_port = 6443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 6443
- type = "ingress"
- }
- # Karpenter
- ingress_cluster_8443_webhook = {
- description = "Cluster API to node 8443/tcp webhook"
- from_port = 8443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 8443
- type = "ingress"
- }
- # ALB controller, NGINX
- ingress_cluster_9443_webhook = {
- description = "Cluster API to node 9443/tcp webhook"
- from_port = 9443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 9443
- type = "ingress"
- }
- egress_all = {
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow all egress"
- from_port = 0
- protocol = "-1"
- to_port = 0
- type = "egress"
- # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
- }
- }
-}