github-mirrors/terraform-aws-eks
1
0
Fork 0
mirror of https://github.com/ysoftdevs/terraform-aws-eks.git synced 2026-04-18 14:59:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow additional security groups to be included in worker launch configurations (#112)

Browse Source 
* Allow additional security groups to be included for all workers and each worker group #47

* update changelog with reference to issue and be more descriptive

* Update CHANGELOG.md

* address pr comments and rebase

* rebase

* fix bug introduced by PR#115 that sets the AMI id to the default value of "" always

* rebase

* align default value of additional_security_group_ids to be pulled from local var workers_group_defaults_defaults
This commit is contained in:
mr-joshua
2018-09-04 10:09:24 -05:00
committed by Max Williams
parent da6ff7d151
commit 0180644770
6 changed files with 99 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -10,7 +10,9 @@ project adheres to [Semantic Versioning](http://semver.org/).
### Added ### Added
- add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks) - add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks)
- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks) - expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks)
- add optional input `worker_additional_security_group_ids` to allow one or more additional security groups to be added to all worker launch configurations - #47 (by @hhobbsh @mr-joshua)
- add optional input `additional_security_group_ids` to allow one or more additional security groups to be added to a specific worker launch configuration - #47 (by @mr-joshua)
### Changed ### Changed

1
README.md
View File

@@ -114,6 +114,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
| subnets | A list of subnets to place the EKS cluster and workers within. | list | - | yes | | subnets | A list of subnets to place the EKS cluster and workers within. | list | - | yes |
| tags | A map of tags to add to all resources. | map | `<map>` | no | | tags | A map of tags to add to all resources. | map | `<map>` | no |
| vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes | | vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes |
| worker_additional_security_group_ids | A list of additional security group ids to attach to worker instances | list | `<list>` | no |
| worker_group_count | The number of maps contained within the worker_groups list. | string | `1` | no | | worker_group_count | The number of maps contained within the worker_groups list. | string | `1` | no |
| worker_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `<list>` | no | | worker_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `<list>` | no |
| worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no | | worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |

82
examples/eks_test_fixture/main.tf
View File

@@ -36,10 +36,15 @@ locals {
# )}" # )}"
worker_groups = "${list( worker_groups = "${list(
map("instance_type","t2.small", map("instance_type","t2.small",
"additional_userdata","echo foo bar", "additional_userdata","echo foo bar",
"subnets", "${join(",", module.vpc.private_subnets)}", "subnets", "${join(",", module.vpc.private_subnets)}",
), ),
map("instance_type","t2.small",
"additional_userdata","echo foo bar",
"subnets", "${join(",", module.vpc.private_subnets)}",
"additional_security_group_ids", "${aws_security_group.worker_group_mgmt_one.id},${aws_security_group.worker_group_mgmt_two.id}"
)
)}" )}"
tags = "${map("Environment", "test", tags = "${map("Environment", "test",
"GithubRepo", "terraform-aws-eks", "GithubRepo", "terraform-aws-eks",
@@ -53,6 +58,54 @@ resource "random_string" "suffix" {
special = false special = false
} }
resource "aws_security_group" "worker_group_mgmt_one" {
name_prefix = "worker_group_mgmt_one"
description = "SG to be applied to all *nix machines"
vpc_id = "${module.vpc.vpc_id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
]
}
}
resource "aws_security_group" "worker_group_mgmt_two" {
name_prefix = "worker_group_mgmt_two"
vpc_id = "${module.vpc.vpc_id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"192.168.0.0/16",
]
}
}
resource "aws_security_group" "all_worker_mgmt" {
name_prefix = "all_worker_management"
vpc_id = "${module.vpc.vpc_id}"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
]
}
}
module "vpc" { module "vpc" {
source = "terraform-aws-modules/vpc/aws" source = "terraform-aws-modules/vpc/aws"
version = "1.14.0" version = "1.14.0"
@@ -67,14 +120,15 @@ module "vpc" {
} }
module "eks" { module "eks" {
source = "../.." source = "../.."
cluster_name = "${local.cluster_name}" cluster_name = "${local.cluster_name}"
subnets = ["${module.vpc.private_subnets}"] subnets = ["${module.vpc.private_subnets}"]
tags = "${local.tags}" tags = "${local.tags}"
vpc_id = "${module.vpc.vpc_id}" vpc_id = "${module.vpc.vpc_id}"
worker_groups = "${local.worker_groups}" worker_groups = "${local.worker_groups}"
worker_group_count = "1" worker_group_count = "2"
map_roles = "${var.map_roles}" worker_additional_security_group_ids = ["${aws_security_group.all_worker_mgmt.id}"]
map_users = "${var.map_users}" map_roles = "${var.map_roles}"
map_accounts = "${var.map_accounts}" map_users = "${var.map_users}"
map_accounts = "${var.map_accounts}"
} }

