From 4383bf328ff57148bdea4b633ce2a2b1d47e25a9 Mon Sep 17 00:00:00 2001 From: John Gardiner Myers Date: Mon, 2 Oct 2023 17:23:14 -0700 Subject: [PATCH 1/2] Stop using DualStack subnets by default --- cloudmock/aws/mockelbv2/targetgroups.go | 1 + docs/networking/ipv6.md | 2 +- docs/topology.md | 2 +- pkg/apis/kops/validation/aws.go | 3 + pkg/model/awsmodel/api_loadbalancer.go | 65 ++++++++++----- pkg/model/awsmodel/bastion.go | 79 +++++++++++++------ .../awstasks/launchtemplate_target_api.go | 6 ++ upup/pkg/fi/cloudup/awstasks/targetgroup.go | 30 ++++--- upup/pkg/fi/cloudup/new_cluster.go | 14 +--- .../fi/cloudup/populate_instancegroup_spec.go | 8 -- 10 files changed, 135 insertions(+), 75 deletions(-) diff --git a/cloudmock/aws/mockelbv2/targetgroups.go b/cloudmock/aws/mockelbv2/targetgroups.go index 400b97451d620..2c544566b7cbe 100644 --- a/cloudmock/aws/mockelbv2/targetgroups.go +++ b/cloudmock/aws/mockelbv2/targetgroups.go @@ -95,6 +95,7 @@ func (m *MockELBV2) CreateTargetGroup(request *elbv2.CreateTargetGroupInput) (*e tg := elbv2.TargetGroup{ TargetGroupName: request.Name, + IpAddressType: request.IpAddressType, Port: request.Port, Protocol: request.Protocol, VpcId: request.VpcId, diff --git a/docs/networking/ipv6.md b/docs/networking/ipv6.md index ef24a075cd0e9..ba7f9b1e8c3a7 100644 --- a/docs/networking/ipv6.md +++ b/docs/networking/ipv6.md 
@@ -23,7 +23,7 @@ For example, if the VPC's CIDR is `2001:db8::/56` then the syntax `/64#a` would Public and utility subnets are expected to be dual-stack. Subnets of type `Private` are expected to be IPv6-only. There is a new type of subnet `DualStack` which is like `Private` but is dual-stack. -The `DualStack` subnets are used by default for the control plane and APIServer nodes. +Prior to kOps 1.29, `DualStack` subnets are used by default for bastion servers, the control plane, and APIServer nodes. IPv6-only subnets require Kubernetes 1.22 or later. For this reason, private topology on an IPv6 cluster also requires Kubernetes 1.22 or later. diff --git a/docs/topology.md b/docs/topology.md index 0d597d713bc64..d2e709d0f269b 100644 --- a/docs/topology.md +++ b/docs/topology.md @@ -37,7 +37,7 @@ NAT64 range `64:ff9b::/96` is typically routed to a NAT64 device, such as an AWS A subnet of type `DualStack` is like `Private`, but supports both IPv4 and IPv6. -On AWS, this subnet type is used for nodes, such as control plane nodes and bastions, +On AWS prior to kOps 1.29, this subnet type is used for nodes, such as control plane nodes and bastions, which need to be instance targets of a load balancer. ## Utility Subnet diff --git a/pkg/apis/kops/validation/aws.go b/pkg/apis/kops/validation/aws.go index 333079e14552b..41554dcbf8b50 100644 --- a/pkg/apis/kops/validation/aws.go +++ b/pkg/apis/kops/validation/aws.go 
@@ -47,6 +47,9 @@ func awsValidateCluster(c *kops.Cluster, strict bool) field.ErrorList { if lbSpec.Class == kops.LoadBalancerClassNetwork && lbSpec.UseForInternalAPI && lbSpec.Type == kops.LoadBalancerTypeInternal { allErrs = append(allErrs, field.Forbidden(lbPath.Child("useForInternalAPI"), "useForInternalAPI cannot be used with internal NLB due lack of hairpinning support")) } + if lbSpec.Class == kops.LoadBalancerClassClassic && c.Spec.IsIPv6Only() { + allErrs = append(allErrs, field.Forbidden(lbPath.Child("class"), "IPv6 clusters do not support classic load balancers")) + } if lbSpec.SSLCertificate != "" && lbSpec.Class != kops.LoadBalancerClassNetwork { allErrs = append(allErrs, field.Forbidden(lbPath.Child("sslCertificate"), "sslCertificate requires a network load balancer. See https://github.com/kubernetes/kops/blob/master/permalinks/acm_nlb.md")) } diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go index b5158ca6e0ddb..cfd224c574276 100644 --- a/pkg/model/awsmodel/api_loadbalancer.go +++ b/pkg/model/awsmodel/api_loadbalancer.go @@ -270,6 +270,11 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error { } } + ipAddressType := "ipv4" + if b.Cluster.Spec.IsIPv6Only() { + ipAddressType = "ipv6" + } + if b.APILoadBalancerClass() == kops.LoadBalancerClassClassic { c.AddTask(clb) } else if b.APILoadBalancerClass() == kops.LoadBalancerClassNetwork { @@ -290,6 +295,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error { Lifecycle: b.Lifecycle, VPC: b.LinkToVPC(), Tags: groupTags, + IPAddressType: fi.PtrTo(ipAddressType), Protocol: fi.PtrTo("TCP"), Port: fi.PtrTo(int64(443)), Attributes: groupAttrs, 
@@ -316,6 +322,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error { Lifecycle: b.Lifecycle, VPC: b.LinkToVPC(), Tags: groupTags, + IPAddressType: fi.PtrTo(ipAddressType), Protocol: fi.PtrTo("TCP"), Port: fi.PtrTo(int64(wellknownports.KopsControllerPort)), Attributes: groupAttrs, @@ -341,6 +348,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error { Lifecycle: b.Lifecycle, VPC: b.LinkToVPC(), Tags: tlsGroupTags, + IPAddressType: fi.PtrTo(ipAddressType), Protocol: fi.PtrTo("TLS"), Port: fi.PtrTo(int64(443)), Attributes: groupAttrs, @@ -517,24 +525,6 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error { SourceGroup: lbSG, ToPort: fi.PtrTo(int64(443)), }) - c.AddTask(&awstasks.SecurityGroupRule{ - Name: fi.PtrTo(fmt.Sprintf("icmp-pmtu-elb-to-cp%s", suffix)), - Lifecycle: b.SecurityLifecycle, - FromPort: fi.PtrTo(int64(3)), - Protocol: fi.PtrTo("icmp"), - SecurityGroup: masterGroup.Task, - SourceGroup: lbSG, - ToPort: fi.PtrTo(int64(4)), - }) - c.AddTask(&awstasks.SecurityGroupRule{ - Name: fi.PtrTo(fmt.Sprintf("icmp-pmtu-cp%s-to-elb", suffix)), - Lifecycle: b.SecurityLifecycle, - FromPort: fi.PtrTo(int64(3)), - Protocol: fi.PtrTo("icmp"), - SecurityGroup: lbSG, - SourceGroup: masterGroup.Task, - ToPort: fi.PtrTo(int64(4)), - }) if b.Cluster.UsesNoneDNS() { c.AddTask(&awstasks.SecurityGroupRule{ Name: fi.PtrTo(fmt.Sprintf("kops-controller-elb-to-cp%s", suffix)), 
@@ -546,6 +536,45 @@ func (b *APILoadBalancerBuilder) Build(c *fi.CloudupModelBuilderContext) error { SourceGroup: lbSG, }) } + if b.Cluster.Spec.IsIPv6Only() { + c.AddTask(&awstasks.SecurityGroupRule{ + Name: fi.PtrTo(fmt.Sprintf("icmpv6-pmtu-elb-to-cp%s", suffix)), + Lifecycle: b.SecurityLifecycle, + FromPort: fi.PtrTo(int64(-1)), + Protocol: fi.PtrTo("icmpv6"), + SecurityGroup: masterGroup.Task, + SourceGroup: lbSG, + ToPort: fi.PtrTo(int64(-1)), + }) + c.AddTask(&awstasks.SecurityGroupRule{ + Name: fi.PtrTo(fmt.Sprintf("icmpv6-pmtu-cp%s-to-elb", suffix)), + Lifecycle: b.SecurityLifecycle, + FromPort: fi.PtrTo(int64(-1)), + Protocol: fi.PtrTo("icmpv6"), + SecurityGroup: lbSG, + SourceGroup: masterGroup.Task, + ToPort: fi.PtrTo(int64(-1)), + }) + } else { + c.AddTask(&awstasks.SecurityGroupRule{ + Name: fi.PtrTo(fmt.Sprintf("icmp-pmtu-elb-to-cp%s", suffix)), + Lifecycle: b.SecurityLifecycle, + FromPort: fi.PtrTo(int64(3)), + Protocol: fi.PtrTo("icmp"), + SecurityGroup: masterGroup.Task, + SourceGroup: lbSG, + ToPort: fi.PtrTo(int64(4)), + }) + c.AddTask(&awstasks.SecurityGroupRule{ + Name: fi.PtrTo(fmt.Sprintf("icmp-pmtu-cp%s-to-elb", suffix)), + Lifecycle: b.SecurityLifecycle, + FromPort: fi.PtrTo(int64(3)), + Protocol: fi.PtrTo("icmp"), + SecurityGroup: lbSG, + SourceGroup: masterGroup.Task, + ToPort: fi.PtrTo(int64(4)), + }) + } } } diff --git a/pkg/model/awsmodel/bastion.go b/pkg/model/awsmodel/bastion.go index a21281f18c061..e7d1f815eae2d 100644 --- a/pkg/model/awsmodel/bastion.go +++ b/pkg/model/awsmodel/bastion.go 
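Review bot: The two `icmpv6-pmtu-*` rules added for IPv6-only clusters set `FromPort` and `ToPort` to `-1`, which admits every ICMPv6 type and code between the load balancer and control-plane security groups, while the IPv4 branch stays scoped to `3`/`4`. The rule names promise path-MTU discovery only, so either narrow them to Packet Too Big (ICMPv6 type 2), if the security-group API accepts a type for this protocol, or state the wider scope next to the rule, e.g. `// -1/-1 allows every ICMPv6 type and code, not only Packet Too Big (type 2)`. The same applies to the `icmpv6-to-bastion` and `icmpv6-from-bastion` rules in the bastion.go hunk at -288. Build's body starts and ends outside these hunks.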
@@ -288,31 +288,60 @@ func (b *BastionModelBuilder) Build(c *fi.CloudupModelBuilderContext) error { } AddDirectionalGroupRule(c, t) } - { - suffix := bastionGroup.Suffix - t := &awstasks.SecurityGroupRule{ - Name: fi.PtrTo(fmt.Sprintf("icmp-to-bastion%s", suffix)), - Lifecycle: b.SecurityLifecycle, - SecurityGroup: bastionGroup.Task, - SourceGroup: lbSG, - Protocol: fi.PtrTo("icmp"), - FromPort: fi.PtrTo(int64(3)), - ToPort: fi.PtrTo(int64(4)), + if useIPv6ForBastion(b) { + { + suffix := bastionGroup.Suffix + t := &awstasks.SecurityGroupRule{ + Name: fi.PtrTo(fmt.Sprintf("icmpv6-to-bastion%s", suffix)), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: bastionGroup.Task, + SourceGroup: lbSG, + Protocol: fi.PtrTo("icmpv6"), + FromPort: fi.PtrTo(int64(-1)), + ToPort: fi.PtrTo(int64(-1)), + } + AddDirectionalGroupRule(c, t) } - AddDirectionalGroupRule(c, t) - } - { - suffix := bastionGroup.Suffix - t := &awstasks.SecurityGroupRule{ - Name: fi.PtrTo(fmt.Sprintf("icmp-from-bastion%s", suffix)), - Lifecycle: b.SecurityLifecycle, - SecurityGroup: lbSG, - SourceGroup: bastionGroup.Task, - Protocol: fi.PtrTo("icmp"), - FromPort: fi.PtrTo(int64(3)), - ToPort: fi.PtrTo(int64(4)), + { + suffix := bastionGroup.Suffix + t := &awstasks.SecurityGroupRule{ + Name: fi.PtrTo(fmt.Sprintf("icmpv6-from-bastion%s", suffix)), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: lbSG, + SourceGroup: bastionGroup.Task, + Protocol: fi.PtrTo("icmpv6"), + FromPort: fi.PtrTo(int64(-1)), + ToPort: fi.PtrTo(int64(-1)), + } + AddDirectionalGroupRule(c, t) + } + } else { + { + suffix := bastionGroup.Suffix + t := &awstasks.SecurityGroupRule{ + Name: fi.PtrTo(fmt.Sprintf("icmp-to-bastion%s", suffix)), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: bastionGroup.Task, + SourceGroup: lbSG, + Protocol: fi.PtrTo("icmp"), + FromPort: fi.PtrTo(int64(3)), + ToPort: fi.PtrTo(int64(4)), + } + AddDirectionalGroupRule(c, t) + } + { + suffix := bastionGroup.Suffix + t := &awstasks.SecurityGroupRule{ + Name: 
fi.PtrTo(fmt.Sprintf("icmp-from-bastion%s", suffix)), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: lbSG, + SourceGroup: bastionGroup.Task, + Protocol: fi.PtrTo("icmp"), + FromPort: fi.PtrTo(int64(3)), + ToPort: fi.PtrTo(int64(4)), + } + AddDirectionalGroupRule(c, t) } - AddDirectionalGroupRule(c, t) } } @@ -381,6 +410,7 @@ func (b *BastionModelBuilder) Build(c *fi.CloudupModelBuilderContext) error { Lifecycle: b.Lifecycle, VPC: b.LinkToVPC(), Tags: sshGroupTags, + IPAddressType: fi.PtrTo("ipv4"), Protocol: fi.PtrTo("TCP"), Port: fi.PtrTo(int64(22)), Attributes: groupAttrs, @@ -389,6 +419,9 @@ func (b *BastionModelBuilder) Build(c *fi.CloudupModelBuilderContext) error { UnhealthyThreshold: fi.PtrTo(int64(2)), Shared: fi.PtrTo(false), } + if useIPv6ForBastion(b) { + tg.IPAddressType = fi.PtrTo("ipv6") + } c.AddTask(tg) diff --git a/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_api.go b/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_api.go index 0a2d8d7dd3645..20efc5281247d 100644 --- a/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_api.go +++ b/upup/pkg/fi/cloudup/awstasks/launchtemplate_target_api.go @@ -38,6 +38,11 @@ func (t *LaunchTemplate) RenderAWS(c *awsup.AWSAPITarget, a, e, changes *LaunchT return err } + primaryIPv6 := false + if fi.ValueOf(t.IPv6AddressCount) > 0 { + primaryIPv6 = true + } + // @step: lets build the launch template data data := &ec2.RequestLaunchTemplateData{ DisableApiTermination: fi.PtrTo(false), @@ -55,6 +60,7 @@ func (t *LaunchTemplate) RenderAWS(c *awsup.AWSAPITarget, a, e, changes *LaunchT DeleteOnTermination: aws.Bool(true), DeviceIndex: fi.PtrTo(int64(0)), Ipv6AddressCount: t.IPv6AddressCount, + PrimaryIpv6: fi.PtrTo(primaryIPv6), }, }, } diff --git a/upup/pkg/fi/cloudup/awstasks/targetgroup.go b/upup/pkg/fi/cloudup/awstasks/targetgroup.go index 7d89f087ca09f..21da0a3c8728c 100644 --- a/upup/pkg/fi/cloudup/awstasks/targetgroup.go +++ b/upup/pkg/fi/cloudup/awstasks/targetgroup.go 
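Review bot: The flag setup for `primaryIPv6` in the launchtemplate_target_api.go hunk at -38 can be a single expression, `primaryIPv6 := fi.ValueOf(t.IPv6AddressCount) > 0`, instead of an assignment followed by an `if`. The hunk at -55 then sends `PrimaryIpv6` on every launch template, including IPv4-only ones where it is an explicit false. A short comment on why the primary IPv6 address is requested would help; presumably it is so that instances registered in an `ipv6` target group keep a stable address, but the patch does not say. RenderAWS continues outside both hunks.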
@@ -41,12 +41,13 @@ const ( // +kops:fitask type TargetGroup struct { - Name *string - Lifecycle fi.Lifecycle - VPC *VPC - Tags map[string]string - Port *int64 - Protocol *string + Name *string + Lifecycle fi.Lifecycle + VPC *VPC + Tags map[string]string + IPAddressType *string + Port *int64 + Protocol *string // ARN is the Amazon Resource Name for the Target Group ARN *string @@ -97,6 +98,7 @@ func (e *TargetGroup) Find(c *fi.CloudupContext) (*TargetGroup, error) { actual := &TargetGroup{ Name: tg.TargetGroupName, + IPAddressType: tg.IpAddressType, Port: tg.Port, Protocol: tg.Protocol, ARN: tg.TargetGroupArn, @@ -168,6 +170,9 @@ func (_ *TargetGroup) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *TargetGrou return nil } + // TODO: To fix the IPAddressType we need to recreate the TargetGroup. + // We can't delete the existing TargetGroup until it's unreferenced by the listener. + // You register targets for your Network Load Balancer with a target group. By default, the load balancer sends requests // to registered targets using the port and protocol that you specified for the target group. You can override this port // when you register each target with the target group. @@ -175,6 +180,7 @@ func (_ *TargetGroup) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *TargetGrou if a == nil { request := &elbv2.CreateTargetGroupInput{ Name: e.Name, + IpAddressType: e.IPAddressType, Port: e.Port, Protocol: e.Protocol, VpcId: e.VPC.ID, @@ -239,6 +245,7 @@ func (a OrderTargetGroupsByName) Less(i, j int) bool { type terraformTargetGroup struct { Name string `cty:"name"` + IPAddressType string `cty:"ip_address_type"` Port int64 `cty:"port"` Protocol string `cty:"protocol"` VPCID *terraformWriter.Literal `cty:"vpc_id"` 
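Review bot: The TODO added to RenderAWS in the hunk at -168 says an IPAddressType change needs the target group recreated, but nothing visible in the patch tells the operator when that case is hit. Find now fills `IPAddressType` from the live target group, so an existing IPv6 cluster whose groups were created as `ipv4` will presumably report a change on every run that the update path cannot apply. Until recreation is implemented, an explicit warning at this point would make the drift visible, e.g. `klog.Warningf("target group %q: IPAddressType cannot be changed without recreating it", fi.ValueOf(e.Name))`, assuming klog is already imported in this file. The update branch of RenderAWS is outside the hunk, so how the change is handled today should be confirmed there.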
@@ -266,11 +273,12 @@ func (_ *TargetGroup) RenderTerraform(t *terraform.TerraformTarget, a, e, change } tf := &terraformTargetGroup{ - Name: *e.Name, - Port: *e.Port, - Protocol: *e.Protocol, - VPCID: e.VPC.TerraformLink(), - Tags: e.Tags, + Name: *e.Name, + IPAddressType: *e.IPAddressType, + Port: *e.Port, + Protocol: *e.Protocol, + VPCID: e.VPC.TerraformLink(), + Tags: e.Tags, HealthCheck: terraformTargetGroupHealthCheck{ Interval: *e.Interval, HealthyThreshold: *e.HealthyThreshold, diff --git a/upup/pkg/fi/cloudup/new_cluster.go b/upup/pkg/fi/cloudup/new_cluster.go index 24d549bd8b511..728db1eb5f740 100644 --- a/upup/pkg/fi/cloudup/new_cluster.go +++ b/upup/pkg/fi/cloudup/new_cluster.go @@ -493,14 +493,6 @@ func NewCluster(opt *NewClusterOptions, clientset simple.Clientset) (*NewCluster if len(ig.Spec.Subnets) == 0 { return nil, fmt.Errorf("control-plane InstanceGroup %s did not specify any Subnets", g.ObjectMeta.Name) } - } else if ig.IsAPIServerOnly() && cluster.Spec.IsIPv6Only() { - if len(ig.Spec.Subnets) == 0 { - for _, subnet := range cluster.Spec.Networking.Subnets { - if subnet.Type != api.SubnetTypePrivate && subnet.Type != api.SubnetTypeUtility { - ig.Spec.Subnets = append(g.Spec.Subnets, subnet.Name) - } - } - } } else { if len(ig.Spec.Subnets) == 0 { for _, subnet := range cluster.Spec.Networking.Subnets { @@ -903,11 +895,7 @@ func setupControlPlane(opt *NewClusterOptions, cluster *api.Cluster, zoneToSubne default: // Use only the main subnet for control-plane nodes subnet := subnets[0] - if opt.IPv6 && opt.Topology == api.TopologyPrivate { - g.Spec.Subnets = append(g.Spec.Subnets, "dualstack-"+subnet.Name) - } else { - g.Spec.Subnets = append(g.Spec.Subnets, subnet.Name) - } + g.Spec.Subnets = append(g.Spec.Subnets, subnet.Name) } if cloudProvider == api.CloudProviderGCE || cloudProvider == api.CloudProviderAzure { 
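Review bot: `*e.IPAddressType` in RenderTerraform (hunk at -266) panics on a nil pointer for any TargetGroup task built without the new field, whereas the AWS path passes `e.IPAddressType` into CreateTargetGroupInput as a pointer and tolerates nil. The constructors visible in this patch (the API load balancer groups and the bastion group) all set it, but the field is new and nothing shown enforces it. Reading it with `fi.ValueOf(e.IPAddressType)`, or declaring the Terraform field as `*string`, avoids the dereference; which one is right depends on how the Terraform writer renders an empty string, so that should be checked. RenderTerraform's body extends beyond the hunk.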
diff --git a/upup/pkg/fi/cloudup/populate_instancegroup_spec.go b/upup/pkg/fi/cloudup/populate_instancegroup_spec.go index ddbed298cf798..00e96ac427438 100644 --- a/upup/pkg/fi/cloudup/populate_instancegroup_spec.go +++ b/upup/pkg/fi/cloudup/populate_instancegroup_spec.go @@ -157,14 +157,6 @@ func PopulateInstanceGroupSpec(cluster *kops.Cluster, input *kops.InstanceGroup, if len(ig.Spec.Subnets) == 0 { return nil, fmt.Errorf("control-plane InstanceGroup %s did not specify any Subnets", ig.ObjectMeta.Name) } - } else if ig.IsAPIServerOnly() && cluster.Spec.IsIPv6Only() { - if len(ig.Spec.Subnets) == 0 { - for _, subnet := range cluster.Spec.Networking.Subnets { - if subnet.Type != kops.SubnetTypePrivate && subnet.Type != kops.SubnetTypeUtility { - ig.Spec.Subnets = append(ig.Spec.Subnets, subnet.Name) - } - } - } } else { if len(ig.Spec.Subnets) == 0 { for _, subnet := range cluster.Spec.Networking.Subnets { From ab4df0f42b35e731e49ee456ebb39c6d09f91bf3 Mon Sep 17 00:00:00 2001 
From: John Gardiner Myers Date: Mon, 2 Oct 2023 21:34:29 -0700 Subject: [PATCH 2/2] hack/update-expected.sh --- .../ipv6/expected-v1alpha2.yaml | 2 +- .../bastionadditional_user-data/kubernetes.tf | 7 ++-- .../update_cluster/complex/kubernetes.tf | 14 ++++--- .../minimal-dns-none/kubernetes.tf | 14 ++++--- .../minimal-ipv6-calico/kubernetes.tf | 41 ++++++++++--------- .../minimal-ipv6-cilium/kubernetes.tf | 41 ++++++++++--------- .../kubernetes.tf | 41 ++++++++++--------- .../update_cluster/minimal-ipv6/kubernetes.tf | 41 ++++++++++--------- .../private-shared-ip/kubernetes.tf | 7 ++-- .../private-shared-subnet/kubernetes.tf | 7 ++-- .../privatecalico/kubernetes.tf | 7 ++-- .../update_cluster/privatecanal/kubernetes.tf | 7 ++-- .../privatecilium-eni/kubernetes.tf | 7 ++-- .../privatecilium/kubernetes.tf | 7 ++-- .../privatecilium2/kubernetes.tf | 7 ++-- .../privateciliumadvanced/kubernetes.tf | 7 ++-- .../update_cluster/privatedns1/kubernetes.tf | 7 ++-- .../update_cluster/privatedns2/kubernetes.tf | 7 ++-- .../privateflannel/kubernetes.tf | 7 ++-- .../privatekopeio/kubernetes.tf | 7 ++-- .../shared_vpc_ipv6/kubernetes.tf | 41 ++++++++++--------- .../update_cluster/unmanaged/kubernetes.tf | 7 ++-- 22 files changed, 178 insertions(+), 155 deletions(-) diff --git a/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml b/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml index 6e869b192bac5..d6d4524afa4d1 100644 --- a/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml +++ b/tests/integration/create_cluster/ipv6/expected-v1alpha2.yaml @@ -87,7 +87,7 @@ spec: minSize: 1 role: Master subnets: - - dualstack-us-test-1a + - us-test-1a --- diff --git a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf index 0209bd70b9913..5143fb357dcdf 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf 
+++ b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf @@ -803,9 +803,10 @@ resource "aws_lb_target_group" "bastion-bastionuserdata-e-4grhsv" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-bastionuserdata-e-4grhsv" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-bastionuserdata-e-4grhsv" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "bastionuserdata.example.com" "Name" = "bastion-bastionuserdata-e-4grhsv" diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf index 5c65a98dd0be4..68ccd5de2e4f4 100644 --- a/tests/integration/update_cluster/complex/kubernetes.tf +++ b/tests/integration/update_cluster/complex/kubernetes.tf @@ -683,9 +683,10 @@ resource "aws_lb_target_group" "tcp-complex-example-com-vpjolq" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tcp-complex-example-com-vpjolq" - port = 443 - protocol = "TCP" + ip_address_type = "ipv4" + name = "tcp-complex-example-com-vpjolq" + port = 443 + protocol = "TCP" tags = { "KubernetesCluster" = "complex.example.com" "Name" = "tcp-complex-example-com-vpjolq" @@ -705,9 +706,10 @@ resource "aws_lb_target_group" "tls-complex-example-com-5nursn" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tls-complex-example-com-5nursn" - port = 443 - protocol = "TLS" + ip_address_type = "ipv4" + name = "tls-complex-example-com-5nursn" + port = 443 + protocol = "TLS" tags = { "KubernetesCluster" = "complex.example.com" "Name" = "tls-complex-example-com-5nursn" diff --git a/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf b/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf index 8e833de33901d..a46c7f3083daf 100644 --- a/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf +++ b/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf 
@@ -612,9 +612,10 @@ resource "aws_lb_target_group" "kops-controller-minimal-e-uvauf3" { protocol = "TCP" unhealthy_threshold = 2 } - name = "kops-controller-minimal-e-uvauf3" - port = 3988 - protocol = "TCP" + ip_address_type = "ipv4" + name = "kops-controller-minimal-e-uvauf3" + port = 3988 + protocol = "TCP" tags = { "KubernetesCluster" = "minimal.example.com" "Name" = "kops-controller-minimal-e-uvauf3" @@ -632,9 +633,10 @@ resource "aws_lb_target_group" "tcp-minimal-example-com-5905t8" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tcp-minimal-example-com-5905t8" - port = 443 - protocol = "TCP" + ip_address_type = "ipv4" + name = "tcp-minimal-example-com-5905t8" + port = 443 + protocol = "TCP" tags = { "KubernetesCluster" = "minimal.example.com" "Name" = "tcp-minimal-example-com-5905t8" diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf index 2576479b16c98..8be40a7c9dbd7 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf +++ b/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf @@ -652,9 +652,10 @@ resource "aws_lb_target_group" "tcp-minimal-ipv6-example--bne5ih" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tcp-minimal-ipv6-example--bne5ih" - port = 443 - protocol = "TCP" + ip_address_type = "ipv6" + name = "tcp-minimal-ipv6-example--bne5ih" + port = 443 + protocol = "TCP" tags = { "KubernetesCluster" = "minimal-ipv6.example.com" "Name" = "tcp-minimal-ipv6-example--bne5ih" 
@@ -1212,33 +1213,33 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { + from_port = -1 + ipv6_cidr_blocks = ["::/0"] + protocol = "icmpv6" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = -1 + type = "ingress" +} + +resource "aws_security_group_rule" "icmpv6-pmtu-cp-to-elb" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-elb-to-cp" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { - from_port = -1 - ipv6_cidr_blocks = ["::/0"] - protocol = "icmpv6" - security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = -1 - type = "ingress" -} - resource "aws_sqs_queue" "minimal-ipv6-example-com-nth" { message_retention_seconds = 300 name = "minimal-ipv6-example-com-nth" diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf index b95b25f989bed..142a894c1e905 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf 
@@ -652,9 +652,10 @@ resource "aws_lb_target_group" "tcp-minimal-ipv6-example--bne5ih" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tcp-minimal-ipv6-example--bne5ih" - port = 443 - protocol = "TCP" + ip_address_type = "ipv6" + name = "tcp-minimal-ipv6-example--bne5ih" + port = 443 + protocol = "TCP" tags = { "KubernetesCluster" = "minimal-ipv6.example.com" "Name" = "tcp-minimal-ipv6-example--bne5ih" @@ -1203,33 +1204,33 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { + from_port = -1 + ipv6_cidr_blocks = ["::/0"] + protocol = "icmpv6" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = -1 + type = "ingress" +} + +resource "aws_security_group_rule" "icmpv6-pmtu-cp-to-elb" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-elb-to-cp" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { - from_port = -1 - ipv6_cidr_blocks = ["::/0"] - protocol = "icmpv6" - security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = -1 - type = "ingress" -} - resource "aws_sqs_queue" "minimal-ipv6-example-com-nth" { message_retention_seconds = 300 name = "minimal-ipv6-example-com-nth" 
diff --git a/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf index c22b297be92fe..ae7bc5b3d5f3b 100644 --- a/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf +++ b/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf @@ -652,9 +652,10 @@ resource "aws_lb_target_group" "tcp-minimal-ipv6-example--bne5ih" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tcp-minimal-ipv6-example--bne5ih" - port = 443 - protocol = "TCP" + ip_address_type = "ipv6" + name = "tcp-minimal-ipv6-example--bne5ih" + port = 443 + protocol = "TCP" tags = { "KubernetesCluster" = "minimal-ipv6.example.com" "Name" = "tcp-minimal-ipv6-example--bne5ih" 
@@ -1195,33 +1196,33 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { + from_port = -1 + ipv6_cidr_blocks = ["::/0"] + protocol = "icmpv6" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = -1 + type = "ingress" +} + +resource "aws_security_group_rule" "icmpv6-pmtu-cp-to-elb" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-elb-to-cp" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { - from_port = -1 - ipv6_cidr_blocks = ["::/0"] - protocol = "icmpv6" - security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = -1 - type = "ingress" -} - resource "aws_sqs_queue" "minimal-ipv6-example-com-nth" { message_retention_seconds = 300 name = "minimal-ipv6-example-com-nth" diff --git a/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf index daf244dc4dd32..1892b7ca8e687 100644 --- a/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf +++ b/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf 
@@ -652,9 +652,10 @@ resource "aws_lb_target_group" "tcp-minimal-ipv6-example--bne5ih" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tcp-minimal-ipv6-example--bne5ih" - port = 443 - protocol = "TCP" + ip_address_type = "ipv6" + name = "tcp-minimal-ipv6-example--bne5ih" + port = 443 + protocol = "TCP" tags = { "KubernetesCluster" = "minimal-ipv6.example.com" "Name" = "tcp-minimal-ipv6-example--bne5ih" @@ -1195,33 +1196,33 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { + from_port = -1 + ipv6_cidr_blocks = ["::/0"] + protocol = "icmpv6" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = -1 + type = "ingress" +} + +resource "aws_security_group_rule" "icmpv6-pmtu-cp-to-elb" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-elb-to-cp" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { - from_port = -1 - ipv6_cidr_blocks = ["::/0"] - protocol = "icmpv6" - security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = -1 - type = "ingress" -} - resource "aws_sqs_queue" "minimal-ipv6-example-com-nth" { message_retention_seconds = 300 name = "minimal-ipv6-example-com-nth" 
diff --git a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf index 8675c58304676..7e77fd5b81020 100644 --- a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf @@ -784,9 +784,10 @@ resource "aws_lb_target_group" "bastion-private-shared-ip-eepmph" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-private-shared-ip-eepmph" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-private-shared-ip-eepmph" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "private-shared-ip.example.com" "Name" = "bastion-private-shared-ip-eepmph" diff --git a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf index 3b48357183ffd..191506ad01552 100644 --- a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf @@ -779,9 +779,10 @@ resource "aws_lb_target_group" "bastion-private-shared-su-5ol32q" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-private-shared-su-5ol32q" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-private-shared-su-5ol32q" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "private-shared-subnet.example.com" "Name" = "bastion-private-shared-su-5ol32q" diff --git a/tests/integration/update_cluster/privatecalico/kubernetes.tf b/tests/integration/update_cluster/privatecalico/kubernetes.tf index 2c23d1615dd17..795efe7b91e39 100644 --- a/tests/integration/update_cluster/privatecalico/kubernetes.tf +++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf 
@@ -798,9 +798,10 @@ resource "aws_lb_target_group" "bastion-privatecalico-exa-hocohm" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatecalico-exa-hocohm" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatecalico-exa-hocohm" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatecalico.example.com" "Name" = "bastion-privatecalico-exa-hocohm" diff --git a/tests/integration/update_cluster/privatecanal/kubernetes.tf b/tests/integration/update_cluster/privatecanal/kubernetes.tf index 84cdfc2927e7f..35cea0fc644d2 100644 --- a/tests/integration/update_cluster/privatecanal/kubernetes.tf +++ b/tests/integration/update_cluster/privatecanal/kubernetes.tf @@ -802,9 +802,10 @@ resource "aws_lb_target_group" "bastion-privatecanal-exam-hmhsp5" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatecanal-exam-hmhsp5" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatecanal-exam-hmhsp5" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatecanal.example.com" "Name" = "bastion-privatecanal-exam-hmhsp5" diff --git a/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf b/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf index 71e93ebb1dd28..106adc352e7d7 100644 --- a/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf +++ b/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf @@ -802,9 +802,10 @@ resource "aws_lb_target_group" "bastion-privatecilium-exa-l2ms01" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatecilium-exa-l2ms01" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatecilium-exa-l2ms01" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatecilium.example.com" "Name" = "bastion-privatecilium-exa-l2ms01" 
diff --git a/tests/integration/update_cluster/privatecilium/kubernetes.tf b/tests/integration/update_cluster/privatecilium/kubernetes.tf index 71e93ebb1dd28..106adc352e7d7 100644 --- a/tests/integration/update_cluster/privatecilium/kubernetes.tf +++ b/tests/integration/update_cluster/privatecilium/kubernetes.tf @@ -802,9 +802,10 @@ resource "aws_lb_target_group" "bastion-privatecilium-exa-l2ms01" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatecilium-exa-l2ms01" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatecilium-exa-l2ms01" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatecilium.example.com" "Name" = "bastion-privatecilium-exa-l2ms01" diff --git a/tests/integration/update_cluster/privatecilium2/kubernetes.tf b/tests/integration/update_cluster/privatecilium2/kubernetes.tf index 6b22a6111e479..53226945b5be5 100644 --- a/tests/integration/update_cluster/privatecilium2/kubernetes.tf +++ b/tests/integration/update_cluster/privatecilium2/kubernetes.tf @@ -802,9 +802,10 @@ resource "aws_lb_target_group" "bastion-privatecilium-exa-l2ms01" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatecilium-exa-l2ms01" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatecilium-exa-l2ms01" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatecilium.example.com" "Name" = "bastion-privatecilium-exa-l2ms01" diff --git a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf index 5ae576329e2c7..4a845998870b7 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf +++ b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf 
@@ -819,9 +819,10 @@ resource "aws_lb_target_group" "bastion-privateciliumadva-0jni40" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privateciliumadva-0jni40" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privateciliumadva-0jni40" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privateciliumadvanced.example.com" "Name" = "bastion-privateciliumadva-0jni40" diff --git a/tests/integration/update_cluster/privatedns1/kubernetes.tf b/tests/integration/update_cluster/privatedns1/kubernetes.tf index 7cb63a4d39dc1..c1fa916ce6803 100644 --- a/tests/integration/update_cluster/privatedns1/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns1/kubernetes.tf @@ -884,9 +884,10 @@ resource "aws_lb_target_group" "bastion-privatedns1-examp-mbgbef" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatedns1-examp-mbgbef" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatedns1-examp-mbgbef" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatedns1.example.com" "Name" = "bastion-privatedns1-examp-mbgbef" diff --git a/tests/integration/update_cluster/privatedns2/kubernetes.tf b/tests/integration/update_cluster/privatedns2/kubernetes.tf index 0338a1d005846..790e3e9cbebf1 100644 --- a/tests/integration/update_cluster/privatedns2/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns2/kubernetes.tf @@ -793,9 +793,10 @@ resource "aws_lb_target_group" "bastion-privatedns2-examp-e704o2" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatedns2-examp-e704o2" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatedns2-examp-e704o2" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatedns2.example.com" "Name" = "bastion-privatedns2-examp-e704o2" 
diff --git a/tests/integration/update_cluster/privateflannel/kubernetes.tf b/tests/integration/update_cluster/privateflannel/kubernetes.tf index d835b398c5b11..83a7ff7c7b187 100644 --- a/tests/integration/update_cluster/privateflannel/kubernetes.tf +++ b/tests/integration/update_cluster/privateflannel/kubernetes.tf @@ -802,9 +802,10 @@ resource "aws_lb_target_group" "bastion-privateflannel-ex-753531" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privateflannel-ex-753531" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privateflannel-ex-753531" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privateflannel.example.com" "Name" = "bastion-privateflannel-ex-753531" diff --git a/tests/integration/update_cluster/privatekopeio/kubernetes.tf b/tests/integration/update_cluster/privatekopeio/kubernetes.tf index dc839f69b247b..2888ce2d360ed 100644 --- a/tests/integration/update_cluster/privatekopeio/kubernetes.tf +++ b/tests/integration/update_cluster/privatekopeio/kubernetes.tf @@ -811,9 +811,10 @@ resource "aws_lb_target_group" "bastion-privatekopeio-exa-d8ef8e" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-privatekopeio-exa-d8ef8e" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-privatekopeio-exa-d8ef8e" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "privatekopeio.example.com" "Name" = "bastion-privatekopeio-exa-d8ef8e" diff --git a/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf b/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf index cab1d640feb94..cd8f40bcee657 100644 --- a/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf +++ b/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf 
@@ -634,9 +634,10 @@ resource "aws_lb_target_group" "tcp-minimal-ipv6-example--bne5ih" { protocol = "TCP" unhealthy_threshold = 2 } - name = "tcp-minimal-ipv6-example--bne5ih" - port = 443 - protocol = "TCP" + ip_address_type = "ipv6" + name = "tcp-minimal-ipv6-example--bne5ih" + port = 443 + protocol = "TCP" tags = { "KubernetesCluster" = "minimal-ipv6.example.com" "Name" = "tcp-minimal-ipv6-example--bne5ih" @@ -1177,33 +1178,33 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { + from_port = -1 + ipv6_cidr_blocks = ["::/0"] + protocol = "icmpv6" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = -1 + type = "ingress" +} + +resource "aws_security_group_rule" "icmpv6-pmtu-cp-to-elb" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { - from_port = 3 - protocol = "icmp" +resource "aws_security_group_rule" "icmpv6-pmtu-elb-to-cp" { + from_port = -1 + protocol = "icmpv6" security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = 4 + to_port = -1 type = "ingress" } -resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { - from_port = -1 - ipv6_cidr_blocks = ["::/0"] - protocol = "icmpv6" - security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id - to_port = -1 - type = "ingress" -} - resource "aws_sqs_queue" "minimal-ipv6-example-com-nth" { message_retention_seconds = 300 name = "minimal-ipv6-example-com-nth" 
diff --git a/tests/integration/update_cluster/unmanaged/kubernetes.tf b/tests/integration/update_cluster/unmanaged/kubernetes.tf index 70b6f3f850ace..be65806f6ccbe 100644 --- a/tests/integration/update_cluster/unmanaged/kubernetes.tf +++ b/tests/integration/update_cluster/unmanaged/kubernetes.tf @@ -787,9 +787,10 @@ resource "aws_lb_target_group" "bastion-unmanaged-example-d7bn3d" { protocol = "TCP" unhealthy_threshold = 2 } - name = "bastion-unmanaged-example-d7bn3d" - port = 22 - protocol = "TCP" + ip_address_type = "ipv4" + name = "bastion-unmanaged-example-d7bn3d" + port = 22 + protocol = "TCP" tags = { "KubernetesCluster" = "unmanaged.example.com" "Name" = "bastion-unmanaged-example-d7bn3d"