Fix Network Security Group Gameserver rule not applied on AKS cluster

[WeetA34]

/kind cleanup

What this PR does / Why we need it:
Hello

This PR fixes AKS gameserver network security rule not added to the effective AKS node pool network security group.

AKS install terraform included a network security group and two network security rules which were not used.
This PR follows AKS create cluster documentation by adding the incoming gameserver security rule to the aks-agentpool-******-nsg network security group

Regards

[google-cla]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[WeetA34]

@googlebot I signed it!

[google-cla]

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

[agones-bot]

Build Succeeded 👏

Build Id: d0cdfe57-5bfe-427e-94fb-8601c641113e

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.15.0-132ff85
• image: gcr.io/agones-images/agones-ping:1.15.0-132ff85
• Linux C++ SDK (build): agonessdk-1.15.0-132ff85-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.15.0-132ff85.zip

A preview of the website (the last 30 builds are retained):

• https://132ff85-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2124/head:pr_2124 && git checkout pr_2124
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.15.0-132ff85

[WeetA34]

@googlebot I signed it!

[google-cla]

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

[WeetA34]

@googlebot I signed it!

[agones-bot]

Build Succeeded 👏

Build Id: c4c7dbcc-d720-4b3d-903e-d7e8e726c1ca

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.15.0-e62bfcf
• image: gcr.io/agones-images/agones-ping:1.15.0-e62bfcf
• Linux C++ SDK (build): agonessdk-1.15.0-e62bfcf-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.15.0-e62bfcf.zip

A preview of the website (the last 30 builds are retained):

• https://e62bfcf-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2124/head:pr_2124 && git checkout pr_2124
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.15.0-e62bfcf

[agones-bot]

Build Succeeded 👏

Build Id: cc72d086-9547-49ef-96b2-52ee35ec3eb3

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.15.0-3f5a491
• image: gcr.io/agones-images/agones-ping:1.15.0-3f5a491
• Linux C++ SDK (build): agonessdk-1.15.0-3f5a491-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.15.0-3f5a491.zip

A preview of the website (the last 30 builds are retained):

• https://3f5a491-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2124/head:pr_2124 && git checkout pr_2124
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.15.0-3f5a491

[agones-bot]

Build Succeeded 👏

Build Id: a27a3d9c-bd99-4d62-8c98-8e85faf0f222

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.15.0-7da58f5
• image: gcr.io/agones-images/agones-ping:1.15.0-7da58f5
• Linux C++ SDK (build): agonessdk-1.15.0-7da58f5-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.15.0-7da58f5.zip

A preview of the website (the last 30 builds are retained):

• https://7da58f5-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2124/head:pr_2124 && git checkout pr_2124
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.15.0-7da58f5

[google-oss-robot]

@dzmitry-lahoda: changing LGTM is restricted to collaborators

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[WeetA34]

/assign @aLekSer

[agones-bot]

Build Succeeded 👏

Build Id: 9d53821a-02d9-4e73-8e84-fae7998e59d0

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.16.0-79a3e7a
• image: gcr.io/agones-images/agones-ping:1.16.0-79a3e7a
• Linux C++ SDK (build): agonessdk-1.16.0-79a3e7a-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.16.0-79a3e7a.zip

A preview of the website (the last 30 builds are retained):

• https://79a3e7a-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/googleforgames/agones.git pull/2124/head:pr_2124 && git checkout pr_2124
• helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.16.0-79a3e7a

[dzmitry-lahoda]

when I do this

data "azurerm_resources" "network_security_groups" {
  #MC_rgagones_agones-dev_westeurope
  resource_group_name = azurerm_kubernetes_cluster.agones.resource_group_name //lower(azurerm_kubernetes_cluster.agones.node_resource_group)

I can see resources in created cluster. But the code in PR, and directly having name of node pool RG does not shows anything inside, while there are resource.

So I have run copy pasted parts of PR, not full PR.