39
local.tf
View File

@@ -9,25 +9,26 @@ locals {
kubeconfig_name = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}" kubeconfig_name = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
workers_group_defaults_defaults = { workers_group_defaults_defaults = {
name = "count.index" # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used. name = "count.index" # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used.
ami_id = "${data.aws_ami.eks_worker.id}" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI. ami_id = "${data.aws_ami.eks_worker.id}" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI.
asg_desired_capacity = "1" # Desired worker capacity in the autoscaling group. asg_desired_capacity = "1" # Desired worker capacity in the autoscaling group.
asg_max_size = "3" # Maximum worker capacity in the autoscaling group. asg_max_size = "3" # Maximum worker capacity in the autoscaling group.
asg_min_size = "1" # Minimum worker capacity in the autoscaling group. asg_min_size = "1" # Minimum worker capacity in the autoscaling group.
instance_type = "m4.large" # Size of the workers instances. instance_type = "m4.large" # Size of the workers instances.
spot_price = "" # Cost of spot instance. spot_price = "" # Cost of spot instance.
root_volume_size = "100" # root volume size of workers instances. root_volume_size = "100" # root volume size of workers instances.
root_volume_type = "gp2" # root volume type of workers instances, can be 'standard', 'gp2', or 'io1' root_volume_type = "gp2" # root volume type of workers instances, can be 'standard', 'gp2', or 'io1'
root_iops = "0" # The amount of provisioned IOPS. This must be set with a volume_type of "io1". root_iops = "0" # The amount of provisioned IOPS. This must be set with a volume_type of "io1".
key_name = "" # The key name that should be used for the instances in the autoscaling group key_name = "" # The key name that should be used for the instances in the autoscaling group
pre_userdata = "" # userdata to pre-append to the default userdata. pre_userdata = "" # userdata to pre-append to the default userdata.
additional_userdata = "" # userdata to append to the default userdata. additional_userdata = "" # userdata to append to the default userdata.
ebs_optimized = true # sets whether to use ebs optimization on supported types. ebs_optimized = true # sets whether to use ebs optimization on supported types.
enable_monitoring = true # Enables/disables detailed monitoring. enable_monitoring = true # Enables/disables detailed monitoring.
public_ip = false # Associate a public ip address with a worker public_ip = false # Associate a public ip address with a worker
kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints. kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints.
subnets = "" # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789 subnets = "" # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789
autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling. autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling.
additional_security_group_ids = "" # A comman delimited list of additional security group ids to include in worker launch config
} }
workers_group_defaults = "${merge(local.workers_group_defaults_defaults, var.workers_group_defaults)}" workers_group_defaults = "${merge(local.workers_group_defaults_defaults, var.workers_group_defaults)}"

6
variables.tf
View File

@@ -91,6 +91,12 @@ variable "worker_security_group_id" {
default = "" default = ""
} }
variable "worker_additional_security_group_ids" {
description = "A list of additional security group ids to attach to worker instances"
type = "list"
default = []
}
variable "worker_sg_ingress_from_port" { variable "worker_sg_ingress_from_port" {
description = "Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443)." description = "Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443)."
default = "1025" default = "1025"

2
workers.tf
View File

@@ -24,7 +24,7 @@ resource "aws_autoscaling_group" "workers" {
resource "aws_launch_configuration" "workers" { resource "aws_launch_configuration" "workers" {
name_prefix = "${aws_eks_cluster.this.name}-${lookup(var.worker_groups[count.index], "name", count.index)}" name_prefix = "${aws_eks_cluster.this.name}-${lookup(var.worker_groups[count.index], "name", count.index)}"
associate_public_ip_address = "${lookup(var.worker_groups[count.index], "public_ip", lookup(local.workers_group_defaults, "public_ip"))}" associate_public_ip_address = "${lookup(var.worker_groups[count.index], "public_ip", lookup(local.workers_group_defaults, "public_ip"))}"
security_groups = ["${local.worker_security_group_id}"] security_groups = ["${local.worker_security_group_id}", "${var.worker_additional_security_group_ids}", "${compact(split(",",lookup(var.worker_groups[count.index],"additional_security_group_ids",lookup(local.workers_group_defaults, "additional_security_group_ids"))))}"]
iam_instance_profile = "${aws_iam_instance_profile.workers.id}" iam_instance_profile = "${aws_iam_instance_profile.workers.id}"
image_id = "${lookup(var.worker_groups[count.index], "ami_id", lookup(local.workers_group_defaults, "ami_id"))}" image_id = "${lookup(var.worker_groups[count.index], "ami_id", lookup(local.workers_group_defaults, "ami_id"))}"
instance_type = "${lookup(var.worker_groups[count.index], "instance_type", lookup(local.workers_group_defaults, "instance_type"))}" instance_type = "${lookup(var.worker_groups[count.index], "instance_type", lookup(local.workers_group_defaults, "instance_type"))}"