diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml
index c20c238..3f67574 100644
--- a/.github/workflows/terraform-release.yaml
+++ b/.github/workflows/terraform-release.yaml
@@ -1,4 +1,4 @@
-name: Terraform CI/CD
+name: Terraform Module Release
on:
workflow_dispatch:
pull_request:
@@ -6,15 +6,15 @@ on:
branches:
- main
jobs:
- terraform-ci-cd:
- runs-on: 229685449397
+ terraform-release:
+ runs-on: "229685449397"
permissions:
contents: write
steps:
- name: Checkout code
uses: CSVD/gh-actions-checkout@v4
-
+
- name: Setup GITHUB Credentials
id: github_credentials
uses: CSVD/gh-auth@main
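Review bot: Quoting `runs-on: "229685449397"` correctly stops the all-digit label from being read as an integer, but nothing in the hunk says what that label designates; an inline comment such as `runs-on: "229685449397"  # self-hosted runner label — TODO confirm which pool` would spare the next reader a lookup. The renamed `terraform-release` job keeps `contents: write` and, per the context lines, still takes `CSVD/gh-auth@main` and `CSVD/releaser@main` by branch rather than by tag or commit SHA, so the credential-handling steps of a release run whatever those branches contain at run time; if those repositories are not under the same release control as this one, pinning them is worth a follow-up. The job definition continues past the end of the hunk.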
@@ -32,7 +32,7 @@ jobs:
# Test GitHub CLI auth status
gh auth status || echo "GitHub CLI authentication failed"
-
+
- name: Run Release Action
uses: CSVD/releaser@main
with:
diff --git a/README.md b/README.md
index ef22a3a..34cb686 100644
--- a/README.md
+++ b/README.md
@@ -98,12 +98,14 @@ efs-csi-controller 0 5m
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.13 |
| [aws](#requirement\_aws) | ~> 5.14 |
+| [null](#requirement\_null) | ~> 3.2 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.88.0 |
+| [aws](#provider\_aws) | 5.95.0 |
+| [null](#provider\_null) | 3.2.3 |
| [terraform](#provider\_terraform) | n/a |
## Modules
@@ -125,6 +127,7 @@ efs-csi-controller 0 5m
| [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf
new file mode 100644
index 0000000..ae2b6f1
--- /dev/null
+++ b/additional_sg_rules.tf
@@ -0,0 +1,21 @@
+locals {
+ node_security_group_additional_rules = {
+ ingress_nodes_ephemeral = {
+ description = "Node to node ingress on ephemeral ports"
+ from_port = 80
+ protocol = "tcp"
+ self = true
+ to_port = 65535
+ type = "ingress"
+ }
+ # ALB controller, NGINX
+ ingress_cluster_9443_webhook = {
+ description = "Cluster API to node 9443/tcp webhook"
+ from_port = 9443
+ protocol = "tcp"
+ source_cluster_security_group = true
+ to_port = 9443
+ type = "ingress"
+ }
+ }
+}
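Review bot: The `ingress_nodes_ephemeral` entry is described as "Node to node ingress on ephemeral ports" but its range is 80–65535, so the description understates what the rule opens; either start at the ephemeral boundary, `from_port = 1025`, or make the description honest, `description = "Node to node ingress on 80-65535/tcp"`. The new map also carries no egress entry, whereas the removed `sg_ports.tf` had `egress_all`; if the consuming cluster module does not supply a default egress rule, nodes end up with no outbound rule from this map, so a one-line comment stating where node egress is now defined would remove the guesswork. A short header comment naming the module input this local feeds would also help, since the file is otherwise undocumented.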
diff --git a/main.tf b/main.tf
index cf353f9..8e45b9e 100644
--- a/main.tf
+++ b/main.tf
@@ -135,6 +135,9 @@ resource "aws_ec2_tag" "container_subnets" {
}
}
+# NOTE: Because the source SG of this rule is the primary SG of the cluster,
+# we cannot add it to "node_security_group_additional_rules" map, which is
+# referenced by cluster module. It will create circular dependency.
resource "aws_security_group_rule" "allow_sidecar_injection" {
description = "Webhook container port, from Control Plane"
protocol = "tcp"
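Review bot: The new comment explains the placement well but reads awkwardly in its last sentence; suggest `# referenced by the cluster module; doing so would create a circular dependency.` for the final two lines. The `aws_security_group_rule` resource it documents continues past the hunk.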
diff --git a/requirements.tf b/requirements.tf
index 83145db..ea1dad6 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -6,5 +6,9 @@ terraform {
source = "hashicorp/aws"
version = "~> 5.14"
}
+ null = {
+ source = "hashicorp/null"
+ version = "~> 3.2"
+ }
}
}
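Review bot: The `null` provider is added here only to back `null_resource.git_version` in version.tf, yet the module already uses `terraform_data` (it is listed in the README), which is the built-in replacement for `null_resource` on Terraform 1.4+ and needs no extra provider. If `required_version` (above the hunk) already requires 1.4, the new `null` block can be dropped in favour of a `terraform_data` resource; if it really still allows `>= 0.13` as the README states, that constraint is already inconsistent with the existing `terraform_data` usage and should be raised. Should the provider stay, `~> 3.2` matches the README row and is fine. The `terraform` block opens before the hunk.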
diff --git a/security_groups.tf b/security_groups.tf
index e62c641..c37cec7 100644
--- a/security_groups.tf
+++ b/security_groups.tf
@@ -44,7 +44,6 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
}
}
-
resource "aws_security_group" "all_worker_mgmt" {
name = local.all_worker_mgmt_name
diff --git a/sg_ports.tf b/sg_ports.tf
deleted file mode 100644
index 8f9201c..0000000
--- a/sg_ports.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-locals {
- node_security_group_additional_rules = {
- ingress_nodes_ephemeral = {
- description = "Node to node ingress on ephemeral ports"
- from_port = 80
- protocol = "tcp"
- self = true
- to_port = 65535
- type = "ingress"
- }
- # metrics-server
- ingress_cluster_4443_webhook = {
- description = "Cluster API to node 4443/tcp webhook"
- from_port = 4443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 4443
- type = "ingress"
- }
- # prometheus-adapter
- ingress_cluster_6443_webhook = {
- description = "Cluster API to node 6443/tcp webhook"
- from_port = 6443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 6443
- type = "ingress"
- }
- # Karpenter
- ingress_cluster_8443_webhook = {
- description = "Cluster API to node 8443/tcp webhook"
- from_port = 8443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 8443
- type = "ingress"
- }
- # ALB controller, NGINX
- ingress_cluster_9443_webhook = {
- description = "Cluster API to node 9443/tcp webhook"
- from_port = 9443
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 9443
- type = "ingress"
- }
- egress_all = {
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow all egress"
- from_port = 0
- protocol = "-1"
- to_port = 0
- type = "egress"
- # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
- }
- }
-}
diff --git a/version.tf b/version.tf
index 12b0e9a..ac9731a 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,16 @@
+resource "null_resource" "git_version" {
+ triggers = {
+ # Force this to run on every apply to get the latest tag value
+ always_run = timestamp()
+ }
+
+ provisioner "local-exec" {
+ command = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag"
+ on_failure = continue
+ }
+}
+
locals {
module_name = "tfmod-eks"
- module_version = "0.1.1"
+ module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest"
}
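Review bot: The `command` in the `local-exec` provisioner redirects only the fallback branch: `git describe … || echo 'unknown' > …/.git_tag` sends a successful `git describe` to stdout and writes the file only when it fails, so `.git_tag` never receives a real tag; the line should be `command = "(git describe --tags --abbrev=0 2>/dev/null || echo 'unknown') > ${path.module}/.git_tag"`. Even with that fixed, `file()` in `locals` is evaluated at plan time while the provisioner runs at apply, so `module_version` reflects the tag written by the previous apply, and `always_run = timestamp()` makes the resource replace itself on every run, producing a perpetual diff. The resource also executes a shell command in the module directory on every apply, and consumers that pull the module from a registry have no `.git` there and will always read `unknown`; both facts belong in a comment on the resource so users of the module are not surprised. `.git_tag` should additionally be gitignored so a stale committed value is never picked up by `fileexists`.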