Skip to content

Commit

Permalink
Update Security Group (cloudposse#141)
Browse files Browse the repository at this point in the history
* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Auto Format

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Udate Security Group

* Update docs/migration-0.45.x+.md

Co-authored-by: nitrocode <[email protected]>

* Udate Security Group

Co-authored-by: cloudpossebot <[email protected]>
Co-authored-by: nitrocode <[email protected]>
  • Loading branch information
3 people authored Jan 8, 2022
1 parent e738650 commit b745ed1
Show file tree
Hide file tree
Showing 16 changed files with 309 additions and 299 deletions.
42 changes: 21 additions & 21 deletions README.md

Large diffs are not rendered by default.

145 changes: 75 additions & 70 deletions README.yaml
Original file line number Diff line number Diff line change
@@ -1,51 +1,55 @@
name: terraform-aws-eks-cluster

license: APACHE2

github_repo: cloudposse/terraform-aws-eks-cluster

badges:
- name: Latest Release
image: https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg
url: https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest
- name: Slack Community
image: https://slack.cloudposse.com/badge.svg
url: https://slack.cloudposse.com
- name: Latest Release
image: https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg
url: https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest
- name: Slack Community
image: https://slack.cloudposse.com/badge.svg
url: https://slack.cloudposse.com

related:
- name: terraform-aws-eks-workers
description: Terraform module to provision an AWS AutoScaling Group, IAM Role, and
Security Group for EKS Workers
url: https://github.com/cloudposse/terraform-aws-eks-workers
- name: terraform-aws-ec2-autoscale-group
description: Terraform module to provision Auto Scaling Group and Launch Template
on AWS
url: https://github.com/cloudposse/terraform-aws-ec2-autoscale-group
- name: terraform-aws-ecs-container-definition
description: Terraform module to generate well-formed JSON documents (container
definitions) that are passed to the aws_ecs_task_definition Terraform resource
url: https://github.com/cloudposse/terraform-aws-ecs-container-definition
- name: terraform-aws-ecs-alb-service-task
description: Terraform module which implements an ECS service which exposes a web
service via ALB
url: https://github.com/cloudposse/terraform-aws-ecs-alb-service-task
- name: terraform-aws-ecs-web-app
description: Terraform module that implements a web app on ECS and supports autoscaling,
CI/CD, monitoring, ALB integration, and much more
url: https://github.com/cloudposse/terraform-aws-ecs-web-app
- name: terraform-aws-ecs-codepipeline
description: Terraform module for CI/CD with AWS Code Pipeline and Code Build for
ECS
url: https://github.com/cloudposse/terraform-aws-ecs-codepipeline
- name: terraform-aws-ecs-cloudwatch-autoscaling
description: Terraform module to autoscale ECS Service based on CloudWatch metrics
url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-autoscaling
- name: terraform-aws-ecs-cloudwatch-sns-alarms
description: Terraform module to create CloudWatch Alarms on ECS Service level metrics
url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-sns-alarms
- name: terraform-aws-ec2-instance
description: Terraform module for providing a general purpose EC2 instance
url: https://github.com/cloudposse/terraform-aws-ec2-instance
- name: terraform-aws-ec2-instance-group
description: Terraform module for provisioning multiple general purpose EC2 hosts
for stateful applications
url: https://github.com/cloudposse/terraform-aws-ec2-instance-group
- name: terraform-aws-eks-workers
description: Terraform module to provision an AWS AutoScaling Group, IAM Role, and
Security Group for EKS Workers
url: https://github.com/cloudposse/terraform-aws-eks-workers
- name: terraform-aws-ec2-autoscale-group
description: Terraform module to provision Auto Scaling Group and Launch Template
on AWS
url: https://github.com/cloudposse/terraform-aws-ec2-autoscale-group
- name: terraform-aws-ecs-container-definition
description: Terraform module to generate well-formed JSON documents (container
definitions) that are passed to the aws_ecs_task_definition Terraform resource
url: https://github.com/cloudposse/terraform-aws-ecs-container-definition
- name: terraform-aws-ecs-alb-service-task
description: Terraform module which implements an ECS service which exposes a web
service via ALB
url: https://github.com/cloudposse/terraform-aws-ecs-alb-service-task
- name: terraform-aws-ecs-web-app
description: Terraform module that implements a web app on ECS and supports autoscaling,
CI/CD, monitoring, ALB integration, and much more
url: https://github.com/cloudposse/terraform-aws-ecs-web-app
- name: terraform-aws-ecs-codepipeline
description: Terraform module for CI/CD with AWS Code Pipeline and Code Build for
ECS
url: https://github.com/cloudposse/terraform-aws-ecs-codepipeline
- name: terraform-aws-ecs-cloudwatch-autoscaling
description: Terraform module to autoscale ECS Service based on CloudWatch metrics
url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-autoscaling
- name: terraform-aws-ecs-cloudwatch-sns-alarms
description: Terraform module to create CloudWatch Alarms on ECS Service level metrics
url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-sns-alarms
- name: terraform-aws-ec2-instance
description: Terraform module for providing a general purpose EC2 instance
url: https://github.com/cloudposse/terraform-aws-ec2-instance
- name: terraform-aws-ec2-instance-group
description: Terraform module for provisioning multiple general purpose EC2 hosts
for stateful applications
url: https://github.com/cloudposse/terraform-aws-ec2-instance-group

description: Terraform module to provision an [EKS](https://aws.amazon.com/eks/) cluster on AWS.

