From 7acceda663a4004feb8fe8bc2070f3df034d6f8a Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Thu, 25 May 2023 11:05:41 +0200 Subject: [PATCH 1/3] Set max firewall name to 36 This to be able to have longer and unique names. The firewall API supports 64 charters Solves #1527 Signed-off-by: Edvin Norling --- autogen/main/firewall.tf.tmpl | 16 ++++++++-------- firewall.tf | 14 +++++++------- .../beta-autopilot-private-cluster/firewall.tf | 16 ++++++++-------- .../beta-autopilot-public-cluster/firewall.tf | 16 ++++++++-------- .../firewall.tf | 16 ++++++++-------- modules/beta-private-cluster/firewall.tf | 16 ++++++++-------- .../firewall.tf | 16 ++++++++-------- modules/beta-public-cluster/firewall.tf | 16 ++++++++-------- .../private-cluster-update-variant/firewall.tf | 14 +++++++------- modules/private-cluster/firewall.tf | 14 +++++++------- 10 files changed, 77 insertions(+), 77 deletions(-) diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl index 64d4df3bda..90efd57d37 100644 --- a/autogen/main/firewall.tf.tmpl +++ b/autogen/main/firewall.tf.tmpl @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -70,7 +70,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "tpu_egress" { count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-tpu-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" description = "Managed by terraform gke module: Allow pods to communicate with TPUs" project = local.network_project_id network = var.network @@ -105,7 +105,7 @@ resource "google_compute_firewall" "tpu_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -137,7 +137,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -166,7 +166,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -192,7 +192,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -227,7 +227,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -254,7 +254,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/firewall.tf b/firewall.tf index a754fda5c6..94cec9e103 100644 --- a/firewall.tf +++ b/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -63,7 +63,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -93,7 +93,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -122,7 +122,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -148,7 +148,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -183,7 +183,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -210,7 +210,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/beta-autopilot-private-cluster/firewall.tf b/modules/beta-autopilot-private-cluster/firewall.tf index 96eecab803..4701c82a2c 100644 --- a/modules/beta-autopilot-private-cluster/firewall.tf +++ b/modules/beta-autopilot-private-cluster/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -64,7 +64,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "tpu_egress" { count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-tpu-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" description = "Managed by terraform gke module: Allow pods to communicate with TPUs" project = local.network_project_id network = var.network @@ -93,7 +93,7 @@ resource "google_compute_firewall" "tpu_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -120,7 +120,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -149,7 +149,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -175,7 +175,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -210,7 +210,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -237,7 +237,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/beta-autopilot-public-cluster/firewall.tf b/modules/beta-autopilot-public-cluster/firewall.tf index df15a02367..1e61965ca2 100644 --- a/modules/beta-autopilot-public-cluster/firewall.tf +++ b/modules/beta-autopilot-public-cluster/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -67,7 +67,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "tpu_egress" { count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-tpu-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" description = "Managed by terraform gke module: Allow pods to communicate with TPUs" project = local.network_project_id network = var.network @@ -99,7 +99,7 @@ resource "google_compute_firewall" "tpu_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -129,7 +129,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -158,7 +158,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -184,7 +184,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -219,7 +219,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -246,7 +246,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf index 96eecab803..4701c82a2c 100644 --- a/modules/beta-private-cluster-update-variant/firewall.tf +++ b/modules/beta-private-cluster-update-variant/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -64,7 +64,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "tpu_egress" { count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-tpu-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" description = "Managed by terraform gke module: Allow pods to communicate with TPUs" project = local.network_project_id network = var.network @@ -93,7 +93,7 @@ resource "google_compute_firewall" "tpu_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -120,7 +120,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -149,7 +149,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -175,7 +175,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -210,7 +210,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -237,7 +237,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf index 96eecab803..4701c82a2c 100644 --- a/modules/beta-private-cluster/firewall.tf +++ b/modules/beta-private-cluster/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -64,7 +64,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "tpu_egress" { count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-tpu-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" description = "Managed by terraform gke module: Allow pods to communicate with TPUs" project = local.network_project_id network = var.network @@ -93,7 +93,7 @@ resource "google_compute_firewall" "tpu_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -120,7 +120,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -149,7 +149,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -175,7 +175,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -210,7 +210,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -237,7 +237,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/beta-public-cluster-update-variant/firewall.tf b/modules/beta-public-cluster-update-variant/firewall.tf index df15a02367..1e61965ca2 100644 --- a/modules/beta-public-cluster-update-variant/firewall.tf +++ b/modules/beta-public-cluster-update-variant/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -67,7 +67,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "tpu_egress" { count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-tpu-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" description = "Managed by terraform gke module: Allow pods to communicate with TPUs" project = local.network_project_id network = var.network @@ -99,7 +99,7 @@ resource "google_compute_firewall" "tpu_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -129,7 +129,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -158,7 +158,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -184,7 +184,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -219,7 +219,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -246,7 +246,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf index df15a02367..1e61965ca2 100644 --- a/modules/beta-public-cluster/firewall.tf +++ b/modules/beta-public-cluster/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -67,7 +67,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "tpu_egress" { count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-tpu-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" description = "Managed by terraform gke module: Allow pods to communicate with TPUs" project = local.network_project_id network = var.network @@ -99,7 +99,7 @@ resource "google_compute_firewall" "tpu_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -129,7 +129,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -158,7 +158,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -184,7 +184,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -219,7 +219,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -246,7 +246,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf index d9507532c3..a5d89cefe0 100644 --- a/modules/private-cluster-update-variant/firewall.tf +++ b/modules/private-cluster-update-variant/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -60,7 +60,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -87,7 +87,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -116,7 +116,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -142,7 +142,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -177,7 +177,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -204,7 +204,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf index d9507532c3..a5d89cefe0 100644 --- a/modules/private-cluster/firewall.tf +++ b/modules/private-cluster/firewall.tf @@ -26,7 +26,7 @@ *****************************************/ resource "google_compute_firewall" "intra_egress" { count = var.add_cluster_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-intra-cluster-egress" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress" description = "Managed by terraform gke module: Allow pods to communicate with each other and the master" project = local.network_project_id network = var.network @@ -60,7 +60,7 @@ resource "google_compute_firewall" "intra_egress" { *****************************************/ resource "google_compute_firewall" "master_webhooks" { count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0 - name = "gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks" + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks" description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks" project = local.network_project_id network = var.network @@ -87,7 +87,7 @@ resource "google_compute_firewall" "master_webhooks" { resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all" description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network @@ -116,7 +116,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { resource "google_compute_firewall" "shadow_allow_master" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -142,7 +142,7 @@ resource "google_compute_firewall" "shadow_allow_master" { resource "google_compute_firewall" "shadow_allow_nodes" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms" description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication." project = local.network_project_id network = var.network @@ -177,7 +177,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" { resource "google_compute_firewall" "shadow_allow_inkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-inkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet." project = local.network_project_id network = var.network @@ -204,7 +204,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" { resource "google_compute_firewall" "shadow_deny_exkubelet" { count = var.add_shadow_firewall_rules ? 1 : 0 - name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-exkubelet" + name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet" description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet." project = local.network_project_id network = var.network From d5d2718bb6446a53389236c5c416351bdaf08924 Mon Sep 17 00:00:00 2001 From: Edvin Norling Date: Tue, 13 Jun 2023 08:33:30 +0200 Subject: [PATCH 2/3] Update safer tests Signed-off-by: Edvin Norling --- test/integration/safer_cluster/safer_cluster_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/safer_cluster/safer_cluster_test.go b/test/integration/safer_cluster/safer_cluster_test.go index 1d87c878ed..0f7761bbac 100644 --- a/test/integration/safer_cluster/safer_cluster_test.go +++ b/test/integration/safer_cluster/safer_cluster_test.go @@ -63,8 +63,8 @@ func TestSaferCluster(t *testing.T) { for _, pth := range validateJSONPaths { g.JSONEq(assert, op, pth) } - gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-intra-cluster-egress", projectId, clusterName[:25]) - gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-webhooks", projectId, clusterName[:25]) + gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-intra-cluster-egress", projectId, clusterName[:36]) + gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-webhooks", projectId, clusterName[:36]) }) bpt.Test() From d924ad64b047444991735f1dfe3644c2423be758 Mon Sep 17 00:00:00 2001 From: Bharath KKB Date: Tue, 13 Jun 2023 23:08:35 -0500 Subject: [PATCH 3/3] skip trimming cluster name --- test/integration/safer_cluster/safer_cluster_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/safer_cluster/safer_cluster_test.go b/test/integration/safer_cluster/safer_cluster_test.go index 0f7761bbac..79b482ff13 100644 --- a/test/integration/safer_cluster/safer_cluster_test.go +++ b/test/integration/safer_cluster/safer_cluster_test.go @@ -63,8 +63,8 @@ func TestSaferCluster(t *testing.T) { for _, pth := range validateJSONPaths { g.JSONEq(assert, op, pth) } - gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-intra-cluster-egress", projectId, clusterName[:36]) - gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-webhooks", projectId, clusterName[:36]) + gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-intra-cluster-egress", projectId, clusterName) + gcloud.Runf(t, "compute firewall-rules --project %s describe gke-%s-webhooks", projectId, clusterName) }) bpt.Test()