[dzmitry-lahoda]

I made output, without any filters,that group is shown empty.... :*

nsg = {
  "id" = "resource-eaeffc3e-2844-440f-967f-55abd5ea15c2"
  "resource_group_name" = "MC_rgagones_agones-dev_westeurope"
  "resources" = []
}

data "azurerm_resources" "network_security_groups" {
  resource_group_name = azurerm_kubernetes_cluster.agones.node_resource_group
}

[WeetA34]

you forgot type = "Microsoft.Network/networkSecurityGroups" in data
in my PR, it's:

data "azurerm_resources" "network_security_groups" {
  resource_group_name = azurerm_kubernetes_cluster.agones.node_resource_group
  type                = "Microsoft.Network/networkSecurityGroups"
}

[dzmitry-lahoda]

nsg = {
  "id" = "resource-cc61f29c-1d33-40fd-a0ff-ef8dc559c637"
  "resource_group_name" = "MC_rgagones_agones-dev_westeurope"
  "resources" = []
  "type" = "Microsoft.Network/networkSecurityGroups"
}

data "azurerm_resources" "network_security_groups" {
  resource_group_name = azurerm_kubernetes_cluster.agones.node_resource_group
  type = "Microsoft.Network/networkSecurityGroups"
}

Type is filter, I checked whole grope - nothing. It is aks 18.19

[WeetA34]

weird. no issue on my side. i have the security group as a member of data resources attribute array.
To test my filter on the security rule resource, i also tested with extra security groups.
I always have secgroups in data resources attribute

[google-oss-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dzmitry-lahoda, markmandel, WeetA34

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [markmandel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dzmitry-lahoda]

Weird thing.

Seems like group name is arbitrary. Like if it is either MC_ or mc_, so get weird artifacts.

resource_group_name                        = "MC_rgagones_agonesdev_westeurope" -> "mc_rgagones_agonesdev_westeurope" # forces replacement

Will try to run and see if it works. It is kind of sometimes lower, sometimes not (not the PR issue, but Azure one).

[WeetA34]

perhaps depending on the provider version.
When i created this MR, i had to force lowercase because it was saved in lowercase.
which Azurerm provider version do you use right now?

[WeetA34]

ha, i reread your message.
With the same azurerm provider version, sometimes you have MC and sometimes mc?

[WeetA34]

hashicorp/terraform-provider-azurerm#10077

[WeetA34]

what you can do right now to ignore this random case issue is adding a lifecycle ignore_changes block inside the azurerm_network_security_rule resource:

resource "azurerm_network_security_rule" "gameserver" {
  name                       = "gameserver"
  ...
  lifecycle {
    ignore_changes = [
      resource_group_name
    ]
  }
}

[dzmitry-lahoda]

With the same azurerm provider version, sometimes you have MC and sometimes mc?

let me test new version.

[WeetA34]

with a new version it will be the same i guess.
What i wanted to be sure is do you have random results with the same provider?

[dzmitry-lahoda]

Used 2.62. Replaced with 2.65. I will rerun script couple of times within month and check (script is not above, but my local modification for windows cluster).

[WeetA34]

Can you perform terraform plan with different azurerm version to see if it's random or related to a provider version?
Thank you

[dzmitry-lahoda]

created in 2.62, applied in 2.65:

 resource_group_name                        = "MC_rgagones_agonesdev_westeurope" -> "mc_rgagones_agonesdev_westeurope" # forces replacement

Seems ignore will help

[WeetA34]

Ok. It seems forcing resource_group_name to lowercase is no more needed.
I’ll deploy a new cluster with latest azurerm provider.
If needed i’ll create a PR to remove lower function.

[WeetA34]

i created a new cluster and encountered your previous issue with data security groups which returned no resources.
i had to lowercase the resource_group_name to get results

data "azurerm_resources" "network_security_groups" {
  resource_group_name = lower(azurerm_kubernetes_cluster.agones.node_resource_group)

  type = "Microsoft.Network/networkSecurityGroups"
}

-->

$ terraform state show 'module.aks_cluster.data.azurerm_resources.network_security_groups'
# module.aks_cluster.data.azurerm_resources.network_security_groups:
data "azurerm_resources" "network_security_groups" {
    id                  = "resource-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    resource_group_name = "mc_agonesrg_test-cluster_eastus"
    resources           = [
        {
            id       = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/mc_agonesrg_test-cluster_eastus/providers/Microsoft.Network/networkSecurityGroups/aks-agentpool-xxxxxxxx-nsg"
            location = "eastus"
            name     = "aks-agentpool-xxxxxxxx-nsg"
            tags     = {}
            type     = "Microsoft.Network/networkSecurityGroups"
        },
    ]
    type                = "Microsoft.Network/networkSecurityGroups"
}

