Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Security Group rules #186

Merged
merged 4 commits into from
May 24, 2023
Merged

Update Security Group rules #186

merged 4 commits into from
May 24, 2023

Conversation

aknysh
Copy link
Member

@aknysh aknysh commented May 21, 2023
edited
Loading

what

  • Update Security Group rules

why

  • This module can create an additional Security Group for the EKS cluster for backwards compatibility if you are updating this module to the latest version on existing clusters
  • If the cluster was created using an older version of the module, EKS did not create a managed cluster Security Group at the time, and the the cluster Security Group was the additional Security Group
  • This additional Security Group is returned from the expression one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
  • When the module tries to create resource "aws_security_group_rule" "managed_ingress_cidr_blocks" to add the allowed ingress CIDR blocks, the following error is thrown
 Error: [WARN] A duplicate Security Group rule was found on (sg-xxxxxxxxx). This may be
│ a side effect of a now-fixed Terraform issue causing two security groups with
│ identical attributes but different source_security_group_ids to overwrite each
│ other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
│ information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule "peer: 10.222.0.0/16, ALL, ALLOW" already exists
│ 	status code: 400, request id: 7065e36d-ffca-4540-8e43-ed75d94d752e
│
│   with module.eks_cluster.aws_security_group_rule.managed_ingress_cidr_blocks[0],
│   on .terraform/modules/eks_cluster/security-group.tf line 17, in resource "aws_security_group_rule" "managed_ingress_cidr_blocks":
│   17: resource "aws_security_group_rule" "managed_ingress_cidr_blocks" {
  • This PR adds a variable managed_security_group_rules_enabled. For the very old clusters (which use the custom SG as the main cluster SG), set the variable to false to not add the SG rules to it (since the SG is the custom SG to which the module adds the same rules anyway)

@aknysh aknysh added the patch A minor, backward compatible change label May 21, 2023
@aknysh aknysh requested a review from Nuru May 21, 2023 23:00
@aknysh aknysh self-assigned this May 21, 2023
@aknysh aknysh requested review from a team as code owners May 21, 2023 23:00
@aknysh aknysh requested review from Gowiem and joe-niland May 21, 2023 23:00
@aknysh
Copy link
Member Author

aknysh commented May 21, 2023

/terratest

bridgecrew[bot]
bridgecrew bot reviewed May 21, 2023
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found errors in this PR ⬇️

security-group.tf Show resolved Hide resolved
security-group.tf Show resolved Hide resolved
security-group.tf Show resolved Hide resolved
security-group.tf Show resolved Hide resolved
@aknysh aknysh changed the title Update Security Group Update Security Group rules May 21, 2023
Nuru
Nuru requested changes May 23, 2023
View reviewed changes
Copy link
Sponsor Contributor

@Nuru Nuru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is wrong and should not be merged.

This attempts to solve a problem for old EKS clusters, but does it in a way that potentially causes problems for new EKS clusters, by not modifying the default EKS cluster Security Group, which risks regressing on #80.

It is a good attempt, but I do not think there is a good way to modify this module to support old EKS clusters. I think, instead, people with old clusters, where the only Security Group for the cluster is the one this module created, should migrate by removing the security group from their Terraform state, and letting it behave as if it were created by EKS. Yes, it will leave the SG dangling when the cluster is deleted, but if deleting the cluster were an option then that is the better path forward anyway, so we can expect that the dangling Security Group will not be a problem, and can be manually deleted when the time comes.

@aknysh aknysh requested a review from Nuru May 23, 2023 14:02
bridgecrew[bot]
bridgecrew bot reviewed May 23, 2023
View reviewed changes
security-group.tf Outdated Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed May 23, 2023
View reviewed changes
security-group.tf Outdated Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed May 23, 2023
View reviewed changes
security-group.tf Outdated Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed May 23, 2023
View reviewed changes
security-group.tf Outdated Show resolved Hide resolved
@aknysh
Copy link
Member Author

aknysh commented May 23, 2023
edited
Loading

I think this is wrong and should not be merged.

This attempts to solve a problem for old EKS clusters, but does it in a way that potentially causes problems for new EKS clusters, by not modifying the default EKS cluster Security Group, which risks regressing on #80.

It is a good attempt, but I do not think there is a good way to modify this module to support old EKS clusters. I think, instead, people with old clusters, where the only Security Group for the cluster is the one this module created, should migrate by removing the security group from their Terraform state, and letting it behave as if it were created by EKS. Yes, it will leave the SG dangling when the cluster is deleted, but if deleting the cluster were an option then that is the better path forward anyway, so we can expect that the dangling Security Group will not be a problem, and can be manually deleted when the time comes.

I've updated the PR and added this variable

variable "managed_security_group_rules_enabled" {
  type        = bool
  description = "Flag to enable/disable the ingress and egress rules for the EKS managed Security Group"
  default     = true
}

with the default values set to true so it does not affect anything at all for both new clusters and old cluster.
But for the very old clusters (created when EKS did not create manages SG), setting managed_security_group_rules_enabled to false will allow to move forward and use the latest module version with the very old clusters.

@aknysh
Copy link
Member Author

aknysh commented May 23, 2023

/terratest

@aknysh
Copy link
Member Author

aknysh commented May 23, 2023

/terratest

@aknysh aknysh merged commit c8a4adf into main May 24, 2023
@aknysh aknysh deleted the fix-security-group-1 branch May 24, 2023 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bridgecrew Bridgecrew Bridgecrew left review comments

@Nuru Nuru Nuru approved these changes

@Gowiem Gowiem Awaiting requested review from Gowiem Gowiem is a code owner automatically assigned from cloudposse/contributors

@joe-niland joe-niland Awaiting requested review from joe-niland joe-niland is a code owner automatically assigned from cloudposse/contributors

Assignees

@aknysh aknysh

Labels
patch A minor, backward compatible change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aknysh @Nuru