From fb3a7bb5f28182ace26d4a221eaf3b262e115c09 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 19:42:37 -0400 Subject: [PATCH 01/20] update sg naming --- security_groups.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/security_groups.tf b/security_groups.tf index e62c641..5fc9024 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -100,14 +100,6 @@ resource "aws_security_group" "extra_cluster_sg" { cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) } - # kubectl logs - ingress { - from_port = 10250 - to_port = 10250 - protocol = "tcp" - cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) - } - egress { from_port = 0 to_port = 0 From a2124bda30e7557751a2a34474cf8ed3d176037f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 20:28:11 -0400 Subject: [PATCH 02/20] enable private access --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index cf353f9..663db4b 100644 --- a/main.tf +++ b/main.tf @@ -44,6 +44,7 @@ module "cluster" { "controllerManager", "scheduler", ] + cloudwatch_log_group_retention_in_days = "14" vpc_id = local.vpc_id subnet_ids = local.subnets From 3c1c1ff260e9bf9cb8bc14c9cbb2154716861e20 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 20:47:06 -0400 Subject: [PATCH 03/20] align with upstream --- security_groups.tf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security_groups.tf b/security_groups.tf index 5fc9024..e8449a3 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -10,7 +10,11 @@ resource "aws_security_group" "additional_eks_cluster_sg" { tags = merge( local.base_tags, var.tags, +<<<<<<< HEAD { "Name" = local.additional_eks_cluster_sg_name }, +======= + tomap({ "Name" = local.additional_eks_cluster_sg_name }), +>>>>>>> ddd6d64 (align with upstream) ) vpc_id = data.aws_vpc.eks_vpc.id 
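Review bot: The only change in this main.tf hunk, `cloudwatch_log_group_retention_in_days = "14"`, sets control-plane log retention and does not enable private endpoint access as the subject claims; if restricting the API endpoint was the goal it needs the module's endpoint-access inputs, which this commit does not touch. Fourteen days is short for the control-plane log types listed just above if those logs are relied on during incident response — consider a longer retention, or a comment stating that long-term copies are exported elsewhere. The value is also a quoted string where the argument is numeric; Terraform coerces it, but `cloudwatch_log_group_retention_in_days = 14` is cleaner. The enclosing `module "cluster"` block starts before and ends after this hunk.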
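Review bot: This security_groups.tf hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> ddd6d64`) inside the `tags = merge(...)` call, which is not valid HCL and will fail `terraform validate`/`plan` for every consumer of the module until it is fixed. Resolve it in this commit by keeping one of the two equivalent forms, e.g. `{ "Name" = local.additional_eks_cluster_sg_name },` — `tomap()` adds nothing here because `merge()` already accepts object literals. That the markers could land on the branch also suggests the validate workflow is not gating merges; its triggers are worth checking. The `aws_security_group "additional_eks_cluster_sg"` resource starts before and ends after this hunk.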
@@ -100,6 +104,14 @@ resource "aws_security_group" "extra_cluster_sg" { cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) } + # kubectl logs + ingress { + from_port = 10250 + to_port = 10250 + protocol = "tcp" + cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) + } + egress { from_port = 0 to_port = 0 From ee61f015cf844c295207bf921b9e815158729b84 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:43:01 -0400 Subject: [PATCH 04/20] set support to standard --- main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.tf b/main.tf index 663db4b..788ffa1 100644 --- a/main.tf +++ b/main.tf @@ -45,6 +45,9 @@ module "cluster" { "scheduler", ] cloudwatch_log_group_retention_in_days = "14" + upgrade_policy = { + support_type = "STANDARD" + } vpc_id = local.vpc_id subnet_ids = local.subnets From 821c563bc770c7e8b64a7d45592907e1695ad853 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:44:58 -0400 Subject: [PATCH 05/20] syntax --- main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 788ffa1..3d19787 100644 --- a/main.tf +++ b/main.tf @@ -45,10 +45,9 @@ module "cluster" { "scheduler", ] cloudwatch_log_group_retention_in_days = "14" - upgrade_policy = { + upgrade_policy { support_type = "STANDARD" } - vpc_id = local.vpc_id subnet_ids = local.subnets From 22324eb93b59ff0ed4fb45505b7cb07291606f81 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:47:37 -0400 Subject: [PATCH 06/20] fmt --- main.tf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 3d19787..663db4b 100644 --- a/main.tf +++ b/main.tf @@ -45,9 +45,7 @@ module "cluster" { "scheduler", ] cloudwatch_log_group_retention_in_days = "14" - upgrade_policy { - support_type = "STANDARD" - } + vpc_id = local.vpc_id subnet_ids = local.subnets From 5f1810291509d43fb686c05efc89c66bb158eb50 Mon Sep 17 00:00:00 2001 
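Review bot: The re-added `# kubectl logs` ingress opens 10250/tcp (the kubelet API) to `var.census_private_cidr` plus all of `10.0.0.0/8`, which is far wider than the traffic path it names: `kubectl logs`/`exec` are proxied by the API server, so the only required source is the cluster's control-plane security group. Replace the CIDR list with a `security_groups` reference to that group (the upstream module exposes it as `cluster_security_group_id`, assuming this module still surfaces that output) and leave the hard-coded /8 out; anything on 10.0.0.0/8 that can reach 10250 gets a direct line to every pod's logs and, if kubelet authorization is ever misconfigured, exec. The subject "align with upstream" does not mention re-adding a rule that PATCH 01 removed — say why in the comment, e.g. `# kubelet API; control plane only, needed for kubectl logs/exec`. The `extra_cluster_sg` resource begins before this hunk.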
From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 22:29:46 -0400 Subject: [PATCH 07/20] try arm --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 663db4b..32abadc 100644 --- a/main.tf +++ b/main.tf @@ -81,7 +81,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_x86_64" + ami_type = "BOTTLEROCKET_ARM_64_FIPS" } node_security_group_enable_recommended_rules = true From c8143959188604d67c595fc945d8ecd071c321ab Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 22:31:17 -0400 Subject: [PATCH 08/20] not fips --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 32abadc..752d3c2 100644 --- a/main.tf +++ b/main.tf @@ -81,7 +81,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_ARM_64_FIPS" + ami_type = "BOTTLEROCKET_ARM_64" } node_security_group_enable_recommended_rules = true From 245d483ea2ff5151463e7a9afc7d59a448300217 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 21 Mar 2025 14:29:25 -0400 Subject: [PATCH 09/20] not arm --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 752d3c2..663db4b 100644 --- a/main.tf +++ b/main.tf @@ -81,7 +81,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_ARM_64" + ami_type = "BOTTLEROCKET_x86_64" } node_security_group_enable_recommended_rules = true From c7b72560b666804aae8f8829a4cd3273cd02fc5a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 21 Mar 2025 18:29:14 -0400 Subject: [PATCH 10/20] sort --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index 663db4b..cf353f9 100644 --- a/main.tf +++ b/main.tf @@ -44,7 +44,6 @@ module "cluster" { "controllerManager", "scheduler", ] - cloudwatch_log_group_retention_in_days = "14" vpc_id = local.vpc_id subnet_ids = local.subnets 
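Review bot: Switching `ami_type` from `BOTTLEROCKET_ARM_64_FIPS` to `BOTTLEROCKET_ARM_64` silently drops the FIPS-validated image for every managed node group, and the subject "not fips" records neither why nor whether FIPS was a requirement. If FIPS was only an accident of the first attempt, say so in a comment next to `ami_type`; if it is required, the reason the FIPS variant was abandoned (availability in this region or Kubernetes version, presumably) belongs in the commit rather than a reversal one minute later. The next commit flips back to `BOTTLEROCKET_x86_64`, so the `eks_managed_node_group_defaults` block should carry a comment naming the intended architecture and FIPS posture to stop further churn. The `module "cluster"` block extends past this hunk.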
From aa71b3ec59dffd54feaaf8320ac78f8f82da5ecb Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 1 Apr 2025 16:04:51 -0400 Subject: [PATCH 11/20] try new addons --- main.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/main.tf b/main.tf index cf353f9..927b849 100644 --- a/main.tf +++ b/main.tf @@ -61,15 +61,30 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } + cert-manager = { + most_recent = true + } coredns = { most_recent = true } eks-pod-identity-agent = { most_recent = true } + external-dns = { + most_recent = true + } kube-proxy = { most_recent = true } + kube-state-metrics = { + most_recent = true + } + metrics-server = { + most_recent = true + } + prometheus-node-exporter = { + most_recent = true + } snapshot-controller = { most_recent = true } From b9e4079a3e59e6f9a1d3ce010e271d227fb8a0e7 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 1 Apr 2025 16:57:17 -0400 Subject: [PATCH 12/20] tehse addons don't work --- main.tf | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/main.tf b/main.tf index 927b849..cf353f9 100644 --- a/main.tf +++ b/main.tf @@ -61,30 +61,15 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } - cert-manager = { - most_recent = true - } coredns = { most_recent = true } eks-pod-identity-agent = { most_recent = true } - external-dns = { - most_recent = true - } kube-proxy = { most_recent = true } - kube-state-metrics = { - most_recent = true - } - metrics-server = { - most_recent = true - } - prometheus-node-exporter = { - most_recent = true - } snapshot-controller = { most_recent = true } From 5ea4a63e5e0ffea97ff2a9065b82b2a2ee937720 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 1 Apr 2025 17:37:51 -0400 Subject: [PATCH 13/20] remove extra tomap()s --- security_groups.tf | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/security_groups.tf b/security_groups.tf index e8449a3..e62c641 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -10,11 +10,7 @@ resource "aws_security_group" "additional_eks_cluster_sg" { tags = merge( local.base_tags, var.tags, -<<<<<<< HEAD { "Name" = local.additional_eks_cluster_sg_name }, -======= - tomap({ "Name" = local.additional_eks_cluster_sg_name }), ->>>>>>> ddd6d64 (align with upstream) ) vpc_id = data.aws_vpc.eks_vpc.id From d835a31060e325d0cc4316098212ccbf3618c3b4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 16 Apr 2025 12:55:17 -0400 Subject: [PATCH 14/20] use data to set version in module --- README.md | 4 ++++ requirements.tf | 4 ++++ version.tf | 27 +++++++++++++++++++++++++-- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ef22a3a..7134c2a 100644 --- a/README.md +++ b/README.md @@ -98,12 +98,14 @@ efs-csi-controller 0 5m |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | ~> 5.14 | +| [null](#requirement\_null) | ~> 3.2 | ## Providers | Name | Version | |------|---------| | [aws](#provider\_aws) | 5.88.0 | +| [null](#provider\_null) | 3.2.3 | | [terraform](#provider\_terraform) | n/a | ## Modules 
@@ -125,6 +127,8 @@ efs-csi-controller 0 5m | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.module_name](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/requirements.tf b/requirements.tf index 83145db..ea1dad6 100644 --- a/requirements.tf +++ b/requirements.tf @@ -6,5 +6,9 @@ terraform { source = "hashicorp/aws" version = "~> 5.14" } + null = { + source = "hashicorp/null" + version = "~> 3.2" + } } } diff --git a/version.tf b/version.tf index 12b0e9a..a91119e 100644 --- a/version.tf +++ b/version.tf 
@@ -1,4 +1,27 @@ +resource "null_resource" "git_version" { + triggers = { + # Force this to run on every apply to get the latest tag value + always_run = timestamp() + } + + provisioner "local-exec" { + command = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag" + on_failure = continue + } +} + +resource "null_resource" "module_name" { + triggers = { + module_path = path.module + } + + provisioner "local-exec" { + command = "basename $(pwd) > ${path.module}/.module_name" + on_failure = continue + } +} + locals { - module_name = "tfmod-eks" - module_version = "0.1.1" + module_name = fileexists("${path.module}/.module_name") ? trimspace(file("${path.module}/.module_name")) : "tfmod-eks" + module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest" } From 159a98a998aa9b3c4a0047996a54a8b018a910ba Mon Sep 17 00:00:00 2001 From: Delong Yang Date: Wed, 16 Apr 2025 20:00:48 -0400 Subject: [PATCH 15/20] Rename sg_ports.tf and clean up duplicate rules (#42) - Rename sg_ports.tf to additional_sg_rules.tf - Clean up duplicate rules - Add a comment --------- Co-authored-by: Matthew Creal Morgan --- additional_sg_rules.tf | 21 ++++++++++++++++ main.tf | 3 +++ sg_ports.tf | 57 ------------------------------------------ 3 files changed, 24 insertions(+), 57 deletions(-) create mode 100644 additional_sg_rules.tf delete mode 100644 sg_ports.tf diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf new file mode 100644 index 0000000..ae2b6f1 --- /dev/null +++ b/additional_sg_rules.tf 
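Review bot: The `local-exec` command in `null_resource.git_version` never writes the tag on success: in `git describe ... 2>/dev/null || echo 'unknown' > …/.git_tag` the redirect applies only to the `echo`, so the tag goes to the runner's stdout and `.git_tag` is created, containing `unknown`, only when git fails; the fix is `(git -C "${path.module}" describe --tags --abbrev=0 2>/dev/null || echo unknown) > "${path.module}/.git_tag"`. Even with that fixed, `fileexists()`/`file()` in the locals are evaluated at plan time before any provisioner runs, so `module_version` always reflects the previous apply (or the fallback), and `always_run = timestamp()` makes every plan non-empty. `null_resource.module_name` has the same shape problem — `basename $(pwd)` is the caller's working directory, not this module's. Running shell from a provisioner in a module consumed by other repos is also a supply-chain surface; writing the version into a committed file at release time avoids both the provisioner and the stale read.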
@@ -0,0 +1,21 @@ +locals { + node_security_group_additional_rules = { + ingress_nodes_ephemeral = { + description = "Node to node ingress on ephemeral ports" + from_port = 80 + protocol = "tcp" + self = true + to_port = 65535 + type = "ingress" + } + # ALB controller, NGINX + ingress_cluster_9443_webhook = { + description = "Cluster API to node 9443/tcp webhook" + from_port = 9443 + protocol = "tcp" + source_cluster_security_group = true + to_port = 9443 + type = "ingress" + } + } +} diff --git a/main.tf b/main.tf index cf353f9..8e45b9e 100644 --- a/main.tf +++ b/main.tf @@ -135,6 +135,9 @@ resource "aws_ec2_tag" "container_subnets" { } } +# NOTE: Because the source SG of this rule is the primary SG of the cluster, +# we cannot add it to "node_security_group_additional_rules" map, which is +# referenced by cluster module. It will create circular dependency. resource "aws_security_group_rule" "allow_sidecar_injection" { description = "Webhook container port, from Control Plane" protocol = "tcp" diff --git a/sg_ports.tf b/sg_ports.tf deleted file mode 100644 index 8f9201c..0000000 --- a/sg_ports.tf +++ /dev/null 
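Review bot: `ingress_nodes_ephemeral` is described as "Node to node ingress on ephemeral ports" but starts at `from_port = 80`, so it also opens 80–1024 (HTTP/HTTPS, DNS and other well-known ports) between nodes; either use `from_port = 1025` to match the description or change the description to state that every port from 80 up is intentionally allowed. Dropping `egress_all` from this map means node egress now depends entirely on the module's recommended rules (`node_security_group_enable_recommended_rules = true` in main.tf), which is fine but deserves a one-line comment so nobody re-adds a `0.0.0.0/0` egress here. The removed 4443/6443/8443 webhook rules are presumably covered by those same recommended rules, which makes `ingress_cluster_9443_webhook` the only local addition — a comment saying so would help the next reader.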
@@ -1,57 +0,0 @@ -locals { - node_security_group_additional_rules = { - ingress_nodes_ephemeral = { - description = "Node to node ingress on ephemeral ports" - from_port = 80 - protocol = "tcp" - self = true - to_port = 65535 - type = "ingress" - } - # metrics-server - ingress_cluster_4443_webhook = { - description = "Cluster API to node 4443/tcp webhook" - from_port = 4443 - protocol = "tcp" - source_cluster_security_group = true - to_port = 4443 - type = "ingress" - } - # prometheus-adapter - ingress_cluster_6443_webhook = { - description = "Cluster API to node 6443/tcp webhook" - from_port = 6443 - protocol = "tcp" - source_cluster_security_group = true - to_port = 6443 - type = "ingress" - } - # Karpenter - ingress_cluster_8443_webhook = { - description = "Cluster API to node 8443/tcp webhook" - from_port = 8443 - protocol = "tcp" - source_cluster_security_group = true - to_port = 8443 - type = "ingress" - } - # ALB controller, NGINX - ingress_cluster_9443_webhook = { - description = "Cluster API to node 9443/tcp webhook" - from_port = 9443 - protocol = "tcp" - source_cluster_security_group = true - to_port = 9443 - type = "ingress" - } - egress_all = { - cidr_blocks = ["0.0.0.0/0"] - description = "Allow all egress" - from_port = 0 - protocol = "-1" - to_port = 0 - type = "egress" - # ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null - } - } -} From 374b396bf3790a8f99e0e7cadb1593488f3ed96b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 11:42:01 -0400 Subject: [PATCH 16/20] ensure workflows are current --- .../terraform-release.yaml => terraform-release.yaml | 10 +++++----- .../terraform-validate.yaml => terraform-validate.yaml | 0 2 files changed, 5 insertions(+), 5 deletions(-) rename .github/workflows/terraform-release.yaml => terraform-release.yaml (93%) rename .github/workflows/terraform-validate.yaml => terraform-validate.yaml (100%) 
diff --git a/.github/workflows/terraform-release.yaml b/terraform-release.yaml similarity index 93% rename from .github/workflows/terraform-release.yaml rename to terraform-release.yaml index c20c238..3f67574 100644 --- a/.github/workflows/terraform-release.yaml +++ b/terraform-release.yaml @@ -1,4 +1,4 @@ -name: Terraform CI/CD +name: Terraform Module Release on: workflow_dispatch: pull_request: @@ -6,15 +6,15 @@ on: branches: - main jobs: - terraform-ci-cd: - runs-on: 229685449397 + terraform-release: + runs-on: "229685449397" permissions: contents: write steps: - name: Checkout code uses: CSVD/gh-actions-checkout@v4 - + - name: Setup GITHUB Credentials id: github_credentials uses: CSVD/gh-auth@main @@ -32,7 +32,7 @@ jobs: # Test GitHub CLI auth status gh auth status || echo "GitHub CLI authentication failed" - + - name: Run Release Action uses: CSVD/releaser@main with: diff --git a/.github/workflows/terraform-validate.yaml b/terraform-validate.yaml similarity index 100% rename from .github/workflows/terraform-validate.yaml rename to terraform-validate.yaml From 0591c762b06ac2a94b2410f6fed273ce95a77a2a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 15:42:40 -0400 Subject: [PATCH 17/20] ensure workflows are current --- .../workflows/terraform-release.yaml | 0 .../workflows/terraform-validate.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename terraform-release.yaml => .github/workflows/terraform-release.yaml (100%) rename terraform-validate.yaml => .github/workflows/terraform-validate.yaml (100%) diff --git a/terraform-release.yaml b/.github/workflows/terraform-release.yaml similarity index 100% rename from terraform-release.yaml rename to .github/workflows/terraform-release.yaml diff --git a/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml similarity index 100% rename from terraform-validate.yaml rename to .github/workflows/terraform-validate.yaml 
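Review bot: Moving `terraform-release.yaml` and `terraform-validate.yaml` out of `.github/workflows/` to the repo root disables both, because GitHub Actions only loads workflows from that directory; until the following commit moves them back, nothing validates or releases this module. Within the release job, `uses: CSVD/gh-auth@main` and `uses: CSVD/releaser@main` track a mutable branch while the checkout step is pinned to `@v4`; a job with `contents: write` and GitHub credentials should pin its actions to a tag or, better, a full commit SHA so a change to those repositories cannot alter what runs here. `gh auth status || echo "GitHub CLI authentication failed"` also turns an auth failure into a log line so the release step runs regardless — drop the `|| echo …` or follow it with `exit 1`.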
From 523e5576bf025e0df0094b60718ae443a7a9d22f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 22 Apr 2025 00:59:28 -0400 Subject: [PATCH 18/20] ensure committed --- README.md | 3 +-- version.tf | 13 +------------ 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 7134c2a..34cb686 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ efs-csi-controller 0 5m | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.88.0 | +| [aws](#provider\_aws) | 5.95.0 | | [null](#provider\_null) | 3.2.3 | | [terraform](#provider\_terraform) | n/a | @@ -128,7 +128,6 @@ efs-csi-controller 0 5m | [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [null_resource.module_name](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/version.tf b/version.tf index a91119e..ac9731a 100644 --- a/version.tf +++ b/version.tf 
@@ -10,18 +10,7 @@ resource "null_resource" "git_version" { } } -resource "null_resource" "module_name" { - triggers = { - module_path = path.module - } - - provisioner "local-exec" { - command = "basename $(pwd) > ${path.module}/.module_name" - on_failure = continue - } -} - locals { - module_name = fileexists("${path.module}/.module_name") ? trimspace(file("${path.module}/.module_name")) : "tfmod-eks" + module_name = "tfmod-eks" module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest" } From d6e8081e1f5c8aba47c4d633dd8d1e97eae2b72f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 22 Apr 2025 12:16:30 -0400 Subject: [PATCH 19/20] nuke --- security_groups.tf | 120 --------------------------------------------- 1 file changed, 120 deletions(-) delete mode 100644 security_groups.tf diff --git a/security_groups.tf b/security_groups.tf deleted file mode 100644 index e62c641..0000000 --- a/security_groups.tf +++ /dev/null 
@@ -1,120 +0,0 @@ - -locals { - all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local.prefixes["eks-security-group"], var.cluster_name) - additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name) -} - -resource "aws_security_group" "additional_eks_cluster_sg" { - name = local.additional_eks_cluster_sg_name - - tags = merge( - local.base_tags, - var.tags, - { "Name" = local.additional_eks_cluster_sg_name }, - ) - - vpc_id = data.aws_vpc.eks_vpc.id - - ingress { - from_port = 0 - to_port = 0 - protocol = -1 - - security_groups = [ - aws_security_group.all_worker_mgmt.id, - ] - } - - # in-VPC access to K8s API - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - lifecycle { - ignore_changes = [ingress, egress] - } -} - - -resource "aws_security_group" "all_worker_mgmt" { - name = local.all_worker_mgmt_name - - tags = merge( - local.base_tags, - var.tags, - { "Name" = local.all_worker_mgmt_name }, - ) - - vpc_id = local.vpc_id - - ingress { - from_port = 0 - to_port = 0 - protocol = -1 - cidr_blocks = [local.vpc_cidr_block] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - lifecycle { - ignore_changes = [ingress, egress] - } -} - -resource "aws_security_group" "extra_cluster_sg" { - name = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) - description = format("Security group for additional access for EKS cluster %v", var.cluster_name) - - tags = merge( - local.base_tags, - var.tags, - { "Name" = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) }, - ) - - vpc_id = data.aws_vpc.eks_vpc.id - - ingress { - from_port = 0 - to_port = 0 - protocol = -1 - self = true - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - 
cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) - } - - # kubectl logs - ingress { - from_port = 10250 - to_port = 10250 - protocol = "tcp" - cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - lifecycle { - ignore_changes = [ingress, egress] - } -} From 0079d6f10bfd3944b6b5de2671c3f6d5fabb20be Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 22 Apr 2025 12:24:05 -0400 Subject: [PATCH 20/20] restore security_groups.tf --- security_groups.tf | 119 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 security_groups.tf diff --git a/security_groups.tf b/security_groups.tf new file mode 100644 index 0000000..c37cec7 --- /dev/null +++ b/security_groups.tf 
@@ -0,0 +1,119 @@ + +locals { + all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local.prefixes["eks-security-group"], var.cluster_name) + additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name) +} + +resource "aws_security_group" "additional_eks_cluster_sg" { + name = local.additional_eks_cluster_sg_name + + tags = merge( + local.base_tags, + var.tags, + { "Name" = local.additional_eks_cluster_sg_name }, + ) + + vpc_id = data.aws_vpc.eks_vpc.id + + ingress { + from_port = 0 + to_port = 0 + protocol = -1 + + security_groups = [ + aws_security_group.all_worker_mgmt.id, + ] + } + + # in-VPC access to K8s API + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + lifecycle { + ignore_changes = [ingress, egress] + } +} + +resource "aws_security_group" "all_worker_mgmt" { + name = local.all_worker_mgmt_name + + tags = merge( + local.base_tags, + var.tags, + { "Name" = local.all_worker_mgmt_name }, + ) + + vpc_id = local.vpc_id + + ingress { + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = [local.vpc_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + lifecycle { + ignore_changes = [ingress, egress] + } +} + +resource "aws_security_group" "extra_cluster_sg" { + name = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) + description = format("Security group for additional access for EKS cluster %v", var.cluster_name) + + tags = merge( + local.base_tags, + var.tags, + { "Name" = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) }, + ) + + vpc_id = data.aws_vpc.eks_vpc.id + + ingress { + from_port = 0 + to_port = 0 + protocol = -1 + self = true + } + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + 
cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) + } + + # kubectl logs + ingress { + from_port = 10250 + to_port = 10250 + protocol = "tcp" + cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + lifecycle { + ignore_changes = [ingress, egress] + } +}
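Review bot: Every security group in the restored file carries `lifecycle { ignore_changes = [ingress, egress] }`, which makes Terraform blind to the actual rule set: a rule added by hand (a 0.0.0.0/0 ingress, say) never shows in plan and is never reverted, so these groups are not under IaC control after the first apply. If the intent is to let the EKS module or operators attach rules, model those as separate `aws_vpc_security_group_ingress_rule`/`aws_security_group_rule` resources and drop the `ignore_changes`; otherwise put a comment on each block explaining which out-of-band changes it is meant to tolerate. The rules are broad even before drift — `all_worker_mgmt` allows all ports and protocols from the entire VPC CIDR, and `extra_cluster_sg` opens the kubelet port 10250 to `10.0.0.0/8` — and `concat(var.census_private_cidr, ["10.0.0.0/8"])` appears three times, so pull it into one local (e.g. `api_allowed_cidrs`) where the /8 is documented and reviewed once. The restored file is one line shorter than the deleted one (119 vs 120), which looks like a dropped blank line only; a diff against the pre-"nuke" version would confirm nothing else changed.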