Expand All @@ -62,8 +66,8 @@ introduction: |-
__NOTE:__ The module works with [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html).
__NOTE:__ Release `0.45.0` contains breaking changes that will result in the destruction of your existing EKS cluster.
To preserve the original cluster, follow the instructions in the [0.44.x to 0.45.x+ migration path](./docs/migration-0.44.x-0.45.x+.md).
__NOTE:__ Release `0.45.0` contains some changes that could result in the destruction of your existing EKS cluster.
To circumvent this, follow the instructions in the [0.45.x+ migration path](./docs/migration-0.45.x+.md).
__NOTE:__ Every Terraform module that provisions an EKS cluster has faced the challenge that access to the cluster
is partly controlled by a resource inside the cluster, a ConfigMap called `aws-auth`. You need to be able to access
Expand Down Expand Up @@ -173,7 +177,7 @@ usage: |2-
source = "cloudposse/dynamic-subnets/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
availability_zones = var.availability_zones
vpc_id = module.vpc.vpc_id
igw_id = module.vpc.igw_id
Expand All @@ -189,7 +193,7 @@ usage: |2-
source = "cloudposse/eks-node-group/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
instance_types = [var.instance_type]
subnet_ids = module.subnets.public_subnet_ids
health_check_type = var.health_check_type
Expand All @@ -201,7 +205,7 @@ usage: |2-
cluster_autoscaler_enabled = var.autoscaling_policies_enabled
context = module.label.context
# Ensure the cluster is fully created before trying to add the node group
module_depends_on = module.eks_cluster.kubernetes_config_map_id
}
Expand All @@ -221,7 +225,7 @@ usage: |2-
}
```
Module usage with two worker groups:
Module usage with two unmanaged worker groups:
```hcl
locals {
Expand Down Expand Up @@ -256,7 +260,7 @@ usage: |2-
autoscaling_policies_enabled = var.autoscaling_policies_enabled
cpu_utilization_high_threshold_percent = var.cpu_utilization_high_threshold_percent
cpu_utilization_low_threshold_percent = var.cpu_utilization_low_threshold_percent
context = module.label.context
}
Expand Down Expand Up @@ -299,29 +303,30 @@ usage: |2-
oidc_provider_enabled = false
workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn]
workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
allowed_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
context = module.label.context
}
```
include:
- docs/targets.md
- docs/terraform.md
- docs/targets.md
- docs/terraform.md

contributors:
- name: Erik Osterman
homepage: https://github.com/osterman
avatar: https://s.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb?s=144
github: osterman
- name: Andriy Knysh
homepage: https://github.com/aknysh/
avatar: https://avatars0.githubusercontent.com/u/7356997?v=4&u=ed9ce1c9151d552d985bdf5546772e14ef7ab617&s=144
github: aknysh
- name: Igor Rodionov
homepage: https://github.com/goruha/
avatar: https://s.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2?s=144
github: goruha
- name: Oscar
homepage: https://github.com/osulli/
avatar: https://avatars1.githubusercontent.com/u/46930728?v=4&s=144
github: osulli
- name: Erik Osterman
homepage: https://github.com/osterman
avatar: https://s.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb?s=144
github: osterman
- name: Andriy Knysh
homepage: https://github.com/aknysh/
avatar: https://avatars0.githubusercontent.com/u/7356997?v=4&u=ed9ce1c9151d552d985bdf5546772e14ef7ab617&s=144
github: aknysh
- name: Igor Rodionov
homepage: https://github.com/goruha/
avatar: https://s.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2?s=144
github: goruha
- name: Oscar
homepage: https://github.com/osulli/
avatar: https://avatars1.githubusercontent.com/u/46930728?v=4&s=144
github: osulli
25 changes: 0 additions & 25 deletions docs/migration-0.44.x-0.45.x+.md

This file was deleted.

47 changes: 47 additions & 0 deletions docs/migration-0.45.x+.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Migration to 0.45.x+

Version `0.45.0` of this module introduces potential breaking changes that, without taking additional precautions, could cause the EKS cluster to be recreated.

## Background

This module creates an EKS cluster, which automatically creates an EKS-managed Security Group in which all managed nodes are placed automatically by EKS, and unmanaged nodes could be placed
by the user, to ensure the nodes and control plane can communicate.

Before version `0.45.0`, this module, by default, created an additional Security Group. Prior to version `0.19.0` of this module, that additional Security Group was the only one exposed by
this module (because EKS at the time did not create the managed Security Group for the cluster), and it was intended that all worker nodes (managed and unmanaged) be placed in this
additional Security Group. With version `0.19.0`, this module exposed the managed Security Group created by the EKS cluster, in which all managed node groups are placed by default. We now
recommend placing non-managed node groups in the EKS-created Security Group as well by using the `allowed_security_group_ids` variable, and not create an additional Security Group.

See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html for more details.

## Migration process

If you are deploying a new EKS cluster with this module, no special steps need to be taken. Just keep the variable `create_security_group` set to `false` to not create an additional Security
Group. Don't use the deprecated variables (see `variables-deprecated.tf`).

If you are updating this module to the latest version on existing (already deployed) EKS clusters, set the variable `create_security_group` to `true` to enable the additional Security Group
and all the rules (which were enabled by default in the previous releases of this module).

## Deprecated variables

Some variables have been deprecated (see `variables-deprecated.tf`), don't use them when creating new EKS clusters.

- Use `allowed_security_group_ids` instead of `allowed_security_groups` and `workers_security_group_ids`

- When using unmanaged worker nodes (e.g. with https://github.com/cloudposse/terraform-aws-eks-workers module), provide the worker nodes Security Groups to the cluster using
the `allowed_security_group_ids` variable, for example:

```hcl
module "eks_workers" {
source = "cloudposse/eks-workers/aws"
}
module "eks_workers_2" {
source = "cloudposse/eks-workers/aws"
}
module "eks_cluster" {
source = "cloudposse/eks-cluster/aws"
allowed_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
}
```
Loading

0 comments on commit b745ed1

Please sign in to comment.