diff --git a/CHANGELOG.md b/CHANGELOG.md
index a5d9bb9..bb24f6a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,9 @@ project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks)
-- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks)
+- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks)
+- add optional input `worker_additional_security_group_ids` to allow one or more additional security groups to be added to all worker launch configurations - #47 (by @hhobbsh @mr-joshua)
+- add optional input `additional_security_group_ids` to allow one or more additional security groups to be added to a specific worker launch configuration - #47 (by @mr-joshua)
 ### Changed
diff --git a/README.md b/README.md
index d4b8224..d473d81 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | subnets | A list of subnets to place the EKS cluster and workers within. | list | - | yes |
 | tags | A map of tags to add to all resources. | map | `` | no |
 | vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes |
+| worker_additional_security_group_ids | A list of additional security group ids to attach to worker instances | list | `` | no |
 | worker_group_count | The number of maps contained within the worker_groups list. | string | `1` | no |
 | worker_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `` | no |
 | worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |
diff --git a/examples/eks_test_fixture/main.tf b/examples/eks_test_fixture/main.tf
index b941249..a1d959b 100644
--- a/examples/eks_test_fixture/main.tf
+++ b/examples/eks_test_fixture/main.tf
@@ -36,10 +36,15 @@ locals {
 # )}"
 worker_groups = "${list(
- map("instance_type","t2.small",
- "additional_userdata","echo foo bar",
- "subnets", "${join(",", module.vpc.private_subnets)}",
- ),
+ map("instance_type","t2.small",
+ "additional_userdata","echo foo bar",
+ "subnets", "${join(",", module.vpc.private_subnets)}",
+ ),
+ map("instance_type","t2.small",
+ "additional_userdata","echo foo bar",
+ "subnets", "${join(",", module.vpc.private_subnets)}",
+ "additional_security_group_ids", "${aws_security_group.worker_group_mgmt_one.id},${aws_security_group.worker_group_mgmt_two.id}"
+ )
 )}"
 tags = "${map("Environment", "test", "GithubRepo", "terraform-aws-eks",
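Review bot: The second worker-group map builds `additional_security_group_ids` by hand-concatenating two interpolations with a literal comma, while the `subnets` key in the same map builds the same kind of comma-delimited string with `join(",", ...)`. For consistency, and so that a third id cannot be added with a stray space that the `split(",")` in workers.tf would pass through as part of the id, I would write it as `"additional_security_group_ids", "${join(",", list(aws_security_group.worker_group_mgmt_one.id, aws_security_group.worker_group_mgmt_two.id))}"`. The `locals` block this hunk belongs to starts before the hunk.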
@@ -53,6 +58,54 @@ resource "random_string" "suffix" {
 special = false
 }
+resource "aws_security_group" "worker_group_mgmt_one" {
+ name_prefix = "worker_group_mgmt_one"
+ description = "SG to be applied to all *nix machines"
+ vpc_id = "${module.vpc.vpc_id}"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ cidr_blocks = [
+ "10.0.0.0/8",
+ ]
+ }
+}
+
+resource "aws_security_group" "worker_group_mgmt_two" {
+ name_prefix = "worker_group_mgmt_two"
+ vpc_id = "${module.vpc.vpc_id}"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ cidr_blocks = [
+ "192.168.0.0/16",
+ ]
+ }
+}
+
+resource "aws_security_group" "all_worker_mgmt" {
+ name_prefix = "all_worker_management"
+ vpc_id = "${module.vpc.vpc_id}"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ cidr_blocks = [
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ ]
+ }
+}
+
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "1.14.0"
@@ -67,14 +120,15 @@ module "vpc" {
 }
 module "eks" {
- source = "../.."
- cluster_name = "${local.cluster_name}"
- subnets = ["${module.vpc.private_subnets}"]
- tags = "${local.tags}"
- vpc_id = "${module.vpc.vpc_id}"
- worker_groups = "${local.worker_groups}"
- worker_group_count = "1"
- map_roles = "${var.map_roles}"
- map_users = "${var.map_users}"
- map_accounts = "${var.map_accounts}"
+ source = "../.."
+ cluster_name = "${local.cluster_name}"
+ subnets = ["${module.vpc.private_subnets}"]
+ tags = "${local.tags}"
+ vpc_id = "${module.vpc.vpc_id}"
+ worker_groups = "${local.worker_groups}"
+ worker_group_count = "2"
+ worker_additional_security_group_ids = ["${aws_security_group.all_worker_mgmt.id}"]
+ map_roles = "${var.map_roles}"
+ map_users = "${var.map_users}"
+ map_accounts = "${var.map_accounts}"
 }
diff --git a/local.tf b/local.tf
index b83b24d..0e28d84 100644
--- a/local.tf
+++ b/local.tf
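Review bot: The three example security groups open tcp/22 from whole RFC1918 ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`), and since this fixture is what readers will copy as the reference for the new inputs, the `cidr_blocks` should be narrowed to the management hosts that actually need SSH, or at least carry a comment saying they are placeholders to replace. `worker_group_mgmt_two` and `all_worker_mgmt` also lack the `description` the first group has; something like `description = "Allow SSH from the management network to workers in this group"` makes the purpose of each group reviewable in the console. A comment noting that these groups are attached alongside the module-managed worker security group, so they can only extend what the workers accept, would also help readers judge the blast radius of what they paste in.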
@@ -9,25 +9,26 @@ locals {
 kubeconfig_name = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
 workers_group_defaults_defaults = {
- name = "count.index" # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used.
- ami_id = "${data.aws_ami.eks_worker.id}" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI.
- asg_desired_capacity = "1" # Desired worker capacity in the autoscaling group.
- asg_max_size = "3" # Maximum worker capacity in the autoscaling group.
- asg_min_size = "1" # Minimum worker capacity in the autoscaling group.
- instance_type = "m4.large" # Size of the workers instances.
- spot_price = "" # Cost of spot instance.
- root_volume_size = "100" # root volume size of workers instances.
- root_volume_type = "gp2" # root volume type of workers instances, can be 'standard', 'gp2', or 'io1'
- root_iops = "0" # The amount of provisioned IOPS. This must be set with a volume_type of "io1".
- key_name = "" # The key name that should be used for the instances in the autoscaling group
- pre_userdata = "" # userdata to pre-append to the default userdata.
- additional_userdata = "" # userdata to append to the default userdata.
- ebs_optimized = true # sets whether to use ebs optimization on supported types.
- enable_monitoring = true # Enables/disables detailed monitoring.
- public_ip = false # Associate a public ip address with a worker
- kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints.
- subnets = "" # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789
- autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling.
+ name = "count.index" # Name of the worker group. 
Literal count.index will never be used but if name is not set, the count.index interpolation will be used.
+ ami_id = "${data.aws_ami.eks_worker.id}" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI.
+ asg_desired_capacity = "1" # Desired worker capacity in the autoscaling group.
+ asg_max_size = "3" # Maximum worker capacity in the autoscaling group.
+ asg_min_size = "1" # Minimum worker capacity in the autoscaling group.
+ instance_type = "m4.large" # Size of the workers instances.
+ spot_price = "" # Cost of spot instance.
+ root_volume_size = "100" # root volume size of workers instances.
+ root_volume_type = "gp2" # root volume type of workers instances, can be 'standard', 'gp2', or 'io1'
+ root_iops = "0" # The amount of provisioned IOPS. This must be set with a volume_type of "io1".
+ key_name = "" # The key name that should be used for the instances in the autoscaling group
+ pre_userdata = "" # userdata to pre-append to the default userdata.
+ additional_userdata = "" # userdata to append to the default userdata.
+ ebs_optimized = true # sets whether to use ebs optimization on supported types.
+ enable_monitoring = true # Enables/disables detailed monitoring.
+ public_ip = false # Associate a public ip address with a worker
+ kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints.
+ subnets = "" # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789
+ autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling.
+ additional_security_group_ids = "" # A comman delimited list of additional security group ids to include in worker launch config
 }
 workers_group_defaults = "${merge(local.workers_group_defaults_defaults, var.workers_group_defaults)}"
diff --git a/variables.tf b/variables.tf
index b23cf47..1364bc4 100644
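Review bot: The new default `additional_security_group_ids = ""` carries a typo in its comment (`comman`), and the comment should state the shape workers.tf expects and how the value combines with the other inputs, in the same form as the `subnets` entry above it: `additional_security_group_ids = "" # A comma delimited string of additional security group ids to attach to this worker group's launch configuration, in addition to the worker security group and var.worker_additional_security_group_ids. i.e. sg-123,sg-456`. The rest of the hunk removes and re-adds all nineteen existing keys only to realign the `=` column, which buries the single functional change in this file; I would keep the realignment in a separate formatting commit so the security-relevant addition is visible on its own.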
--- a/variables.tf
+++ b/variables.tf
@@ -91,6 +91,12 @@ variable "worker_security_group_id" {
 default = ""
 }
+variable "worker_additional_security_group_ids" {
+ description = "A list of additional security group ids to attach to worker instances"
+ type = "list"
+ default = []
+}
+
 variable "worker_sg_ingress_from_port" {
 description = "Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443)."
 default = "1025"
diff --git a/workers.tf b/workers.tf
index 110bb0d..649caa5 100644
--- a/workers.tf
+++ b/workers.tf
@@ -24,7 +24,7 @@ resource "aws_autoscaling_group" "workers" {
 resource "aws_launch_configuration" "workers" {
 name_prefix = "${aws_eks_cluster.this.name}-${lookup(var.worker_groups[count.index], "name", count.index)}"
 associate_public_ip_address = "${lookup(var.worker_groups[count.index], "public_ip", lookup(local.workers_group_defaults, "public_ip"))}"
- security_groups = ["${local.worker_security_group_id}"]
+ security_groups = ["${local.worker_security_group_id}", "${var.worker_additional_security_group_ids}", "${compact(split(",",lookup(var.worker_groups[count.index],"additional_security_group_ids",lookup(local.workers_group_defaults, "additional_security_group_ids"))))}"]
 iam_instance_profile = "${aws_iam_instance_profile.workers.id}"
 image_id = "${lookup(var.worker_groups[count.index], "ami_id", lookup(local.workers_group_defaults, "ami_id"))}"
 instance_type = "${lookup(var.worker_groups[count.index], "instance_type", lookup(local.workers_group_defaults, "instance_type"))}"
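Review bot: The description of `worker_additional_security_group_ids` does not say that the groups are attached to every worker launch configuration in addition to the worker security group (module-managed or `worker_security_group_id`), nor that a per-group `additional_security_group_ids` key exists for group-specific needs, which is what an operator deciding between the two inputs needs to know. I would write `description = "A list of additional security group ids to attach to every worker launch configuration, in addition to the worker security group. Use the additional_security_group_ids worker group key for groups that apply to one worker group only."`. The README row added in the same commit would benefit from the same wording.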
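Review bot: The new `security_groups` expression passes the per-group string through `split(",")` without trimming, so a value written with spaces after the commas (`"sg-1, sg-2"`) yields `" sg-2"` and the mistake only surfaces as an API error at apply time, and an id listed in both `var.worker_additional_security_group_ids` and the per-group key is sent twice (I have not confirmed whether the launch configuration API tolerates duplicates). Normalising and deduplicating the combined list handles both: `security_groups = ["${distinct(concat(list(local.worker_security_group_id), var.worker_additional_security_group_ids, compact(split(",", replace(lookup(var.worker_groups[count.index], "additional_security_group_ids", lookup(local.workers_group_defaults, "additional_security_group_ids")), " ", "")))))}"]`. Since every id added here extends what the workers accept, the line is worth a comment saying so, and moving the expression into a `local` in local.tf would keep the launch configuration readable. The `aws_launch_configuration` block continues past the end of the hunk.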