Update Security Group rules #186
Conversation
/terratest
Bridgecrew has found errors in this PR ⬇️
I think this is wrong and should not be merged.
This attempts to solve a problem for old EKS clusters, but does it in a way that potentially causes problems for new EKS clusters, by not modifying the default EKS cluster Security Group, which risks regressing on #80.
It is a good attempt, but I do not think there is a good way to modify this module to support old EKS clusters. I think, instead, people with old clusters, where the only Security Group for the cluster is the one this module created, should migrate by removing the security group from their Terraform state, and letting it behave as if it were created by EKS. Yes, it will leave the SG dangling when the cluster is deleted, but if deleting the cluster were an option then that is the better path forward anyway, so we can expect that the dangling Security Group will not be a problem, and can be manually deleted when the time comes.
I've updated the PR and added this variable:

```hcl
variable "managed_security_group_rules_enabled" {
  type        = bool
  description = "Flag to enable/disable the ingress and egress rules for the EKS managed Security Group"
  default     = true
}
```

with the default value set to
what
- Add the variable `managed_security_group_rules_enabled`. For the very old clusters (which use the custom SG as the main cluster SG), set the variable to `false` to not add the SG rules to it (since the SG is the custom SG to which the module adds the same rules anyway).
why
- Using `one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)` in `resource "aws_security_group_rule" "managed_ingress_cidr_blocks"` to add the allowed ingress CIDR blocks, the following error is thrown
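The following is an added example, not the module's own code, of how the variable described in this PR can gate the rules the module attaches to the EKS-managed cluster Security Group, with the Security Group id taken from the `one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)` expression named above. Only `managed_security_group_rules_enabled` and the resource name `managed_ingress_cidr_blocks` come from the PR; the input variables `enabled`, `allowed_cidr_blocks` and `allowed_security_groups`, the locals, the second rule resource and the port are assumptions made for illustration.

```hcl
# Added example (not the module's own code). Assumed names: var.enabled,
# var.allowed_cidr_blocks, var.allowed_security_groups, local.*, and the
# aws_security_group_rule "managed_ingress_security_groups" resource.

variable "enabled" {
  type        = bool
  description = "Set to false to prevent the module from creating any resources"
  default     = true
}

variable "managed_security_group_rules_enabled" {
  type        = bool
  description = "Flag to enable/disable the ingress and egress rules for the EKS managed Security Group"
  default     = true
}

variable "allowed_cidr_blocks" {
  type        = list(string)
  description = "CIDR blocks allowed to reach the Kubernetes API (assumed input)"
  default     = []
}

variable "allowed_security_groups" {
  type        = list(string)
  description = "Security Group IDs allowed to reach the Kubernetes API (assumed input)"
  default     = []
}

locals {
  # Rules on the EKS-managed SG are created only when the module is enabled
  # and the caller has not opted out. Very old clusters, whose main cluster SG
  # is the custom SG this module created (and to which the module already adds
  # the same rules), set managed_security_group_rules_enabled = false.
  managed_sg_rules_enabled = var.enabled && var.managed_security_group_rules_enabled

  # aws_eks_cluster.default is assumed to use count, so the splat yields a
  # zero- or one-element list; one() reduces it to a single id, or null when
  # the cluster is not created.
  eks_cluster_managed_security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
}

resource "aws_security_group_rule" "managed_ingress_cidr_blocks" {
  # The length() check avoids creating a rule with an empty cidr_blocks list,
  # which the AWS provider rejects at apply time.
  count             = local.managed_sg_rules_enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
  description       = "Allow inbound traffic from CIDR blocks to the Kubernetes API"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.allowed_cidr_blocks
  security_group_id = local.eks_cluster_managed_security_group_id
}

resource "aws_security_group_rule" "managed_ingress_security_groups" {
  # One rule per allowed Security Group; zero rules when the flag is off.
  count                    = local.managed_sg_rules_enabled ? length(var.allowed_security_groups) : 0
  description              = "Allow inbound traffic from an allowed Security Group to the Kubernetes API"
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = var.allowed_security_groups[count.index]
  security_group_id        = local.eks_cluster_managed_security_group_id
}
```

Two checks worth running before merging something like this: `terraform plan` against an existing new-style cluster with the flag left at its default must show no destroy of rules on the EKS-managed SG (the regression the reviewer is worried about), and a plan with `managed_security_group_rules_enabled = false` must remove only the rules on the managed SG, leaving the custom SG and its rules untouched.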