github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-04-27 02:48:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow additional security groups to be included in worker launch configurations (#112)

Browse Source 
* Allow additional security groups to be included for all workers and each worker group #47

* update changelog with reference to issue and be more descriptive

* Update CHANGELOG.md

* address pr comments and rebase

* rebase

* fix bug introduced by PR#115 that sets the AMI id to the default value of "" always

* rebase

* align default value of additional_security_group_ids to be pulled from local var workers_group_defaults_defaults
This commit is contained in:
mr-joshua
2018-09-04 10:09:24 -05:00
committed by Max Williams
parent da6ff7d151
commit 0180644770
6 changed files with 99 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@@ -11,6 +11,8 @@ project adheres to [Semantic Versioning](http://semver.org/).
- add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks) - add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks)
- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks) - expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks)
- add optional input `worker_additional_security_group_ids` to allow one or more additional security groups to be added to all worker launch configurations - #47 (by @hhobbsh @mr-joshua)
- add optional input `additional_security_group_ids` to allow one or more additional security groups to be added to a specific worker launch configuration - #47 (by @mr-joshua)
### Changed ### Changed

1
README.md
View File

@@ -114,6 +114,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
| subnets | A list of subnets to place the EKS cluster and workers within. | list | - | yes | | subnets | A list of subnets to place the EKS cluster and workers within. | list | - | yes |
| tags | A map of tags to add to all resources. | map | `<map>` | no | | tags | A map of tags to add to all resources. | map | `<map>` | no |
| vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes | | vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes |
| worker_additional_security_group_ids | A list of additional security group ids to attach to worker instances | list | `<list>` | no |
| worker_group_count | The number of maps contained within the worker_groups list. | string | `1` | no | | worker_group_count | The number of maps contained within the worker_groups list. | string | `1` | no |
| worker_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `<list>` | no | | worker_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `<list>` | no |
| worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no | | worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |

56
examples/eks_test_fixture/main.tf
View File

@@ -40,6 +40,11 @@ locals {
"additional_userdata","echo foo bar", "additional_userdata","echo foo bar",
"subnets", "${join(",", module.vpc.private_subnets)}", "subnets", "${join(",", module.vpc.private_subnets)}",
), ),
map("instance_type","t2.small",
"additional_userdata","echo foo bar",
"subnets", "${join(",", module.vpc.private_subnets)}",
"additional_security_group_ids", "${aws_security_group.worker_group_mgmt_one.id},${aws_security_group.worker_group_mgmt_two.id}"
)
)}" )}"
tags = "${map("Environment", "test", tags = "${map("Environment", "test",
"GithubRepo", "terraform-aws-eks", "GithubRepo", "terraform-aws-eks",
@@ -53,6 +58,54 @@ resource "random_string" "suffix" {
special = false special = false
} }
resource "aws_security_group" "worker_group_mgmt_one" {
name_prefix = "worker_group_mgmt_one"
description = "SG to be applied to all *nix machines"
vpc_id = "${module.vpc.vpc_id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
]
}
}
resource "aws_security_group" "worker_group_mgmt_two" {
name_prefix = "worker_group_mgmt_two"
vpc_id = "${module.vpc.vpc_id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"192.168.0.0/16",
]
}
}
resource "aws_security_group" "all_worker_mgmt" {
name_prefix = "all_worker_management"
vpc_id = "${module.vpc.vpc_id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
]
}
}
module "vpc" { module "vpc" {
source = "terraform-aws-modules/vpc/aws" source = "terraform-aws-modules/vpc/aws"
version = "1.14.0" version = "1.14.0"
@@ -73,7 +126,8 @@ module "eks" {
tags = "${local.tags}" tags = "${local.tags}"
vpc_id = "${module.vpc.vpc_id}" vpc_id = "${module.vpc.vpc_id}"
worker_groups = "${local.worker_groups}" worker_groups = "${local.worker_groups}"
worker_group_count = "1" worker_group_count = "2"
worker_additional_security_group_ids = ["${aws_security_group.all_worker_mgmt.id}"]
map_roles = "${var.map_roles}" map_roles = "${var.map_roles}"
map_users = "${var.map_users}" map_users = "${var.map_users}"
map_accounts = "${var.map_accounts}" map_accounts = "${var.map_accounts}"

1
local.tf
View File

@@ -28,6 +28,7 @@ locals {
kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints. kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints.
subnets = "" # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789 subnets = "" # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789
autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling. autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling.
additional_security_group_ids = "" # A comman delimited list of additional security group ids to include in worker launch config
} }
workers_group_defaults = "${merge(local.workers_group_defaults_defaults, var.workers_group_defaults)}" workers_group_defaults = "${merge(local.workers_group_defaults_defaults, var.workers_group_defaults)}"

6
variables.tf
View File

@@ -91,6 +91,12 @@ variable "worker_security_group_id" {
default = "" default = ""
} }
variable "worker_additional_security_group_ids" {
description = "A list of additional security group ids to attach to worker instances"
type = "list"
default = []
}
variable "worker_sg_ingress_from_port" { variable "worker_sg_ingress_from_port" {
description = "Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443)." description = "Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443)."
default = "1025" default = "1025"

2
workers.tf
View File

@@ -24,7 +24,7 @@ resource "aws_autoscaling_group" "workers" {
resource "aws_launch_configuration" "workers" { resource "aws_launch_configuration" "workers" {
name_prefix = "${aws_eks_cluster.this.name}-${lookup(var.worker_groups[count.index], "name", count.index)}" name_prefix = "${aws_eks_cluster.this.name}-${lookup(var.worker_groups[count.index], "name", count.index)}"
associate_public_ip_address = "${lookup(var.worker_groups[count.index], "public_ip", lookup(local.workers_group_defaults, "public_ip"))}" associate_public_ip_address = "${lookup(var.worker_groups[count.index], "public_ip", lookup(local.workers_group_defaults, "public_ip"))}"
security_groups = ["${local.worker_security_group_id}"] security_groups = ["${local.worker_security_group_id}", "${var.worker_additional_security_group_ids}", "${compact(split(",",lookup(var.worker_groups[count.index],"additional_security_group_ids",lookup(local.workers_group_defaults, "additional_security_group_ids"))))}"]
iam_instance_profile = "${aws_iam_instance_profile.workers.id}" iam_instance_profile = "${aws_iam_instance_profile.workers.id}"
image_id = "${lookup(var.worker_groups[count.index], "ami_id", lookup(local.workers_group_defaults, "ami_id"))}" image_id = "${lookup(var.worker_groups[count.index], "ami_id", lookup(local.workers_group_defaults, "ami_id"))}"
instance_type = "${lookup(var.worker_groups[count.index], "instance_type", lookup(local.workers_group_defaults, "instance_type"))}" instance_type = "${lookup(var.worker_groups[count.index], "instance_type", lookup(local.workers_group_defaults, "instance_type"))}"