New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to add additional security groups to a node group #66
Ability to add additional security groups to a node group #66
Conversation
…he launch template depends on
+1. it would be great to have this. |
This pull request is now in conflict. Could you fix it @nustiueudinastea? 🙏 |
Hi @nustiueudinastea thanks for your work on this. There are conflicting files can you please rebase and then run the following commands.
This feature is currently needed for us. It would be great if you can take a look at this. |
@kwarunek @tirumerla I updated the PR and the docs. Please give it a go in your local environment if you have a chance. |
Sorry @nustiueudinastea just got back from my paternity. I added a comment and tested removing |
@nustiueudinastea @tirumerla we're using this feature over a month without any issues - it just do the job for us. Seems to be ok in the production clusters as well as in the development ones (multiple recreations occur every week) - in summary dozens of node groups.
|
@tirumerla I removed that length operation. Indeed it seemed useless. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This pull request is now in conflict. Could you fix it @nustiueudinastea? 🙏 |
@nustiueudinastea Could you please rebase it again so that the merge conflicts are fixed. @aknysh Can we run the tests and merge this once the rebase is done. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some changes requested, but for now do not rebase this PR, as that will pull in breaking changes that are scheduled to be reverted.
All changes to this module are temporarily on hold. We are working on updates to standardize how we we handle security groups and security group rules. This change will fit right in, but the code base will change significantly and this change might be lost if merged before then. Also, there is a decent chance we will simply incorporate this feature as part of the migration. However, if you want to use this by referencing the Git tag or commit, go ahead and make the requested changes.
@@ -12,7 +12,7 @@ locals { | |||
|
|||
need_remote_access_sg = local.enabled && local.have_ssh_key && local.generate_launch_template | |||
|
|||
get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false | |||
get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg || length(var.additional_security_group_ids) > 0) : false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not needed. get_cluster_date
is true only if we need to invoke a data provider to get more information about the cluster.
get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg || length(var.additional_security_group_ids) > 0) : false | |
get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false |
@@ -86,6 +86,7 @@ locals { | |||
ec2_ssh_key = local.have_ssh_key ? var.ec2_ssh_key : "none" | |||
# Keep sorted so that change in order does not trigger replacement via random_pet | |||
source_security_group_ids = local.ng_needs_remote_access ? sort(var.source_security_group_ids) : [] | |||
additional_security_group_ids = sort(var.additional_security_group_ids) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ng
object is just for data that is needed for the aws_eks_node_group
resource. Since additional_security_group_ids
only affects the launch template, this should not be here.
@@ -46,6 +46,12 @@ variable "source_security_group_ids" { | |||
description = "Set of EC2 Security Group IDs to allow SSH access (port 22) to the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0)" | |||
} | |||
|
|||
variable "additional_security_group_ids" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have a new naming convention. Please rename this associated_security_group_ids
variable "additional_security_group_ids" { | |
variable "associated_security_group_ids" { |
what
why