mirror of
https://github.com/ysoftdevs/terraform-aws-eks.git
synced 2026-01-19 01:57:35 +01:00
feat: Add support for networking ip_family which enables support for IPV6 (#1759)
This commit is contained in:
Bryant Biggs
@@ -6,6 +6,46 @@ locals {
|
||||
}
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# EKS IPV6 CNI Policy
|
||||
# TODO - hopefully AWS releases a managed policy which can replace this
|
||||
# https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
|
||||
################################################################################
|
||||
|
||||
data "aws_iam_policy_document" "cni_ipv6_policy" {
|
||||
count = var.create && var.create_cni_ipv6_iam_policy ? 1 : 0
|
||||
|
||||
statement {
|
||||
sid = "AssignDescribe"
|
||||
actions = [
|
||||
"ec2:AssignIpv6Addresses",
|
||||
"ec2:DescribeInstances",
|
||||
"ec2:DescribeTags",
|
||||
"ec2:DescribeNetworkInterfaces",
|
||||
"ec2:DescribeInstanceTypes"
|
||||
]
|
||||
resources = ["*"]
|
||||
}
|
||||
|
||||
statement {
|
||||
sid = "CreateTags"
|
||||
actions = ["ec2:CreateTags"]
|
||||
resources = ["arn:aws:ec2:*:*:network-interface/*"]
|
||||
}
|
||||
}
|
||||
|
||||
# Note - we are keeping this to a minimim in hopes that its soon replaced with an AWS managed policy like `AmazonEKS_CNI_Policy`
|
||||
resource "aws_iam_policy" "cni_ipv6_policy" {
|
||||
count = var.create && var.create_cni_ipv6_iam_policy ? 1 : 0
|
||||
|
||||
# Will cause conflicts if trying to create on multiple clusters but necessary to reference by exact name in sub-modules
|
||||
name = "AmazonEKS_CNI_IPv6_Policy"
|
||||
description = "IAM policy for EKS CNI to assign IPV6 addresses"
|
||||
policy = data.aws_iam_policy_document.cni_ipv6_policy[0].json
|
||||
|
||||
tags = var.tags
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# Node Security Group
|
||||
# Defaults follow https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html
|
||||
@@ -76,28 +116,31 @@ locals {
|
||||
self = true
|
||||
}
|
||||
egress_https = {
|
||||
description = "Egress all HTTPS to internet"
|
||||
protocol = "tcp"
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
type = "egress"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
description = "Egress all HTTPS to internet"
|
||||
protocol = "tcp"
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
type = "egress"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
|
||||
}
|
||||
egress_ntp_tcp = {
|
||||
description = "Egress NTP/TCP to internet"
|
||||
protocol = "tcp"
|
||||
from_port = 123
|
||||
to_port = 123
|
||||
type = "egress"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
description = "Egress NTP/TCP to internet"
|
||||
protocol = "tcp"
|
||||
from_port = 123
|
||||
to_port = 123
|
||||
type = "egress"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
|
||||
}
|
||||
egress_ntp_udp = {
|
||||
description = "Egress NTP/UDP to internet"
|
||||
protocol = "udp"
|
||||
from_port = 123
|
||||
to_port = 123
|
||||
type = "egress"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
description = "Egress NTP/UDP to internet"
|
||||
protocol = "udp"
|
||||
from_port = 123
|
||||
to_port = 123
|
||||
type = "egress"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -152,11 +195,12 @@ module "fargate_profile" {
|
||||
for_each = { for k, v in var.fargate_profiles : k => v if var.create }
|
||||
|
||||
# Fargate Profile
|
||||
cluster_name = aws_eks_cluster.this[0].name
|
||||
name = try(each.value.name, each.key)
|
||||
subnet_ids = try(each.value.subnet_ids, var.fargate_profile_defaults.subnet_ids, var.subnet_ids)
|
||||
selectors = try(each.value.selectors, var.fargate_profile_defaults.selectors, [])
|
||||
timeouts = try(each.value.timeouts, var.fargate_profile_defaults.timeouts, {})
|
||||
cluster_name = aws_eks_cluster.this[0].name
|
||||
cluster_ip_family = var.cluster_ip_family
|
||||
name = try(each.value.name, each.key)
|
||||
subnet_ids = try(each.value.subnet_ids, var.fargate_profile_defaults.subnet_ids, var.subnet_ids)
|
||||
selectors = try(each.value.selectors, var.fargate_profile_defaults.selectors, [])
|
||||
timeouts = try(each.value.timeouts, var.fargate_profile_defaults.timeouts, {})
|
||||
|
||||
# IAM role
|
||||
create_iam_role = try(each.value.create_iam_role, var.fargate_profile_defaults.create_iam_role, true)
|
||||
@@ -167,6 +211,7 @@ module "fargate_profile" {
|
||||
iam_role_description = try(each.value.iam_role_description, var.fargate_profile_defaults.iam_role_description, "Fargate profile IAM role")
|
||||
iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.fargate_profile_defaults.iam_role_permissions_boundary, null)
|
||||
iam_role_tags = try(each.value.iam_role_tags, var.fargate_profile_defaults.iam_role_tags, {})
|
||||
iam_role_attach_cni_policy = try(each.value.iam_role_attach_cni_policy, var.fargate_profile_defaults.iam_role_attach_cni_policy, true)
|
||||
iam_role_additional_policies = try(each.value.iam_role_additional_policies, var.fargate_profile_defaults.iam_role_additional_policies, [])
|
||||
|
||||
tags = merge(var.tags, try(each.value.tags, var.fargate_profile_defaults.tags, {}))
|
||||
@@ -184,6 +229,7 @@ module "eks_managed_node_group" {
|
||||
cluster_name = aws_eks_cluster.this[0].name
|
||||
cluster_version = try(each.value.cluster_version, var.eks_managed_node_group_defaults.cluster_version, var.cluster_version)
|
||||
cluster_security_group_id = local.cluster_security_group_id
|
||||
cluster_ip_family = var.cluster_ip_family
|
||||
|
||||
# EKS Managed Node Group
|
||||
name = try(each.value.name, each.key)
|
||||
@@ -260,6 +306,7 @@ module "eks_managed_node_group" {
|
||||
iam_role_description = try(each.value.iam_role_description, var.eks_managed_node_group_defaults.iam_role_description, "EKS managed node group IAM role")
|
||||
iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.eks_managed_node_group_defaults.iam_role_permissions_boundary, null)
|
||||
iam_role_tags = try(each.value.iam_role_tags, var.eks_managed_node_group_defaults.iam_role_tags, {})
|
||||
iam_role_attach_cni_policy = try(each.value.iam_role_attach_cni_policy, var.eks_managed_node_group_defaults.iam_role_attach_cni_policy, true)
|
||||
iam_role_additional_policies = try(each.value.iam_role_additional_policies, var.eks_managed_node_group_defaults.iam_role_additional_policies, [])
|
||||
|
||||
# Security group
|
||||
@@ -283,7 +330,8 @@ module "self_managed_node_group" {
|
||||
|
||||
for_each = { for k, v in var.self_managed_node_groups : k => v if var.create }
|
||||
|
||||
cluster_name = aws_eks_cluster.this[0].name
|
||||
cluster_name = aws_eks_cluster.this[0].name
|
||||
cluster_ip_family = var.cluster_ip_family
|
||||
|
||||
# Autoscaling Group
|
||||
name = try(each.value.name, each.key)
|
||||
|
||||
Reference in New Issue
Block a user