Make VPN-only subnets private #163
Conversation
2bc5e5e to 7d561ea
Thanks for the PR. Some notes:
- The netmask package has not been updated in 3 years, so this worries me a bit - though we're not doing anything complex with it, theoretically it could be fine for this use case.
- Is detecting if the route is in a private CIDR range the only qualifier we can use here? cc @lukehoban @pgavlin
- Can we add any supporting tests for this?
Agreed, based on docs I've seen I don't see what else we leverage to detect this, but I don't know enough about VPC personal gateways to glean if only detecting private CIDRs is enough. Hoping Luke or Pat can add some more insight.
Yes - an integration test in
Slightly separate from this immediate PR - I do wonder if we can/should get rid of all this logic that tries to "guess" the subset of the subnets to use. It seems we should just ask users to tell us. And in general, users already do today either pass I really can't recall why we added all this complexity. I think it was because the old
Yes, this was essentially a consequence of the awsinfra.Network API. Is there any way we can do a quick poll to find out how many folks are passing on a mixed set of subnets here?
@lblackstone any updates by chance per Luke's comments?
@metral No, I was partway through figuring out if there was a way to remove this logic and then got sidetracked. Do we want to go ahead and merge this change, and then figure out how to simplify the process separately?
If this will be short-lived anyways, then we should probably just skip on this PR, and follow Luke's suggestion to be reliant on the user deliberately specifying which subnet they want to run in, versus us guessing as the logic is currently doing.
@lukehoban WDYT about deprecating publicSubnetIds and privateSubnetIds? (pulumi-eks/nodejs/eks/cluster.ts, lines 336 to 342 in 19c8dfb)
I actually do think we should take this fix as is. And then open a new issue to track making a breaking change to simplify this. There is some subtlety to that discussion - so should probably have it separately of this tactical issue.
Will do; thanks for clarifying.
The previous logic did not properly detect VPN-only subnets, and erroneously assigned them to the public group. This fix properly detects if the CIDR block is in a private range, and adds that subnet to the private list.
7d561ea to 67d069b
LGTM
The previous logic did not properly detect VPN-only subnets, and erroneously assigned them to the public group. This fix properly detects if the CIDR block is in a private range, and adds that subnet to the private list.
Fixes #151
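As an added example (not pulumi-eks's code), this is the private-range test the commit message describes, written with plain IPv4 arithmetic against the RFC 1918 ranges so the netmask package the reviewer was uneasy about is not needed, plus the public/private grouping over a constructed list of subnets. Which CIDR is fed to the test (the subnet's own block or a route destination, as the thread discusses) is left to the caller; the subnet ids and blocks below are made up.

```typescript
// Added example, not pulumi-eks code: decide whether a CIDR block lies wholly
// inside an RFC 1918 private range, using plain IPv4 arithmetic instead of the
// netmask package, then group subnet ids the way the cluster logic expects.
const RFC1918_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];
interface Cidr { base: number; prefix: number; }
interface Subnet { id: string; cidr: string; }

// Netmask for a prefix length as an unsigned 32-bit value; prefix 0 is special
// because JavaScript shift counts are taken modulo 32.
function prefixMask(prefix: number): number {
    return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}

function parseCidr(cidr: string): Cidr {
    const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
    if (!m) throw new Error(`invalid CIDR: ${cidr}`);
    const a = Number(m[1]), b = Number(m[2]), c = Number(m[3]), d = Number(m[4]);
    const prefix = Number(m[5]);
    if ([a, b, c, d].some((x) => x > 255) || prefix > 32) throw new Error(`invalid CIDR: ${cidr}`);
    const addr = ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
    // Normalise to the network address so "10.0.1.7/24" equals "10.0.1.0/24".
    return { base: (addr & prefixMask(prefix)) >>> 0, prefix };
}

// True when every address in `inner` is also in `outer` (a /7 is not inside 10/8).
function cidrContains(outer: Cidr, inner: Cidr): boolean {
    return inner.prefix >= outer.prefix &&
        ((inner.base & prefixMask(outer.prefix)) >>> 0) === outer.base;
}

function isPrivateCidr(cidr: string): boolean {
    const block = parseCidr(cidr);
    return RFC1918_RANGES.some((r) => cidrContains(parseCidr(r), block));
}

// The caller decides which CIDR to test (subnet block or route destination);
// this only performs the private/public split on that value.
function classifySubnets(subnets: Subnet[]): { publicSubnetIds: string[]; privateSubnetIds: string[] } {
    const publicSubnetIds: string[] = [];
    const privateSubnetIds: string[] = [];
    for (const s of subnets) {
        (isPrivateCidr(s.cidr) ? privateSubnetIds : publicSubnetIds).push(s.id);
    }
    return { publicSubnetIds, privateSubnetIds };
}

// Constructed sample input; ids and blocks are made up for the demonstration.
const SAMPLE_SUBNETS: Subnet[] = [
    { id: "subnet-vpn-only", cidr: "10.0.1.0/24" },
    { id: "subnet-public", cidr: "203.0.113.0/24" },
    { id: "subnet-not-1918", cidr: "172.32.0.0/16" },
];
console.log(classifySubnets(SAMPLE_SUBNETS));
```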