Update to use the Security Group module (cloudposse#138)
* Use Security Group module

* Use Security Group module

* Use Security Group module

* Use Security Group module

* Use Security Group module

* Use Security Group module

* Use Security Group module

* Use Security Group module
aknysh authored Dec 29, 2021
1 parent 4f0dc08 commit e738650
Showing 19 changed files with 277 additions and 158 deletions.
3 changes: 2 additions & 1 deletion .github/auto-release.yml
Expand Up @@ -17,6 +17,7 @@ version-resolver:
- 'bugfix'
- 'bug'
- 'hotfix'
- 'no-release'
default: 'minor'

categories:
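Review bot: 'no-release' is placed in the same version-resolver label list as 'bugfix', 'bug' and 'hotfix', but it says whether to publish, not how large the bump is, and nothing in the file explains why it belongs here. If the intent is to stop an unreleased PR from falling through to default: 'minor', add a one-line YAML comment above the entry saying so.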
Expand Down Expand Up @@ -46,7 +47,7 @@ template: |
replacers:
# Remove irrelevant information from Renovate bot
- search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
- search: '/(?<=---\s)\s*^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
replace: ''
# Remove Renovate bot banner image
- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
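Review bot: the rewritten Renovate search pattern has no comment or sample input showing what it is expected to match, and the move from (?<=---\s+)+ to (?<=---\s)\s* is subtle enough that the next edit could easily break it. Add a short comment above the entry describing the section being removed (the text after the "---" separator, from the "# ... Configuration" heading through "This PR has been generated"), and check the pattern against a real Renovate PR body, since this replacer silently rewrites release notes.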
3 changes: 1 addition & 2 deletions .github/workflows/auto-release.yml
Expand Up @@ -18,9 +18,8 @@ jobs:
github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
# Drafts your next Release notes as Pull Requests are merged into "main"
- uses: release-drafter/release-drafter@v5
if: "!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')"
with:
publish: true
publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}
prerelease: false
config-name: auto-release.yml
env:
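Review bot: in the new publish expression, contains() does substring matching when steps.get-merged-pull-request.outputs.labels is a string, so any label whose name merely includes 'no-release' would also suppress publishing. If that output is a JSON list, wrap it in fromJSON() so the match is on whole label names. Separately, with the step-level if removed, release-drafter now runs for 'no-release' PRs as well and only skips publishing; the comment above the step still describes drafting only, so it should mention that publishing is conditional on the label.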
2 changes: 1 addition & 1 deletion LICENSE
Expand Up @@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright 2018-2021 Cloud Posse, LLC
Copyright 2018-2022 Cloud Posse, LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
39 changes: 23 additions & 16 deletions README.md

Large diffs are not rendered by default.

15 changes: 10 additions & 5 deletions README.yaml
Expand Up @@ -46,8 +46,9 @@ related:
description: Terraform module for provisioning multiple general purpose EC2 hosts
for stateful applications
url: https://github.com/cloudposse/terraform-aws-ec2-instance-group
description: Terraform module to provision an [EKS](https://aws.amazon.com/eks/) cluster
on AWS.

description: Terraform module to provision an [EKS](https://aws.amazon.com/eks/) cluster on AWS.

introduction: |-
The module provisions the following resources:
Expand All @@ -60,6 +61,9 @@ introduction: |-
- The module creates and automatically applies an authentication ConfigMap to allow the workers nodes to join the cluster and to add additional users/roles/accounts
__NOTE:__ The module works with [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html).
__NOTE:__ Release `0.45.0` contains breaking changes that will result in the destruction of your existing EKS cluster.
To preserve the original cluster, follow the instructions in the [0.44.x to 0.45.x+ migration path](./docs/migration-0.44.x-0.45.x+.md).
__NOTE:__ Every Terraform module that provisions an EKS cluster has faced the challenge that access to the cluster
is partly controlled by a resource inside the cluster, a ConfigMap called `aws-auth`. You need to be able to access
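Review bot: the new 0.45.0 note is the only destructive warning in the introduction, yet it sits below the Terraform Cloud note and states unconditionally that the release "will result in the destruction of your existing EKS cluster", while the linked migration document says this happens only "without taking additional precautions". Move it to the top of the notes and align the wording with the migration document, so readers see that the cluster is preserved when the documented steps are followed.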
Expand Down Expand Up @@ -118,7 +122,7 @@ introduction: |-
Then run `terraform plan` again and you should see only your desired changes made "in place". After applying your
changes, if you want to set `kubernetes_config_map_ignore_role_changes` back to `true`, you will again need to use
`terraform state mv` to move the `auth-map` back to its old "address".
usage: |2-
For a complete example, see [examples/complete](examples/complete).
Expand Down Expand Up @@ -300,21 +304,22 @@ usage: |2-
context = module.label.context
}
```
include:
- docs/targets.md
- docs/terraform.md
contributors:
- name: Erik Osterman
homepage: https://github.com/osterman
avatar: http://s.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb?s=144
avatar: https://s.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb?s=144
github: osterman
- name: Andriy Knysh
homepage: https://github.com/aknysh/
avatar: https://avatars0.githubusercontent.com/u/7356997?v=4&u=ed9ce1c9151d552d985bdf5546772e14ef7ab617&s=144
github: aknysh
- name: Igor Rodionov
homepage: https://github.com/goruha/
avatar: http://s.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2?s=144
avatar: https://s.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2?s=144
github: goruha
- name: Oscar
homepage: https://github.com/osulli/
25 changes: 25 additions & 0 deletions docs/migration-0.44.x-0.45.x+.md
@@ -0,0 +1,25 @@
# Migration from 0.44.x to 0.45.x+

Version `0.45.0` of this module introduces breaking changes that, without taking additional precautions, will cause the EKS cluster to be recreated.

This is because version `0.45.0` relies on the [terraform-aws-security-group](https://github.com/cloudposse/terraform-aws-security-group)
module for managing the cluster Security Group. This changes the Terraform resource address for the Security Group, which will cause Terraform to recreate the SG.

To circumvent this, after bumping the module version to `0.45.0` (or above), run a plan to retrieve the resource address of the SG that Terraform would like to destroy, and the resource
address of the SG which Terraform would like to create.

First, make sure that the following variable is set:

```hcl
security_group_description = "Security Group for EKS cluster"
```

Setting `security_group_description` to its "legacy" value will keep the Security Group from being replaced, and hence the EKS cluster from being recreated.

Finally, change the resource address of the existing Security Group.

```bash
$ terraform state mv "...aws_security_group.default[0]" "...module.eks_cluster.aws_security_group.default[0]"
```

This will result in a Terraform apply that will only destroy SG Rules, but not the Security Group itself or the EKS cluster.
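Review bot: the destination address in the terraform state mv example, "...module.eks_cluster.aws_security_group.default[0]", contains no segment for the terraform-aws-security-group module that the text says now manages the cluster SG, so it is unclear that the example matches the address the plan will print. Show both addresses exactly as they appear in the plan output. The steps are also out of order: the text first says to run a plan after bumping the version, then continues with "First, make sure..." and "Finally...", so number them in the order they must be run. The last sentence says the apply "will only destroy SG Rules" without saying whether those rules are recreated in the same apply; state that explicitly, and recommend taking a state backup before the move.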