From 1482de7784601a96b8f433ef6e17fee2cbe56095 Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Fri, 28 May 2021 20:32:40 +0200 Subject: [PATCH 1/2] fix: Drop duplicated security group rule for EKS private access endpoint --- README.md | 1 - cluster.tf | 14 ++------------ 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index cc29644c36..607c8be86c 100644 --- a/README.md +++ b/README.md @@ -193,7 +193,6 @@ Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraf | [aws_security_group_rule.cluster_egress_internet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cluster_https_worker_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cluster_primary_ingress_workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.cluster_private_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cluster_private_access_cidrs_source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cluster_private_access_sg_source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.workers_egress_internet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | diff --git a/cluster.tf b/cluster.tf index cca7226d9e..13d38a09a7 100644 --- a/cluster.tf +++ b/cluster.tf @@ -89,6 +89,7 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" { resource "aws_security_group_rule" "cluster_private_access_cidrs_source" { count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && var.cluster_endpoint_private_access_cidrs != null ? 1 : 0 + description = "Allow private K8S API ingress from custom CIDR source." type = "ingress" from_port = 443 to_port = 443 @@ -100,6 +101,7 @@ resource "aws_security_group_rule" "cluster_private_access_cidrs_source" { resource "aws_security_group_rule" "cluster_private_access_sg_source" { count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && var.cluster_endpoint_private_access_sg != null ? length(var.cluster_endpoint_private_access_sg) : 0 + description = "Allow private K8S API ingress from custom Security Groups source." type = "ingress" from_port = 443 to_port = 443 @@ -109,18 +111,6 @@ resource "aws_security_group_rule" "cluster_private_access_sg_source" { security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id } -resource "aws_security_group_rule" "cluster_private_access" { - description = "Allow private K8S API ingress from custom source." - count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access ? 1 : 0 - type = "ingress" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = var.cluster_endpoint_private_access_cidrs - - security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id -} - resource "aws_iam_role" "cluster" { count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0 name_prefix = var.cluster_iam_role_name != "" ? null : var.cluster_name From e941aae9477fc4e2ca3329fd16ff87c7b6181a6d Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Fri, 28 May 2021 20:37:34 +0200 Subject: [PATCH 2/2] fixup --- data.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data.tf b/data.tf index 875ca5e8ee..f97692e53e 100644 --- a/data.tf +++ b/data.tf @@ -94,6 +94,7 @@ data "http" "wait_for_cluster" { depends_on = [ aws_eks_cluster.this, - aws_security_group_rule.cluster_private_access, + aws_security_group_rule.cluster_private_access_sg_source, + aws_security_group_rule.cluster_private_access_cidrs_source, ] }