Without the lowercase

data "azurerm_resources" "network_security_groups" {
  resource_group_name = azurerm_kubernetes_cluster.agones.node_resource_group

  type = "Microsoft.Network/networkSecurityGroups"
}

-->

$ terraform state show 'module.aks_cluster.data.azurerm_resources.network_security_groups'
# module.aks_cluster.data.azurerm_resources.network_security_groups:
data "azurerm_resources" "network_security_groups" {
    id                  = "resource-adc23b9e-a9c7-4bb2-8ded-fce0863d7a3d"
    resource_group_name = "MC_agonesRG_test-cluster_eastus"
    resources           = []
    type                = "Microsoft.Network/networkSecurityGroups"
}

[WeetA34]

hummm weird
with or without lower, it finds the security group now

[WeetA34]

regarding the security group rule with provider 2.65.0, resource_group_name has been saved in lowercase so when i apply again, it wants to recreate the security group rule

  # module.aks_cluster.azurerm_network_security_rule.gameserver must be replaced
-/+ resource "azurerm_network_security_rule" "gameserver" {
        access                                     = "Allow"
        destination_address_prefix                 = "*"
      - destination_address_prefixes               = [] -> null
      - destination_application_security_group_ids = [] -> null
        destination_port_range                     = "7000-8000"
      - destination_port_ranges                    = [] -> null
        direction                                  = "Inbound"
      ~ id                                         = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/mc_agonesrg_test-cluster_eastus/providers/Microsoft.Network/networkSecurityGroups/aks-agentpool-xxxxxxxx-nsg/securityRules/gameserver" -> (known after apply)
        name                                       = "gameserver"
        network_security_group_name                = "aks-agentpool-xxxxxxxx-nsg"
        priority                                   = 100
        protocol                                   = "Udp"
      ~ resource_group_name                        = "mc_agonesrg_test-cluster_eastus" -> "MC_agonesRG_test-cluster_eastus" # forces replacement
        source_address_prefix                      = "*"
      - source_address_prefixes                    = [] -> null
      - source_application_security_group_ids      = [] -> null
        source_port_range                          = "*"
      - source_port_ranges                         = [] -> null
    }

[WeetA34]

hello @dzmitry-lahoda,
can you check PR2165 please?
Thank you

[dzmitry-lahoda]

Sure, will check PR branch, so started from master

azurerm_kubernetes_cluster_node_pool.metrics: Creation complete after 4m41s [id=/subscriptions/xxxxxx/resourcegroups/rglahoda/providers/Microsoft.ContainerService/managedClusters/dztestcluster/agentPools/metrics]
╷
│ Error: Invalid index
│
│   on aks.tf line 109, in resource "azurerm_network_security_rule" "gameserver":
│  109:   network_security_group_name = [for network_security_group in data.azurerm_resources.network_security_groups.resources : network_security_group.name if length(regexall("^aks-agentpool-\\d+-nsg$", network_security_group.name)) > 0][0]
│     ├────────────────
│     │ data.azurerm_resources.network_security_groups.resources is empty list of object
│
│ The given key does not identify an element in this collection value.
╵
xxxxxx\agones\install\terraform\modules\aks [main ≡ +0 ~3 -0 !]> 

[WeetA34]

Hello,
don't use master as it doesn't include my PR
see #2165 (comment)

[dzmitry-lahoda]

Sure, just to check that.

On second attempt to run again, master passed well. No changes, just retried after some time.

So kube_config is now

sensitive = true

Switching to branch.

[WeetA34]

let's continue discussion on PR2165

[dzmitry-lahoda]

@WeetA34 used this for reference of hash https://github.com/Azure/aks-engine/blob/master/pkg/api/types.go#L1014-L1030