From 8b33fce6a9861114013923bf212dd0fd354dd49f Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Wed, 13 Nov 2024 14:45:54 -0500 Subject: [PATCH 01/18] feat: (PSKD-814) Default K8s version is 1.30, add support for 1.31 Update K8s default to 1.30 in example files Signed-off-by: David.Houck --- examples/sample-input-byo.tfvars | 2 +- examples/sample-input-connect.tfvars | 2 +- examples/sample-input-custom-data.tfvars | 2 +- examples/sample-input-gpu.tfvars | 2 +- examples/sample-input-ha.tfvars | 2 +- examples/sample-input-minimal.tfvars | 2 +- examples/sample-input-singlestore.tfvars | 2 +- examples/sample-input.tfvars | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/sample-input-byo.tfvars b/examples/sample-input-byo.tfvars index 4d51be85..4480b756 100644 --- a/examples/sample-input-byo.tfvars +++ b/examples/sample-input-byo.tfvars @@ -37,7 +37,7 @@ postgres_servers = { } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 2 default_nodepool_vm_type = "m5.2xlarge" default_nodepool_custom_data = "" diff --git a/examples/sample-input-connect.tfvars b/examples/sample-input-connect.tfvars index 04d178e1..09a03035 100644 --- a/examples/sample-input-connect.tfvars +++ b/examples/sample-input-connect.tfvars @@ -27,7 +27,7 @@ postgres_servers = { } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 2 default_nodepool_vm_type = "m5.2xlarge" default_nodepool_custom_data = "" diff --git a/examples/sample-input-custom-data.tfvars b/examples/sample-input-custom-data.tfvars index 4de8346b..640990dc 100644 --- a/examples/sample-input-custom-data.tfvars +++ b/examples/sample-input-custom-data.tfvars @@ -27,7 +27,7 @@ postgres_servers = { } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 2 default_nodepool_vm_type = "m5.2xlarge" default_nodepool_custom_data = "" 
diff --git a/examples/sample-input-gpu.tfvars b/examples/sample-input-gpu.tfvars index a47a493d..2e1de0b7 100644 --- a/examples/sample-input-gpu.tfvars +++ b/examples/sample-input-gpu.tfvars @@ -27,7 +27,7 @@ postgres_servers = { } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 2 default_nodepool_vm_type = "m5.2xlarge" default_nodepool_custom_data = "" diff --git a/examples/sample-input-ha.tfvars b/examples/sample-input-ha.tfvars index 587c6be2..5bbe63ec 100644 --- a/examples/sample-input-ha.tfvars +++ b/examples/sample-input-ha.tfvars @@ -27,7 +27,7 @@ postgres_servers = { } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 2 default_nodepool_vm_type = "m5.2xlarge" default_nodepool_custom_data = "" diff --git a/examples/sample-input-minimal.tfvars b/examples/sample-input-minimal.tfvars index 3d36f70c..592ea798 100644 --- a/examples/sample-input-minimal.tfvars +++ b/examples/sample-input-minimal.tfvars @@ -27,7 +27,7 @@ tags = {} # e.g., { "key1" = "value1", "key2" = "value2" } # } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 1 default_nodepool_vm_type = "m5.large" default_nodepool_custom_data = "" diff --git a/examples/sample-input-singlestore.tfvars b/examples/sample-input-singlestore.tfvars index cd4b5baa..7d3fef4e 100644 --- a/examples/sample-input-singlestore.tfvars +++ b/examples/sample-input-singlestore.tfvars @@ -27,7 +27,7 @@ postgres_servers = { } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 2 default_nodepool_vm_type = "m5.2xlarge" default_nodepool_custom_data = "" diff --git a/examples/sample-input.tfvars b/examples/sample-input.tfvars index 656f1b04..df70cd60 100644 --- a/examples/sample-input.tfvars +++ b/examples/sample-input.tfvars 
@@ -27,7 +27,7 @@ postgres_servers = { } ## Cluster config -kubernetes_version = "1.29" +kubernetes_version = "1.30" default_nodepool_node_count = 2 default_nodepool_vm_type = "m5.2xlarge" default_nodepool_custom_data = "" From 1d1ab777e26c2ecf35e6b9e3b10c60418090055e Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Wed, 13 Nov 2024 15:35:57 -0500 Subject: [PATCH 02/18] Update default K8s version variable, update kubectl, k8s version document refs Signed-off-by: David.Houck --- README.md | 2 +- docs/CONFIG-VARS.md | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3a317d99..6187ccfd 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ The following are also required: #### Terraform Requirements: - [Terraform](https://www.terraform.io/downloads.html) v1.9.6 -- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.29.8 +- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.30.6 - [jq](https://stedolan.github.io/jq/) v1.6 - [AWS CLI](https://aws.amazon.com/cli) (optional; useful as an alternative to the AWS Web Console) v2.17.58 diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md index 5e736322..19420fd9 100644 --- a/docs/CONFIG-VARS.md +++ b/docs/CONFIG-VARS.md @@ -257,7 +257,7 @@ Custom policy: |
Name
|
Description
|
Type
|
Default
|
Notes
| | :--- | :--- | :--- | :--- | :--- | | create_static_kubeconfig | Allows the user to create a provider- or service account-based kubeconfig file | bool | true | A value of `false` defaults to using the cloud provider's mechanism for generating the kubeconfig file. A value of `true` creates a static kubeconfig that uses a service account and cluster role binding to provide credentials. | -| kubernetes_version | The EKS cluster Kubernetes version | string | "1.29" | | +| kubernetes_version | The EKS cluster Kubernetes version | string | "1.30" | | | create_jump_vm | Create bastion host (jump VM) | bool | true| | | create_jump_public_ip | Add public IP address to jump VM | bool | true | | | jump_vm_admin | OS admin user for the jump VM | string | "jumpuser" | | diff --git a/variables.tf b/variables.tf index afb628c0..713867ca 100644 --- a/variables.tf +++ b/variables.tf @@ -149,7 +149,7 @@ variable "efs_throughput_rate" { variable "kubernetes_version" { description = "The EKS cluster Kubernetes version." type = string - default = "1.29" + default = "1.30" } variable "tags" { From 24bcbbc0b84a0cd83dbdb87321675d93810d41ea Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Wed, 13 Nov 2024 15:53:26 -0500 Subject: [PATCH 03/18] TFlint: Use "call_module_type" instead Signed-off-by: David.Houck --- linting-configs/.tflint.hcl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/linting-configs/.tflint.hcl b/linting-configs/.tflint.hcl index 3c7aca71..98e99f74 100644 --- a/linting-configs/.tflint.hcl +++ b/linting-configs/.tflint.hcl @@ -8,7 +8,8 @@ # For more information on TFlint Ruleset for AWS, see https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/docs/rules/README.md config { - module = false + # Enables module inspection + call_module_type = "all" } plugin "aws" { From eef1b9be07593a30998cab070a47c2c2b8e780b6 Mon Sep 17 00:00:00 2001 
From: "David.Houck" Date: Wed, 13 Nov 2024 17:14:59 -0500 Subject: [PATCH 04/18] Update aws tlfint rulese version, seed with recommended rules Signed-off-by: David.Houck --- linting-configs/.tflint.hcl | 37 ++++++------------------------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/linting-configs/.tflint.hcl b/linting-configs/.tflint.hcl index 98e99f74..3b4c4db3 100644 --- a/linting-configs/.tflint.hcl +++ b/linting-configs/.tflint.hcl @@ -14,12 +14,13 @@ config { plugin "aws" { enabled = true - version = "0.27.0" + version = "0.34.0" source = "github.com/terraform-linters/tflint-ruleset-aws" } plugin "terraform" { enabled = true + preset = "recommended" } # Disallow // comments in favor of #. @@ -55,39 +56,13 @@ rule "terraform_module_pinned_source" { # Checks that Terraform modules sourced from a registry specify a version. rule "terraform_module_version" { enabled = true + preset = "recommended" } -# Enforces naming conventions +## Enforces naming conventions rule "terraform_naming_convention" { - enabled = true - custom = "^([a-zA-Z0-9])+([_-][a-zA-Z0-9]+)*$" - -#Require specific naming structure - -# variable { -# format = "snake_case" -# } - -# locals { -# format = "snake_case" -# } - -# output { -# format = "snake_case" -# } - -#Allow any format -# resource { -# format = "none" -# } - -# module { -# format = "none" -# } - -# data { -# format = "none" -# } + enabled = false +# custom = "^([a-zA-Z0-9])+([_-][a-zA-Z0-9]+)*$" } From 7d10e7ea561f1f64718dd1bd378522b412876fa1 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Wed, 13 Nov 2024 17:43:03 -0500 Subject: [PATCH 05/18] Add addtnl terraform init folders, fix .tflint.hcl syntax error Signed-off-by: David.Houck --- .github/workflows/linter-analysis.yaml | 4 ++++ linting-configs/.tflint.hcl | 1 - 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/linter-analysis.yaml b/.github/workflows/linter-analysis.yaml index b4454d04..35d3e6d3 100644 
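Review bot: In the second hunk the heading `## Enforces naming conventions` now sits directly above `rule "terraform_naming_convention"` with `enabled = false`, so the comment states the opposite of what the block does and a reader skimming the file will assume names are still being checked. Reword it to `# Naming convention rule disabled; the custom pattern is kept below for reference` and keep the commented-out `custom = ...` line under it. If the intent is to re-enable the rule later, a short line saying why it is off (noise from the existing resource names, for example) would save the next maintainer from guessing.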
--- a/.github/workflows/linter-analysis.yaml +++ b/.github/workflows/linter-analysis.yaml @@ -59,7 +59,11 @@ jobs: - name: Initializing modules run: | terraform -chdir=modules/aws_autoscaling init + terraform -chdir=modules/aws_fsx_ontap init terraform -chdir=modules/aws_ebs_csi init + terraform -chdir=modules/aws_vm init + terraform -chdir=modules/aws_vpc init + terraform -chdir=modules/kubeconfig init - name: Initializing TFLint run: TFLINT_LOG=info tflint --init -c "$(pwd)/linting-configs/.tflint.hcl" diff --git a/linting-configs/.tflint.hcl b/linting-configs/.tflint.hcl index 3b4c4db3..9ea4473a 100644 --- a/linting-configs/.tflint.hcl +++ b/linting-configs/.tflint.hcl @@ -56,7 +56,6 @@ rule "terraform_module_pinned_source" { # Checks that Terraform modules sourced from a registry specify a version. rule "terraform_module_version" { enabled = true - preset = "recommended" } ## Enforces naming conventions From ebdc205e63f8cbaa34ced6a2859bb0c94961b4ba Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Wed, 13 Nov 2024 17:48:26 -0500 Subject: [PATCH 06/18] Add tflint --recursive --init Signed-off-by: David.Houck --- .github/workflows/linter-analysis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linter-analysis.yaml b/.github/workflows/linter-analysis.yaml index 35d3e6d3..92adbf0b 100644 --- a/.github/workflows/linter-analysis.yaml +++ b/.github/workflows/linter-analysis.yaml @@ -66,7 +66,7 @@ jobs: terraform -chdir=modules/kubeconfig init - name: Initializing TFLint - run: TFLINT_LOG=info tflint --init -c "$(pwd)/linting-configs/.tflint.hcl" + run: TFLINT_LOG=info tflint --recursive --init -c "$(pwd)/linting-configs/.tflint.hcl" - name: Run TFLint Action run: TFLINT_LOG=info tflint -c "$(pwd)/linting-configs/.tflint.hcl" --recursive From bed2f03682d0a73a83474ead873b960566b1fe7e Mon Sep 17 00:00:00 2001 
From: "David.Houck" Date: Wed, 13 Nov 2024 17:57:22 -0500 Subject: [PATCH 07/18] for tflint: terraform init top level folder Signed-off-by: David.Houck --- .github/workflows/linter-analysis.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/linter-analysis.yaml b/.github/workflows/linter-analysis.yaml index 92adbf0b..a7a4407a 100644 --- a/.github/workflows/linter-analysis.yaml +++ b/.github/workflows/linter-analysis.yaml @@ -58,6 +58,7 @@ jobs: # with the plugin, not needed for regular project use. - name: Initializing modules run: | + terraform init terraform -chdir=modules/aws_autoscaling init terraform -chdir=modules/aws_fsx_ontap init terraform -chdir=modules/aws_ebs_csi init From bad93666a306e80a3b59865e8b90c283d21dc235 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 25 Nov 2024 20:18:52 -0500 Subject: [PATCH 08/18] working, prior to commented out code deletions Signed-off-by: David.Houck --- locals.tf | 13 ++- security.tf | 327 ++++++++++++++++++++++++++++++++-------------------- 2 files changed, 214 insertions(+), 126 deletions(-) diff --git a/locals.tf b/locals.tf index e3f57521..6c52bd4e 100755 --- a/locals.tf +++ b/locals.tf 
@@ -7,8 +7,8 @@ locals { aws_caller_identity_user_name = element(split("/", data.aws_caller_identity.terraform.arn), length(split("/", data.aws_caller_identity.terraform.arn)) - 1) # General - sec_group = (length(aws_security_group.sg_a) == 0 && length(aws_security_group.sg_b) == 0) ? null : coalescelist(aws_security_group.sg_a, aws_security_group.sg_b) - security_group_id = var.security_group_id == null ? local.sec_group[0].id : data.aws_security_group.sg[0].id + #sec_group = (length(aws_security_group.sg_a) == 0 && length(aws_security_group.sg_b) == 0) ? null : coalescelist(aws_security_group.sg_a, aws_security_group.sg_b) + security_group_id = var.security_group_id == null ? aws_security_group.sg[0].id : data.aws_security_group.sg[0].id cluster_security_group_id = var.cluster_security_group_id == null ? aws_security_group.cluster_security_group[0].id : var.cluster_security_group_id workers_security_group_id = var.workers_security_group_id == null ? aws_security_group.workers_security_group[0].id : var.workers_security_group_id cluster_name = "${var.prefix}-eks" @@ -167,6 +167,15 @@ locals { postgres_sgr_ports = var.postgres_servers != null ? length(local.postgres_servers) != 0 ? [for k, v in local.postgres_servers : v.server_port ] : [] : null + postgres_cidr_port_pairs = setproduct(local.postgres_sgr_ports, local.postgres_public_access_cidrs) + + ingress_pairs = length(local.postgres_cidr_port_pairs) != 0 ? { for pair in local.postgres_cidr_port_pairs : + "${pair[0]}-${pair[1]}" => { + "server_port" : pair[0], + "cidr" : pair[1] + } + } : {} + postgres_outputs = length(module.postgresql) != 0 ? { for k, v in module.postgresql : k => { diff --git a/security.tf b/security.tf index 0153fbd9..b4859970 100644 --- a/security.tf +++ b/security.tf 
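Review bot: In the second hunk, `postgres_cidr_port_pairs = setproduct(local.postgres_sgr_ports, local.postgres_public_access_cidrs)` is evaluated unconditionally, but the line just above it sets `postgres_sgr_ports` to `null` when `var.postgres_servers` is null, and `setproduct` rejects a null collection argument, so a plan with no Postgres servers would fail on this local instead of yielding an empty `ingress_pairs`. Guarding the input keeps the downstream `postgres_external` rule's existing null check meaningful: `postgres_cidr_port_pairs = local.postgres_sgr_ports != null ? setproduct(local.postgres_sgr_ports, local.postgres_public_access_cidrs) : []`. The `ingress_pairs` expression below already handles the empty list, so no change is needed there. The enclosing `locals` block starts and ends outside the hunk.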
@@ -6,224 +6,303 @@ data "aws_security_group" "sg" { id = var.security_group_id } +# Note: +# Using aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources is the current best practice. +# Avoid using the aws_security_group_rule resource and the ingress and egress arguments of the aws_security_group resource +# for configuring in-line rules, as they struggle with managing multiple CIDR blocks, and tags and descriptions due to the +# historical lack of unique IDs. + # Security Groups - https://www.terraform.io/docs/providers/aws/r/security_group.html -resource "aws_security_group" "sg_a" { - count = var.security_group_id == null && var.vpc_private_endpoints_enabled == false ? 1 : 0 +resource "aws_security_group" "sg" { + count = var.security_group_id == null ? 1 : 0 name = "${var.prefix}-sg" vpc_id = module.vpc.vpc_id description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs" - egress { - description = "Allow all outbound traffic." - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } + tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) } -# Security Groups - https://www.terraform.io/docs/providers/aws/r/security_group.html -resource "aws_security_group" "sg_b" { - count = var.security_group_id == null && var.vpc_private_endpoints_enabled ? 1 : 0 - name = "${var.prefix}-sg" - vpc_id = module.vpc.vpc_id +# resource "aws_security_group" "sg_a" { +# count = var.security_group_id == null && var.vpc_private_endpoints_enabled == false ? 
1 : 0 +# name = "${var.prefix}-sg" +# vpc_id = module.vpc.vpc_id + +# description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs" +# } + + # See above Note, Remove this egress rule and replace with aws_vpc_security_group_ingress_rule resource instead + # Look for all instances of this security group egress or ingress pattern in this file and replace likewise + +resource "aws_vpc_security_group_egress_rule" "sg" { + + security_group_id = local.security_group_id + + description = "Allow all outbound traffic." + ip_protocol = "-1" + cidr_ipv4 = "0.0.0.0/0" - description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs" - egress { - description = "Allow all outbound traffic." - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - ingress { - description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = local.vpc_endpoint_private_access_cidrs - } tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) } -resource "aws_security_group_rule" "vms" { - count = (length(local.vm_public_access_cidrs) > 0 - && var.security_group_id == null - && ((var.create_jump_public_ip && var.create_jump_vm) - || (var.create_nfs_public_ip && var.storage_type == "standard") - ) - ? 1 : 0 - ) - type = "ingress" +# We only need this/these ingress rule(s) if we are using VPC Endpoints +# Creates an ingress rules for each vpc_endpoint_private_access_cidrs in the list +resource "aws_vpc_security_group_ingress_rule" "sg" { + for_each = var.security_group_id == null && var.vpc_private_endpoints_enabled ? 
toset(local.vpc_endpoint_private_access_cidrs) : toset([]) + + security_group_id = local.security_group_id + description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints" + ip_protocol = "tcp" + from_port = 443 + to_port = 443 + cidr_ipv4 = each.key + + tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) +} + +# # Security Groups - https://www.terraform.io/docs/providers/aws/r/security_group.html +# resource "aws_security_group" "sg_b" { +# count = var.security_group_id == null && var.vpc_private_endpoints_enabled ? 1 : 0 +# name = "${var.prefix}-sg" +# vpc_id = module.vpc.vpc_id + +# description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs" +# } + # Replace with aws_vpc_security_group_egress_rule resource - Done + +# resource "aws_vpc_security_group_egress_rule" "sg" { + +# security_group_id = "aws_security_group.sg.id" + +# # egress { +# description = "Allow all outbound traffic." +# from_port = 0 +# to_port = 0 +# ip_protocol = "-1" +# cidr_ipv4 = "0.0.0.0/0" + +# } + # Replace with aws_vpc_security_group_ingress_rule resource +# ingress { +# description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints" +# from_port = 443 +# to_port = 443 +# protocol = "tcp" +# cidr_blocks = local.vpc_endpoint_private_access_cidrs +# } +# tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) +# } + +resource "aws_vpc_security_group_ingress_rule" "vms" { + # count = (length(local.vm_public_access_cidrs) > 0 + # && var.security_group_id == null + # && ((var.create_jump_public_ip && var.create_jump_vm) + # || (var.create_nfs_public_ip && var.storage_type == "standard") + # ) + # ? 1 : 0 + # ) + for_each = var.security_group_id == null && ((var.create_jump_public_ip && var.create_jump_vm)) ? 
toset(local.vm_public_access_cidrs) : toset([]) + + security_group_id = local.security_group_id + description = "Allow SSH from source" from_port = 22 to_port = 22 - protocol = "tcp" - cidr_blocks = local.vm_public_access_cidrs - security_group_id = local.security_group_id + ip_protocol = "tcp" + cidr_ipv4 = each.key } -resource "aws_security_group_rule" "all" { - type = "ingress" - description = "Allow internal security group communication." - from_port = 0 - to_port = 0 - protocol = "all" +resource "aws_vpc_security_group_ingress_rule" "all" { security_group_id = local.security_group_id - self = true -} + description = "Allow internal security group communication." + ip_protocol = "-1" + referenced_security_group_id = local.security_group_id +} -resource "aws_security_group_rule" "postgres_internal" { +# resource "aws_security_group_rule" "all" { +# type = "ingress" +# description = "Allow internal security group communication." +# from_port = 0 +# to_port = 0 +# protocol = "all" +# security_group_id = local.security_group_id +# self = true +# } + +resource "aws_vpc_security_group_ingress_rule" "postgres_internal" { for_each = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([]) - type = "ingress" - description = "Allow Postgres within network" + + description = "Allow Postgress within network" from_port = each.key to_port = each.key - protocol = "tcp" - self = true + ip_protocol = "tcp" security_group_id = local.security_group_id + referenced_security_group_id = local.security_group_id } -resource "aws_security_group_rule" "postgres_external" { +# resource "aws_security_group_rule" "postgres_internal" { +# for_each = local.postgres_sgr_ports != null ? 
toset(local.postgres_sgr_ports) : toset([]) +# type = "ingress" +# description = "Allow Postgres within network" +# from_port = each.key +# to_port = each.key +# protocol = "tcp" +# self = true +# security_group_id = local.security_group_id +# } + +resource "aws_vpc_security_group_ingress_rule" "postgres_external" { for_each = (length(local.postgres_public_access_cidrs) > 0 ? local.postgres_sgr_ports != null - ? toset(local.postgres_sgr_ports) - : toset([]) - : toset([]) + ? local.ingress_pairs + : {} + : {} ) - type = "ingress" + description = "Allow Postgres from source" - from_port = each.key - to_port = each.key - protocol = "tcp" - cidr_blocks = local.postgres_public_access_cidrs + from_port = each.value.server_port + to_port = each.value.server_port + ip_protocol = "tcp" + cidr_ipv4 = each.value.cidr security_group_id = local.security_group_id } +# resource "aws_security_group_rule" "postgres_external" { +# for_each = (length(local.postgres_public_access_cidrs) > 0 +# ? local.postgres_sgr_ports != null +# ? toset(local.postgres_sgr_ports) +# : toset([]) +# : toset([]) +# ) +# type = "ingress" +# description = "Allow Postgres from source" +# from_port = each.key +# to_port = each.key +# protocol = "tcp" +# cidr_blocks = local.postgres_public_access_cidrs +# security_group_id = local.security_group_id +# } + resource "aws_security_group" "cluster_security_group" { + + count = var.cluster_security_group_id == null ? 1 : 0 + name = "${var.prefix}-eks_cluster_sg" vpc_id = module.vpc.vpc_id + description = "EKS cluster security group." + tags = merge(local.tags, { "Name" : "${var.prefix}-eks_cluster_sg" }) +} + + # Replace with aws_vpc_security_group_egress_rule resource +resource "aws_vpc_security_group_egress_rule" "cluster_security_group" { count = var.cluster_security_group_id == null ? 1 : 0 - description = "EKS cluster security group." - egress { - description = "Allow all outbound traffic." 
- from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] + description = "Allow all outbound traffic." + ip_protocol = "-1" + cidr_ipv4 = "0.0.0.0/0" + security_group_id = local.cluster_security_group_id } - ingress { - description = "Allow additional HTTPS/443 ingress to private EKS cluster API server endpoint per var.cluster_endpoint_private_access_cidrs" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = local.cluster_endpoint_private_access_cidrs + + # Replace with aws_vpc_security_group_ingress_rule resource +resource "aws_vpc_security_group_ingress_rule" "cluster_security_group" { + for_each = var.cluster_security_group_id == null ? toset(local.cluster_endpoint_private_access_cidrs) : toset([]) + + description = "Allow additional HTTPS/443 ingress to private EKS cluster API server endpoint per var.cluster_endpoint_private_access_cidrs" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + cidr_ipv4 = each.key + security_group_id = local.cluster_security_group_id } -} -resource "aws_security_group_rule" "cluster_ingress" { + # Replace with aws_vpc_security_group_ingress_rule resource +resource "aws_vpc_security_group_ingress_rule" "cluster_ingress" { count = var.cluster_security_group_id == null ? 1 : 0 - type = "ingress" description = "Allow pods to communicate with the EKS cluster API." from_port = 443 to_port = 443 - protocol = "tcp" - source_security_group_id = local.workers_security_group_id + ip_protocol = "tcp" + referenced_security_group_id = local.workers_security_group_id security_group_id = local.cluster_security_group_id } resource "aws_security_group" "workers_security_group" { + count = var.workers_security_group_id == null ? 1 : 0 + + description = "Security group for all nodes in the cluster." 
name = "${var.prefix}-eks_worker_sg" vpc_id = module.vpc.vpc_id tags = merge(local.tags, { "Name" : "${var.prefix}-eks_worker_sg" }, { "kubernetes.io/cluster/${local.cluster_name}" : "owned" } ) - +} + +resource "aws_vpc_security_group_egress_rule" "workers_security_group" { count = var.workers_security_group_id == null ? 1 : 0 - description = "Security group for all nodes in the cluster." - egress = [ - { - cidr_blocks = [ - "0.0.0.0/0", - ] - ipv6_cidr_blocks = [] - prefix_list_ids = [] - self = false - security_groups = [] - description = "Allow cluster egress access to the Internet." - from_port = 0 - to_port = 0 - protocol = "-1" - }, - ] - -} - -resource "aws_security_group_rule" "worker_self" { + cidr_ipv4 = "0.0.0.0/0" + security_group_id = local.workers_security_group_id + description = "Allow cluster egress access to the Internet." + ip_protocol = "-1" + +} + +resource "aws_vpc_security_group_ingress_rule" "worker_self" { count = var.workers_security_group_id == null ? 1 : 0 - type = "ingress" - description = "Allow node to communicate with each other." - from_port = 0 - protocol = "-1" - self = true - to_port = 0 + description = "Allow node to communicate with each other." + ip_protocol = "-1" + referenced_security_group_id = aws_security_group.workers_security_group[0].id security_group_id = aws_security_group.workers_security_group[0].id } -resource "aws_security_group_rule" "worker_cluster_api" { +resource "aws_vpc_security_group_ingress_rule" "worker_cluster_api" { count = var.workers_security_group_id == null ? 1 : 0 - type = "ingress" description = "Allow worker pods to receive communication from the cluster control plane." 
from_port = 1025 - protocol = "tcp" - source_security_group_id = local.cluster_security_group_id to_port = 65535 + ip_protocol = "tcp" + referenced_security_group_id = local.cluster_security_group_id security_group_id = aws_security_group.workers_security_group[0].id } -resource "aws_security_group_rule" "worker_cluster_api_443" { +resource "aws_vpc_security_group_ingress_rule" "worker_cluster_api_443" { count = var.workers_security_group_id == null ? 1 : 0 - type = "ingress" description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane." from_port = 443 - protocol = "tcp" - source_security_group_id = local.cluster_security_group_id to_port = 443 + ip_protocol = "tcp" + referenced_security_group_id = local.cluster_security_group_id security_group_id = aws_security_group.workers_security_group[0].id } +# TODO: Make sure tags are applied to all resources -resource "aws_security_group_rule" "vm_private_access_22" { +resource "aws_vpc_security_group_ingress_rule" "vm_private_access_22" { - count = (length(local.vm_private_access_cidrs) > 0 + for_each = (length(local.vm_private_access_cidrs) > 0 && var.workers_security_group_id == null && ((var.create_jump_public_ip == false && var.create_jump_vm) - || (var.create_nfs_public_ip == false && var.storage_type == "standard") - ) - ? 1 : 0 + || (var.create_nfs_public_ip == false && var.storage_type == "standard")) ? toset(local.vm_private_access_cidrs) : toset([]) ) - type = "ingress" + description = "Allow SSH to a private IP based Jump VM per var.vm_private_access_cidrs. Required for DAC baseline client VM." from_port = 22 to_port = 22 - protocol = "tcp" - cidr_blocks = local.vm_private_access_cidrs + ip_protocol = "tcp" + cidr_ipv4 = each.key security_group_id = aws_security_group.workers_security_group[0].id } From 9c8e5dd4d4ec750336dace4b61ef90158af36803 Mon Sep 17 00:00:00 2001 
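Review bot: `resource "aws_vpc_security_group_egress_rule" "sg"` has no `count`, so the allow-all egress rule (`ip_protocol = "-1"`, `cidr_ipv4 = "0.0.0.0/0"`) is now attached to `local.security_group_id` even when the caller supplies `var.security_group_id`; before this change the egress block lived inline in `sg_a`/`sg_b`, which only existed when that variable was null, so a bring-your-own security group was never modified by this module. The sibling `cluster_security_group` and `workers_security_group` egress rules keep their `count` guards and this one should match: `count = var.security_group_id == null ? 1 : 0`. Separately, the new `for_each` on `aws_vpc_security_group_ingress_rule "vms"` drops the `(var.create_nfs_public_ip && var.storage_type == "standard")` case that the replaced `count` expression (still visible in the commented-out lines) included, so a public-IP NFS VM no longer receives the port 22 ingress; if that narrowing is intentional it deserves a comment, and the same `for_each` line is re-added in patch 10's `@@ -60,47 +50,8 @@` hunk. The `postgres_internal` description also changed from `"Allow Postgres within network"` to `"Allow Postgress within network"`, which looks like an accidental typo rather than an intended rename.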
From: "David.Houck" Date: Mon, 2 Dec 2024 19:36:46 -0500 Subject: [PATCH 09/18] With sg_a&b consolidation, remove uneeded local variable Signed-off-by: David.Houck --- locals.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/locals.tf b/locals.tf index 6c52bd4e..0d8934ac 100755 --- a/locals.tf +++ b/locals.tf @@ -7,7 +7,6 @@ locals { aws_caller_identity_user_name = element(split("/", data.aws_caller_identity.terraform.arn), length(split("/", data.aws_caller_identity.terraform.arn)) - 1) # General - #sec_group = (length(aws_security_group.sg_a) == 0 && length(aws_security_group.sg_b) == 0) ? null : coalescelist(aws_security_group.sg_a, aws_security_group.sg_b) security_group_id = var.security_group_id == null ? aws_security_group.sg[0].id : data.aws_security_group.sg[0].id cluster_security_group_id = var.cluster_security_group_id == null ? aws_security_group.cluster_security_group[0].id : var.cluster_security_group_id workers_security_group_id = var.workers_security_group_id == null ? aws_security_group.workers_security_group[0].id : var.workers_security_group_id From 58f1a6f20369b2d2f00a177101de2bcfb63edc2b Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 19:39:24 -0500 Subject: [PATCH 10/18] Use security_group_ingress/egress rule resources, not inline rules Signed-off-by: David.Houck --- security.tf | 102 +++++----------------------------------------------- 1 file changed, 9 insertions(+), 93 deletions(-) diff --git a/security.tf b/security.tf index b4859970..ef688ea8 100644 --- a/security.tf +++ b/security.tf 
@@ -23,17 +23,6 @@ resource "aws_security_group" "sg" { tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) } -# resource "aws_security_group" "sg_a" { -# count = var.security_group_id == null && var.vpc_private_endpoints_enabled == false ? 1 : 0 -# name = "${var.prefix}-sg" -# vpc_id = module.vpc.vpc_id - -# description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs" -# } - - # See above Note, Remove this egress rule and replace with aws_vpc_security_group_ingress_rule resource instead - # Look for all instances of this security group egress or ingress pattern in this file and replace likewise - resource "aws_vpc_security_group_egress_rule" "sg" { security_group_id = local.security_group_id @@ -45,9 +34,10 @@ resource "aws_vpc_security_group_egress_rule" "sg" { tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) } -# We only need this/these ingress rule(s) if we are using VPC Endpoints +# Only create this/these ingress rule(s) if we are using VPC Endpoints # Creates an ingress rules for each vpc_endpoint_private_access_cidrs in the list resource "aws_vpc_security_group_ingress_rule" "sg" { + for_each = var.security_group_id == null && var.vpc_private_endpoints_enabled ? toset(local.vpc_endpoint_private_access_cidrs) : toset([]) security_group_id = local.security_group_id 
@@ -60,47 +50,8 @@ resource "aws_vpc_security_group_ingress_rule" "sg" { tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) } -# # Security Groups - https://www.terraform.io/docs/providers/aws/r/security_group.html -# resource "aws_security_group" "sg_b" { -# count = var.security_group_id == null && var.vpc_private_endpoints_enabled ? 1 : 0 -# name = "${var.prefix}-sg" -# vpc_id = module.vpc.vpc_id - -# description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs" -# } - # Replace with aws_vpc_security_group_egress_rule resource - Done - -# resource "aws_vpc_security_group_egress_rule" "sg" { - -# security_group_id = "aws_security_group.sg.id" - -# # egress { -# description = "Allow all outbound traffic." -# from_port = 0 -# to_port = 0 -# ip_protocol = "-1" -# cidr_ipv4 = "0.0.0.0/0" - -# } - # Replace with aws_vpc_security_group_ingress_rule resource -# ingress { -# description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints" -# from_port = 443 -# to_port = 443 -# protocol = "tcp" -# cidr_blocks = local.vpc_endpoint_private_access_cidrs -# } -# tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) -# } - resource "aws_vpc_security_group_ingress_rule" "vms" { - # count = (length(local.vm_public_access_cidrs) > 0 - # && var.security_group_id == null - # && ((var.create_jump_public_ip && var.create_jump_vm) - # || (var.create_nfs_public_ip && var.storage_type == "standard") - # ) - # ? 1 : 0 - # ) + for_each = var.security_group_id == null && ((var.create_jump_public_ip && var.create_jump_vm)) ? toset(local.vm_public_access_cidrs) : toset([]) security_group_id = local.security_group_id 
@@ -120,17 +71,8 @@ resource "aws_vpc_security_group_ingress_rule" "all" { referenced_security_group_id = local.security_group_id } -# resource "aws_security_group_rule" "all" { -# type = "ingress" -# description = "Allow internal security group communication." -# from_port = 0 -# to_port = 0 -# protocol = "all" -# security_group_id = local.security_group_id -# self = true -# } - resource "aws_vpc_security_group_ingress_rule" "postgres_internal" { + for_each = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([]) description = "Allow Postgress within network" @@ -141,18 +83,8 @@ resource "aws_vpc_security_group_ingress_rule" "postgres_internal" { referenced_security_group_id = local.security_group_id } -# resource "aws_security_group_rule" "postgres_internal" { -# for_each = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([]) -# type = "ingress" -# description = "Allow Postgres within network" -# from_port = each.key -# to_port = each.key -# protocol = "tcp" -# self = true -# security_group_id = local.security_group_id -# } - resource "aws_vpc_security_group_ingress_rule" "postgres_external" { + for_each = (length(local.postgres_public_access_cidrs) > 0 ? local.postgres_sgr_ports != null ? local.ingress_pairs @@ -168,23 +100,6 @@ resource "aws_vpc_security_group_ingress_rule" "postgres_external" { security_group_id = local.security_group_id } -# resource "aws_security_group_rule" "postgres_external" { -# for_each = (length(local.postgres_public_access_cidrs) > 0 -# ? local.postgres_sgr_ports != null -# ? toset(local.postgres_sgr_ports) -# : toset([]) -# : toset([]) -# ) -# type = "ingress" -# description = "Allow Postgres from source" -# from_port = each.key -# to_port = each.key -# protocol = "tcp" -# cidr_blocks = local.postgres_public_access_cidrs -# security_group_id = local.security_group_id -# } - - resource "aws_security_group" "cluster_security_group" { count = var.cluster_security_group_id == null ? 1 : 0 
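Review bot: `for_each = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([])` on `postgres_internal` guards against a null that a later commit in this series ("Fix TFlint sets arg must not be null error") removes by making `postgres_sgr_ports` fall back to `[]` in both branches; once that lands the conditional is dead and `for_each = toset(local.postgres_sgr_ports)` says the same thing. The `postgres_external` `for_each` in the next hunk switches to `local.ingress_pairs`, but its expression runs past the hunk, so how the length guard and the null branch combine cannot be checked here.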
@@ -197,8 +112,8 @@ resource "aws_security_group" "cluster_security_group" { } - # Replace with aws_vpc_security_group_egress_rule resource resource "aws_vpc_security_group_egress_rule" "cluster_security_group" { + count = var.cluster_security_group_id == null ? 1 : 0 description = "Allow all outbound traffic." @@ -207,8 +122,8 @@ resource "aws_vpc_security_group_egress_rule" "cluster_security_group" { security_group_id = local.cluster_security_group_id } - # Replace with aws_vpc_security_group_ingress_rule resource resource "aws_vpc_security_group_ingress_rule" "cluster_security_group" { + for_each = var.cluster_security_group_id == null ? toset(local.cluster_endpoint_private_access_cidrs) : toset([]) description = "Allow additional HTTPS/443 ingress to private EKS cluster API server endpoint per var.cluster_endpoint_private_access_cidrs" @@ -220,7 +135,6 @@ resource "aws_vpc_security_group_ingress_rule" "cluster_security_group" { } - # Replace with aws_vpc_security_group_ingress_rule resource resource "aws_vpc_security_group_ingress_rule" "cluster_ingress" { count = var.cluster_security_group_id == null ? 1 : 0 @@ -234,6 +148,7 @@ resource "aws_vpc_security_group_ingress_rule" "cluster_ingress" { } resource "aws_security_group" "workers_security_group" { + count = var.workers_security_group_id == null ? 1 : 0 description = "Security group for all nodes in the cluster." @@ -246,6 +161,7 @@ resource "aws_security_group" "workers_security_group" { } resource "aws_vpc_security_group_egress_rule" "workers_security_group" { + count = var.workers_security_group_id == null ? 1 : 0 cidr_ipv4 = "0.0.0.0/0" From 46f878e6c5bc57819de31f78d502dd6f4e7f021a Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 19:49:54 -0500 Subject: [PATCH 11/18] Add checksum for kubectl download Signed-off-by: David.Houck --- Dockerfile | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3a41d036..5d5918ec 100644 
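Review bot: The `count` added to `aws_security_group.workers_security_group` makes the `aws_security_group.workers_security_group[0].id` references in the worker rules later in the file (`worker_self`, `worker_cluster_api`, `worker_cluster_api_443`) valid only under the same `var.workers_security_group_id == null` condition, which their own `count` happens to match, whereas the `cluster_*` rules in this hunk go through `local.cluster_security_group_id`. Using `local.workers_security_group_id` in the worker rules as well would make the two halves read alike and remove the index dependency. A short comment on the new `count`/`for_each` lines, e.g. `# No rules are managed when the caller supplies the security group`, would state the intent these guards share; I infer that intent from the pattern, not from a visible locals definition. The `workers_security_group` egress resource continues past the hunk.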
--- a/Dockerfile +++ b/Dockerfile @@ -2,23 +2,31 @@ ARG TERRAFORM_VERSION=1.9.6 ARG AWS_CLI_VERSION=2.17.58 FROM hashicorp/terraform:$TERRAFORM_VERSION AS terraform +FROM almalinux:minimal AS amin +WORKDIR /app +USER root +ARG KUBECTL_VERSION=1.30.6 +ARG KUBECTL_CHECKSUM=7a3adf80ca74b1b2afdfc7f4570f0005ca03c2812367ffb6ee2f731d66e45e61 +RUN set -eux \ + && curl -fSLO https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \ + && chmod 755 ./kubectl \ + && sha256sum --check --strict <(echo ${KUBECTL_CHECKSUM} kubectl) + FROM amazon/aws-cli:$AWS_CLI_VERSION -ARG KUBECTL_VERSION=1.29.8 WORKDIR /viya4-iac-aws +COPY --from=amin /app/kubectl /usr/local/bin/kubectl COPY --from=terraform /bin/terraform /bin/terraform COPY . . RUN yum -y install git openssh jq which \ && yum -y update openssl-libs glib2 vim-minimal vim-data curl \ && yum clean all && rm -rf /var/cache/yum \ - && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \ - && chmod 755 ./kubectl /viya4-iac-aws/docker-entrypoint.sh \ - && mv ./kubectl /usr/local/bin/kubectl \ - && chmod g=u -R /etc/passwd /etc/group /viya4-iac-aws \ + && chmod 755 /viya4-iac-aws/docker-entrypoint.sh \ && git config --system --add safe.directory /viya4-iac-aws \ - && terraform init + && terraform init \ + && chmod g=u -R /etc/passwd /etc/group /viya4-iac-aws ENV TF_VAR_iac_tooling=docker ENTRYPOINT ["/viya4-iac-aws/docker-entrypoint.sh"] From c4f83cb728a559469751a63eeb342ba8bf035b92 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 20:21:21 -0500 Subject: [PATCH 12/18] Add ignore DL3002, installs require root Signed-off-by: David.Houck --- linting-configs/.hadolint.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/linting-configs/.hadolint.yaml b/linting-configs/.hadolint.yaml index e3c7d2c0..c30675d4 100644 --- a/linting-configs/.hadolint.yaml +++ b/linting-configs/.hadolint.yaml 
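Review bot: `sha256sum --check --strict <(echo ${KUBECTL_CHECKSUM} kubectl)` relies on bash process substitution inside a `RUN` that executes under the image's `/bin/sh`; it works only because this base links `sh` to bash, and it is what drives the SC3001 churn in the three following patches. `echo "${KUBECTL_CHECKSUM}  kubectl" | sha256sum --check --strict` is POSIX-shell safe and uses the two-space separator that `sha256sum` documents, where the single space here appears to rely on GNU's lenient parsing. `KUBECTL_CHECKSUM` should also carry a comment tying it to `KUBECTL_VERSION`, e.g. `# sha256 of the linux/amd64 kubectl for KUBECTL_VERSION; update both together (published as kubectl.sha256 next to the binary)`, so a version bump cannot land without the new digest. `FROM almalinux:minimal` is the only base in the file not pinned to a version or digest, which undercuts the reproducibility the checksum is buying.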
@@ -5,3 +5,4 @@ ignored: # Specify version with yum install -y - - https://github.com/hadolint/hadolint/wiki/DL3033 - DL3033 + - DL3002 From 46268279aca01ad845f646d28a0b7e7b5590cc63 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 20:23:32 -0500 Subject: [PATCH 13/18] fix SC3001 warning, use bash shell Signed-off-by: David.Houck --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5d5918ec..f73d9990 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ WORKDIR /app USER root ARG KUBECTL_VERSION=1.30.6 ARG KUBECTL_CHECKSUM=7a3adf80ca74b1b2afdfc7f4570f0005ca03c2812367ffb6ee2f731d66e45e61 -RUN set -eux \ +RUN /bin/bash -eux \ && curl -fSLO https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \ && chmod 755 ./kubectl \ && sha256sum --check --strict <(echo ${KUBECTL_CHECKSUM} kubectl) From 31337f777eb88e5b6dc8ad50db1c4bb657a20828 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 20:30:11 -0500 Subject: [PATCH 14/18] fix SC3001 warning, use bash shell, 2nd try Signed-off-by: David.Houck --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f73d9990..ce1296a6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ WORKDIR /app USER root ARG KUBECTL_VERSION=1.30.6 ARG KUBECTL_CHECKSUM=7a3adf80ca74b1b2afdfc7f4570f0005ca03c2812367ffb6ee2f731d66e45e61 -RUN /bin/bash -eux \ +RUN /usr/bin/bash -eux \ && curl -fSLO https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl \ && chmod 755 ./kubectl \ && sha256sum --check --strict <(echo ${KUBECTL_CHECKSUM} kubectl) From 0dbcb345c9ddba104bfcc5803e6899e898522833 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 20:50:17 -0500 Subject: [PATCH 15/18] ignore SC3001, false positive Signed-off-by: David.Houck --- linting-configs/.hadolint.yaml | 1 + 1 file changed, 1 insertion(+) 
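Review bot: `RUN /usr/bin/bash -eux \ && curl …` (and the `/bin/bash -eux` form in the preceding patch) does not run the chain under bash: `bash -eux` with no script argument reads commands from stdin, which is empty during the build, so it exits immediately and `/bin/sh` then executes the `curl`/`chmod`/`sha256sum` chain exactly as before, now without `set -u` (an unset `KUBECTL_VERSION` would yield a bad URL instead of a failure). To actually switch shells use the Dockerfile `SHELL` instruction ahead of the `RUN`, `SHELL ["/usr/bin/bash", "-eux", "-c"]`, or keep `RUN set -eux` and replace the process substitution with a pipe into `sha256sum --check --strict`. Either fix also makes the SC3001 ignore added in the next patch unnecessary.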
diff --git a/linting-configs/.hadolint.yaml b/linting-configs/.hadolint.yaml index c30675d4..c50f26c8 100644 --- a/linting-configs/.hadolint.yaml +++ b/linting-configs/.hadolint.yaml @@ -6,3 +6,4 @@ ignored: # Specify version with yum install -y - - https://github.com/hadolint/hadolint/wiki/DL3033 - DL3033 - DL3002 + - SC3001 From 47b8a21613a192c4d204179cc117703bd09c5c72 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 20:59:58 -0500 Subject: [PATCH 16/18] scan top-level project Signed-off-by: David.Houck --- linting-configs/.tflint.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linting-configs/.tflint.hcl b/linting-configs/.tflint.hcl index 9ea4473a..a6e25999 100644 --- a/linting-configs/.tflint.hcl +++ b/linting-configs/.tflint.hcl @@ -9,7 +9,7 @@ config { # Enables module inspection - call_module_type = "all" + call_module_type = "none" } plugin "aws" { From 3bdfb9af15c09ee8590d02b9caa4483eb29bbdc9 Mon Sep 17 00:00:00 2001 From: "David.Houck" Date: Mon, 2 Dec 2024 21:13:04 -0500 Subject: [PATCH 17/18] Fix TFlint sets arg must not be null error Signed-off-by: David.Houck --- locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/locals.tf b/locals.tf index 0d8934ac..ccebde10 100755 --- a/locals.tf +++ b/locals.tf @@ -165,7 +165,7 @@ locals { postgres_servers = var.postgres_servers == null ? {} : { for k, v in var.postgres_servers : k => merge(var.postgres_server_defaults, v, ) } postgres_sgr_ports = var.postgres_servers != null ? length(local.postgres_servers) != 0 ? [for k, v in local.postgres_servers : v.server_port - ] : [] : null + ] : [] : [] postgres_cidr_port_pairs = setproduct(local.postgres_sgr_ports, local.postgres_public_access_cidrs) ingress_pairs = length(local.postgres_cidr_port_pairs) != 0 ? { for pair in local.postgres_cidr_port_pairs : From c57e1b95d3353551bb3ba9f8d34b5ad8e4ea0f1a Mon Sep 17 00:00:00 2001 
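Review bot: `call_module_type = "none"` now sits directly under the comment `# Enables module inspection`, which states the opposite of the new value; change it to `# Module inspection disabled: only the top-level project is scanned` so the config explains itself. Findings inside called modules (the file references `module.vpc`, for instance) are no longer reported, which is worth stating in the commit description if that is the intent.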
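Review bot: With `] : [] : []` both arms of the outer `var.postgres_servers != null ? … : …` conditional now yield the same `[]`, so `postgres_sgr_ports` reduces to `[for k, v in local.postgres_servers : v.server_port]`: `local.postgres_servers` is already `{}` when the variable is null (the line above the hunk), and a comprehension over an empty map is `[]`, which also makes the inner `length(local.postgres_servers) != 0` test redundant. The `!= null` guard on `postgres_sgr_ports` in security.tf (`postgres_internal`'s `for_each`) is likewise dead after this change and can become `toset(local.postgres_sgr_ports)`. The `locals` block continues on both sides of the hunk.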
From: "David.Houck" Date: Mon, 2 Dec 2024 21:29:17 -0500 Subject: [PATCH 18/18] Only TF format changes Signed-off-by: David.Houck --- security.tf | 114 ++++++++++++++++++++++++++-------------------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/security.tf b/security.tf index ef688ea8..1c129c85 100644 --- a/security.tf +++ b/security.tf @@ -28,8 +28,8 @@ resource "aws_vpc_security_group_egress_rule" "sg" { security_group_id = local.security_group_id description = "Allow all outbound traffic." - ip_protocol = "-1" - cidr_ipv4 = "0.0.0.0/0" + ip_protocol = "-1" + cidr_ipv4 = "0.0.0.0/0" tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) } @@ -41,11 +41,11 @@ resource "aws_vpc_security_group_ingress_rule" "sg" { for_each = var.security_group_id == null && var.vpc_private_endpoints_enabled ? toset(local.vpc_endpoint_private_access_cidrs) : toset([]) security_group_id = local.security_group_id - description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints" - ip_protocol = "tcp" - from_port = 443 - to_port = 443 - cidr_ipv4 = each.key + description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints" + ip_protocol = "tcp" + from_port = 443 + to_port = 443 + cidr_ipv4 = each.key tags = merge(local.tags, { "Name" : "${var.prefix}-sg" }) } 
@@ -53,33 +53,33 @@ resource "aws_vpc_security_group_ingress_rule" "sg" { resource "aws_vpc_security_group_ingress_rule" "vms" { for_each = var.security_group_id == null && ((var.create_jump_public_ip && var.create_jump_vm)) ? toset(local.vm_public_access_cidrs) : toset([]) - + security_group_id = local.security_group_id - description = "Allow SSH from source" - from_port = 22 - to_port = 22 - ip_protocol = "tcp" - cidr_ipv4 = each.key + description = "Allow SSH from source" + from_port = 22 + to_port = 22 + ip_protocol = "tcp" + cidr_ipv4 = each.key } resource "aws_vpc_security_group_ingress_rule" "all" { security_group_id = local.security_group_id - description = "Allow internal security group communication." - ip_protocol = "-1" + description = "Allow internal security group communication." + ip_protocol = "-1" referenced_security_group_id = local.security_group_id } resource "aws_vpc_security_group_ingress_rule" "postgres_internal" { - for_each = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([]) + for_each = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([]) - description = "Allow Postgress within network" - from_port = each.key - to_port = each.key - ip_protocol = "tcp" - security_group_id = local.security_group_id + description = "Allow Postgress within network" + from_port = each.key + to_port = each.key + ip_protocol = "tcp" + security_group_id = local.security_group_id referenced_security_group_id = local.security_group_id } @@ -104,11 +104,11 @@ resource "aws_security_group" "cluster_security_group" { count = var.cluster_security_group_id == null ? 1 : 0 - name = "${var.prefix}-eks_cluster_sg" - vpc_id = module.vpc.vpc_id + name = "${var.prefix}-eks_cluster_sg" + vpc_id = module.vpc.vpc_id description = "EKS cluster security group." - - tags = merge(local.tags, { "Name" : "${var.prefix}-eks_cluster_sg" }) + + tags = merge(local.tags, { "Name" : "${var.prefix}-eks_cluster_sg" }) } 
@@ -116,11 +116,11 @@ resource "aws_vpc_security_group_egress_rule" "cluster_security_group" { count = var.cluster_security_group_id == null ? 1 : 0 - description = "Allow all outbound traffic." - ip_protocol = "-1" - cidr_ipv4 = "0.0.0.0/0" + description = "Allow all outbound traffic." + ip_protocol = "-1" + cidr_ipv4 = "0.0.0.0/0" security_group_id = local.cluster_security_group_id - } +} resource "aws_vpc_security_group_ingress_rule" "cluster_security_group" { @@ -132,19 +132,19 @@ resource "aws_vpc_security_group_ingress_rule" "cluster_security_group" { ip_protocol = "tcp" cidr_ipv4 = each.key security_group_id = local.cluster_security_group_id - } +} resource "aws_vpc_security_group_ingress_rule" "cluster_ingress" { count = var.cluster_security_group_id == null ? 1 : 0 - description = "Allow pods to communicate with the EKS cluster API." - from_port = 443 - to_port = 443 - ip_protocol = "tcp" + description = "Allow pods to communicate with the EKS cluster API." + from_port = 443 + to_port = 443 + ip_protocol = "tcp" referenced_security_group_id = local.workers_security_group_id - security_group_id = local.cluster_security_group_id + security_group_id = local.cluster_security_group_id } resource "aws_security_group" "workers_security_group" { 
@@ -152,22 +152,22 @@ resource "aws_security_group" "workers_security_group" { count = var.workers_security_group_id == null ? 1 : 0 description = "Security group for all nodes in the cluster." - name = "${var.prefix}-eks_worker_sg" - vpc_id = module.vpc.vpc_id + name = "${var.prefix}-eks_worker_sg" + vpc_id = module.vpc.vpc_id tags = merge(local.tags, { "Name" : "${var.prefix}-eks_worker_sg" }, { "kubernetes.io/cluster/${local.cluster_name}" : "owned" } ) } - + resource "aws_vpc_security_group_egress_rule" "workers_security_group" { - + count = var.workers_security_group_id == null ? 1 : 0 - cidr_ipv4 = "0.0.0.0/0" - security_group_id = local.workers_security_group_id - description = "Allow cluster egress access to the Internet." - ip_protocol = "-1" + cidr_ipv4 = "0.0.0.0/0" + security_group_id = local.workers_security_group_id + description = "Allow cluster egress access to the Internet." + ip_protocol = "-1" } 
@@ -175,34 +175,34 @@ resource "aws_vpc_security_group_ingress_rule" "worker_self" { count = var.workers_security_group_id == null ? 1 : 0 - description = "Allow node to communicate with each other." - ip_protocol = "-1" + description = "Allow node to communicate with each other." + ip_protocol = "-1" referenced_security_group_id = aws_security_group.workers_security_group[0].id - security_group_id = aws_security_group.workers_security_group[0].id + security_group_id = aws_security_group.workers_security_group[0].id } resource "aws_vpc_security_group_ingress_rule" "worker_cluster_api" { count = var.workers_security_group_id == null ? 1 : 0 - description = "Allow worker pods to receive communication from the cluster control plane." - from_port = 1025 - to_port = 65535 - ip_protocol = "tcp" + description = "Allow worker pods to receive communication from the cluster control plane." + from_port = 1025 + to_port = 65535 + ip_protocol = "tcp" referenced_security_group_id = local.cluster_security_group_id - security_group_id = aws_security_group.workers_security_group[0].id + security_group_id = aws_security_group.workers_security_group[0].id } resource "aws_vpc_security_group_ingress_rule" "worker_cluster_api_443" { count = var.workers_security_group_id == null ? 1 : 0 - description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane." - from_port = 443 - to_port = 443 - ip_protocol = "tcp" + description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane." + from_port = 443 + to_port = 443 + ip_protocol = "tcp" referenced_security_group_id = local.cluster_security_group_id - security_group_id = aws_security_group.workers_security_group[0].id + security_group_id = aws_security_group.workers_security_group[0].id } # TODO: Make sure tags are applied to all resources 
@@ -212,7 +212,7 @@ resource "aws_vpc_security_group_ingress_rule" "vm_private_access_22" { for_each = (length(local.vm_private_access_cidrs) > 0 && var.workers_security_group_id == null && ((var.create_jump_public_ip == false && var.create_jump_vm) - || (var.create_nfs_public_ip == false && var.storage_type == "standard")) ? toset(local.vm_private_access_cidrs) : toset([]) + || (var.create_nfs_public_ip == false && var.storage_type == "standard")) ? toset(local.vm_private_access_cidrs) : toset([]) ) description = "Allow SSH to a private IP based Jump VM per var.vm_private_access_cidrs. Required for DAC baseline client VM."