diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go index 1106630d3c75a..7b6bed63fd1eb 100644 --- a/cmd/kops/integration_test.go +++ b/cmd/kops/integration_test.go @@ -135,7 +135,6 @@ func TestSharedVPC(t *testing.T) { // TestPhaseNetwork tests the output of tf for the network phase func TestPhaseNetwork(t *testing.T) { - t.Skip("unable to pass test w/o removing elb stuff") runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.PhaseNetwork) } @@ -151,13 +150,6 @@ func TestPhaseCluster(t *testing.T) { runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.PhaseCluster) } -// TestPhaseCluster tests the output of tf for the loadbalancer phase -func TestPhaseLoadBalancers(t *testing.T) { - t.Skip("unable to test until phase is created") - // TODO - // runTestPhase(t, "privateweave.example.com", "lifecycle_phases", "v1alpha2", true, 1, cloudup.LoadBalancers) -} - func runTest(t *testing.T, h *testutils.IntegrationTestHarness, clusterName string, srcDir string, version string, private bool, zones int, expectedFilenames []string, tfFileName string, phase *cloudup.Phase) { var stdout bytes.Buffer @@ -257,8 +249,8 @@ func runTest(t *testing.T, h *testutils.IntegrationTestHarness, clusterName stri } } - // Compare data files - { + // Compare data files if they are provided + if len(expectedFilenames) > 0 { files, err := ioutil.ReadDir(path.Join(h.TempDir, "out", "data")) if err != nil { t.Fatalf("failed to read data dir: %v", err) diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go index b9240a82cc1e9..ac3147c4e52f3 100644 --- a/pkg/model/awsmodel/api_loadbalancer.go +++ b/pkg/model/awsmodel/api_loadbalancer.go 
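Review bot: In runTest, the new guard `if len(expectedFilenames) > 0 {` skips the whole data-file block whenever a phase passes no expected filenames, so nothing verifies that such a phase leaves `out/data` empty. A phase that starts writing data files it should not (the security-phase fixture reads a public key from that directory) would pass unnoticed. I would keep the directory check unconditional and tolerate only the missing-directory case, e.g. `if os.IsNotExist(err) && len(expectedFilenames) == 0 { files = nil } else if err != nil { t.Fatalf("failed to read data dir: %v", err) }`, so that any unexpected file still fails the comparison. runTest starts and ends outside this hunk, so the comparison that follows the ReadDir call is assumed rather than seen.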
@@ -35,7 +35,8 @@ const LoadBalancerDefaultIdleTimeout = 5 * time.Minute // APILoadBalancerBuilder builds a LoadBalancer for accessing the API type APILoadBalancerBuilder struct { *AWSModelContext - Lifecycle *fi.Lifecycle + Lifecycle *fi.Lifecycle + SecurityLifecycle *fi.Lifecycle } var _ fi.ModelBuilder = &APILoadBalancerBuilder{} @@ -144,7 +145,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroup{ Name: s(b.ELBSecurityGroupName("api")), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, VPC: b.LinkToVPC(), Description: s("Security group for api ELB"), @@ -157,7 +158,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroupRule{ Name: s("api-elb-egress"), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToELBSecurityGroup("api"), Egress: fi.Bool(true), @@ -171,7 +172,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess { t := &awstasks.SecurityGroupRule{ Name: s("https-api-elb-" + cidr), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToELBSecurityGroup("api"), CIDR: s(cidr), @@ -187,7 +188,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroupRule{ Name: s("https-elb-to-master"), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster), SourceGroup: b.LinkToELBSecurityGroup("api"), diff --git a/pkg/model/bastion.go b/pkg/model/bastion.go index 361738a80b02d..4de117b27632a 100644 --- a/pkg/model/bastion.go +++ b/pkg/model/bastion.go 
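Review bot: The new exported field `SecurityLifecycle` on APILoadBalancerBuilder has no doc comment and no nil check, yet after this change every SecurityGroup and SecurityGroupRule task in Build takes its Lifecycle from it. A construction site that is not updated leaves the field nil, and those security tasks then carry a nil Lifecycle instead of the builder's `Lifecycle`; what the task runner does with a nil lifecycle is not visible here, so this should fail loudly rather than depend on it. I would document the field, `// SecurityLifecycle is applied to the security groups and rules; Lifecycle covers the load balancer itself`, and reject the nil case at the top of Build with `if b.SecurityLifecycle == nil { return fmt.Errorf("SecurityLifecycle must be set") }`. The same applies to `BastionModelBuilder.SecurityLifecycle` in pkg/model/bastion.go, whose Build hunks make the identical substitution; Build itself starts and ends outside these hunks.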
@@ -35,7 +35,8 @@ const BastionELBDefaultIdleTimeout = 5 * time.Minute type BastionModelBuilder struct { *KopsModelContext - Lifecycle *fi.Lifecycle + Lifecycle *fi.Lifecycle + SecurityLifecycle *fi.Lifecycle } var _ fi.ModelBuilder = &BastionModelBuilder{} @@ -56,7 +57,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroup{ Name: s(b.SecurityGroupName(kops.InstanceGroupRoleBastion)), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, VPC: b.LinkToVPC(), Description: s("Security group for bastion"), @@ -69,7 +70,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroupRule{ Name: s("bastion-egress"), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), Egress: fi.Bool(true), @@ -83,7 +84,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroupRule{ Name: s("ssh-elb-to-bastion"), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), SourceGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix), @@ -98,7 +99,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroupRule{ Name: s("bastion-to-master-ssh"), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster), SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), @@ -113,7 +114,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroupRule{ Name: s("bastion-to-node-ssh"), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode), SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), 
@@ -128,7 +129,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroup{ Name: s(b.ELBSecurityGroupName(BastionELBSecurityGroupPrefix)), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, VPC: b.LinkToVPC(), Description: s("Security group for bastion ELB"), @@ -141,7 +142,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { { t := &awstasks.SecurityGroupRule{ Name: s("bastion-elb-egress"), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix), Egress: fi.Bool(true), @@ -155,7 +156,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { for _, sshAccess := range b.Cluster.Spec.SSHAccess { t := &awstasks.SecurityGroupRule{ Name: s("ssh-external-to-bastion-elb-" + sshAccess), - Lifecycle: b.Lifecycle, + Lifecycle: b.SecurityLifecycle, SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix), Protocol: s("tcp"), diff --git a/tests/integration/update_cluster/lifecycle_phases/network-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/network-kubernetes.tf index f3b6be0738519..2b5614d373a5f 100644 --- a/tests/integration/update_cluster/lifecycle_phases/network-kubernetes.tf +++ b/tests/integration/update_cluster/lifecycle_phases/network-kubernetes.tf @@ -81,6 +81,7 @@ resource "aws_subnet" "us-test-1a-privateweave-example-com" { KubernetesCluster = "privateweave.example.com" Name = "us-test-1a.privateweave.example.com" "kubernetes.io/cluster/privateweave.example.com" = "owned" + "kubernetes.io/role/internal-elb" = "1" } } @@ -93,6 +94,7 @@ resource "aws_subnet" "utility-us-test-1a-privateweave-example-com" { KubernetesCluster = "privateweave.example.com" Name = "utility-us-test-1a.privateweave.example.com" "kubernetes.io/cluster/privateweave.example.com" = "owned" + "kubernetes.io/role/elb" = "1" } } 
diff --git a/tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf index b4e34dd048807..0a20b671d92af 100644 --- a/tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf +++ b/tests/integration/update_cluster/lifecycle_phases/security-kubernetes.tf 
@@ -87,6 +87,214 @@ resource "aws_key_pair" "kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39 public_key = "${file("${path.module}/data/aws_key_pair_kubernetes.privateweave.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key")}" } +resource "aws_security_group" "api-elb-privateweave-example-com" { + name = "api-elb.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for api ELB" + + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "api-elb.privateweave.example.com" + } +} + +resource "aws_security_group" "bastion-elb-privateweave-example-com" { + name = "bastion-elb.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for bastion ELB" + + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "bastion-elb.privateweave.example.com" + } +} + +resource "aws_security_group" "bastion-privateweave-example-com" { + name = "bastion.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for bastion" + + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "bastion.privateweave.example.com" + } +} + +resource "aws_security_group" "masters-privateweave-example-com" { + name = "masters.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for masters" + + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "masters.privateweave.example.com" + } +} + +resource "aws_security_group" "nodes-privateweave-example-com" { + name = "nodes.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for nodes" + + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "nodes.privateweave.example.com" + } +} + +resource "aws_security_group_rule" "all-master-to-master" { + type = "ingress" + security_group_id = 
"${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "all-master-to-node" { + type = "ingress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "all-node-to-node" { + type = "ingress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "api-elb-egress" { + type = "egress" + security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "bastion-egress" { + type = "egress" + security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "bastion-elb-egress" { + type = "egress" + security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "bastion-to-master-ssh" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" + from_port = 22 + to_port = 22 + protocol = "tcp" +} + +resource "aws_security_group_rule" "bastion-to-node-ssh" { + type = "ingress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + 
source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" + from_port = 22 + to_port = 22 + protocol = "tcp" +} + +resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "https-elb-to-master" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" + from_port = 443 + to_port = 443 + protocol = "tcp" +} + +resource "aws_security_group_rule" "master-egress" { + type = "egress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "node-egress" { + type = "egress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "node-to-master-tcp-1-4000" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 1 + to_port = 4000 + protocol = "tcp" +} + +resource "aws_security_group_rule" "node-to-master-tcp-4003-65535" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 4003 + to_port = 65535 + protocol = "tcp" +} + +resource "aws_security_group_rule" "node-to-master-udp-1-65535" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id 
= "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 1 + to_port = 65535 + protocol = "udp" +} + +resource "aws_security_group_rule" "ssh-elb-to-bastion" { + type = "ingress" + security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" + from_port = 22 + to_port = 22 + protocol = "tcp" +} + +resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] +} + terraform = { required_version = ">= 0.9.3" } diff --git a/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf deleted file mode 100644 index e936392bc1b7f..0000000000000 --- a/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf +++ /dev/null 
@@ -1,235 +0,0 @@ -output "bastion_security_group_ids" { - value = ["${aws_security_group.bastion-privateweave-example-com.id}"] -} - -output "cluster_name" { - value = "privateweave.example.com" -} - -output "master_security_group_ids" { - value = ["${aws_security_group.masters-privateweave-example-com.id}"] -} - -output "node_security_group_ids" { - value = ["${aws_security_group.nodes-privateweave-example-com.id}"] -} - -output "region" { - value = "us-test-1" -} - -provider "aws" { - region = "us-test-1" -} - -resource "aws_security_group" "api-elb-privateweave-example-com" { - name = "api-elb.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for api ELB" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "api-elb.privateweave.example.com" - } -} - -resource "aws_security_group" "bastion-elb-privateweave-example-com" { - name = "bastion-elb.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for bastion ELB" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "bastion-elb.privateweave.example.com" - } -} - -resource "aws_security_group" "bastion-privateweave-example-com" { - name = "bastion.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for bastion" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "bastion.privateweave.example.com" - } -} - -resource "aws_security_group" "masters-privateweave-example-com" { - name = "masters.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for masters" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "masters.privateweave.example.com" - } -} - -resource "aws_security_group" "nodes-privateweave-example-com" { - name = "nodes.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - 
description = "Security group for nodes" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "nodes.privateweave.example.com" - } -} - -resource "aws_security_group_rule" "all-master-to-master" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" -} - -resource "aws_security_group_rule" "all-master-to-node" { - type = "ingress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" -} - -resource "aws_security_group_rule" "all-node-to-node" { - type = "ingress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" -} - -resource "aws_security_group_rule" "api-elb-egress" { - type = "egress" - security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "bastion-egress" { - type = "egress" - security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "bastion-elb-egress" { - type = "egress" - security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "bastion-to-master-ssh" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = 
"${aws_security_group.bastion-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" -} - -resource "aws_security_group_rule" "bastion-to-node-ssh" { - type = "ingress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" -} - -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { - type = "ingress" - security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "https-elb-to-master" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" - from_port = 443 - to_port = 443 - protocol = "tcp" -} - -resource "aws_security_group_rule" "master-egress" { - type = "egress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "node-egress" { - type = "egress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "node-to-master-tcp-1-4000" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 1 - to_port = 4000 - protocol = "tcp" -} - -resource "aws_security_group_rule" "node-to-master-tcp-4003-65535" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = 
"${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 4003 - to_port = 65535 - protocol = "tcp" -} - -resource "aws_security_group_rule" "node-to-master-udp-1-65535" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 1 - to_port = 65535 - protocol = "udp" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - type = "ingress" - security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - type = "ingress" - security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] -} - -terraform = { - required_version = ">= 0.9.3" -} diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go index 9b61a9585df58..79c493d4c6c58 100644 --- a/upup/pkg/fi/cloudup/apply_cluster.go +++ b/upup/pkg/fi/cloudup/apply_cluster.go 
@@ -535,11 +535,11 @@ func (c *ApplyClusterCmd) Run() error { l.Builders = append(l.Builders, &model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle}, - &awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: networkLifecycle}, - &model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle}, - &model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle}, - &model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle}, - &model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle}, + &awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle}, + &model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle}, + &model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle}, + &model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle}, + &model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle}, &model.SSHKeyModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle}, ) 
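Review bot: The AWS builder list in Run now spreads one feature across two phases with no comment saying why: APILoadBalancerBuilder and BastionModelBuilder get `clusterLifecycle` for their load balancers and `securityLifecycle` for their security groups, DNSModelBuilder moves from the network to the cluster phase, and ExternalAccessModelBuilder and FirewallModelBuilder move to the security phase. Someone running a single phase needs to know that the security phase now owns every ingress and egress rule and that it refers to the VPC created by the network phase. A short comment above the `append` would record that, for example `// Security groups and all firewall rules belong to the security phase (requires the network phase); load balancers and DNS are created with the cluster.` Run starts and ends outside this hunk.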
@@ -563,9 +563,9 @@ func (c *ApplyClusterCmd) Run() error { l.Builders = append(l.Builders, &model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle}, - &gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle}, - &gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle}, - &gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle}, + &gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle}, + &gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle}, + &gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle}, &gcemodel.NetworkModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle}, )
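Review bot: On the GCE side `gcemodel.APILoadBalancerBuilder` is moved to `securityLifecycle` as a whole, while the AWS branch in the same commit keeps the load balancer on `clusterLifecycle` and routes only its security groups through a separate `SecurityLifecycle` field. If the GCE builder also creates the load-balancer resources themselves (it is not shown here), a security-phase run would create the API endpoint on GCE but not on AWS, and the two clouds would disagree on what the security phase is allowed to change. Either give the GCE builder the same two-field split, `Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle`, or add a comment on this line stating that the builder emits firewall resources only.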