diff --git a/terraform/modules/eks/eks-cluster.tf b/terraform/modules/eks/eks-cluster.tf
index c8c13d38..1c12c0a5 100644
--- a/terraform/modules/eks/eks-cluster.tf
+++ b/terraform/modules/eks/eks-cluster.tf
@@ -77,7 +77,6 @@ resource "aws_cloudwatch_log_group" "eks-logs" {
 }
 resource "aws_eks_cluster" "eks" {
- depends_on = ["aws_cloudwatch_log_group.eks-logs"]
 name = "${var.cluster-name}"
@@ -86,10 +85,10 @@ resource "aws_eks_cluster" "eks" {
 enabled_cluster_log_types = "${var.enabled_cluster_log_types}"
 vpc_config {
- security_group_ids = ["${aws_security_group.eks-cluster.id}"]
- subnet_ids = ["${split(",", var.vpc["create"] ? join(",", concat(aws_subnet.eks-private.*.id, aws_subnet.eks.*.id)) : join(",", concat(split(",", var.vpc["private_subnets_id"]),split(",", var.vpc["public_subnets_id"]))))}"]
+ security_group_ids = ["${aws_security_group.eks-cluster.id}"]
+ subnet_ids = ["${split(",", var.vpc["create"] ? join(",", concat(aws_subnet.eks-private.*.id, aws_subnet.eks.*.id)) : join(",", concat(split(",", var.vpc["private_subnets_id"]),split(",", var.vpc["public_subnets_id"]))))}"]
 endpoint_private_access = "${var.endpoint_private_access}"
- endpoint_public_access = "${var.endpoint_public_access}"
+ endpoint_public_access = "${var.endpoint_public_access}"
 }
 version = "${var.kubernetes_version}"
diff --git a/terraform/modules/eks/eks-worker-nodes.tf b/terraform/modules/eks/eks-worker-nodes.tf
index 36d5a2b6..ef1f9321 100644
--- a/terraform/modules/eks/eks-worker-nodes.tf
+++ b/terraform/modules/eks/eks-worker-nodes.tf
@@ -27,7 +27,7 @@ data "template_file" "eks-node" {
 b64_cluster_ca = "${aws_eks_cluster.eks.certificate_authority.0.data}"
 cluster_name = "${var.cluster-name}"
 kubelet_extra_args = "${lookup(var.node-pools[count.index],"kubelet_extra_args")}"
- extra_user_data = "${lookup(var.node-pools[count.index],"extra_user_data")}"
+ extra_user_data = "${lookup(var.node-pools[count.index],"extra_user_data")}"
 }
 }
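Review bot: Removing `depends_on = ["aws_cloudwatch_log_group.eks-logs"]` leaves nothing visible in this hunk that orders the log group before the cluster, while the same resource still sets `enabled_cluster_log_types` a few lines further down. When a control-plane log type is enabled and the group does not exist yet, EKS creates `/aws/eks/<cluster>/cluster` itself, so the Terraform-managed group (which presumably carries `cluster_log_retention_in_days`) either fails to create or does not govern retention of the audit/authenticator logs; the provider documentation keeps an explicit `depends_on` for exactly this case. Unless the cluster now references `aws_cloudwatch_log_group.eks-logs` some other way outside this hunk, I would keep the line, or make the edge implicit by referencing the group in the resource. The `aws_eks_cluster` body continues past the end of the hunk.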
@@ -85,11 +85,11 @@ resource "aws_autoscaling_group" "eks" {
 map("key", "eks:node-pool:name", "value", "${lookup(var.node-pools[count.index],"name")}", "propagate_at_launch", true)
 ), var.node-pools-tags[count.index])
- }"
+ }",
 ]
 lifecycle {
 create_before_destroy = true
- ignore_changes = ["desired_capacity"]
+ ignore_changes = ["desired_capacity"]
 }
 }
diff --git a/terraform/modules/eks/eks-worker-sg.tf b/terraform/modules/eks/eks-worker-sg.tf
index 2bd78fa8..acf9edf6 100644
--- a/terraform/modules/eks/eks-worker-sg.tf
+++ b/terraform/modules/eks/eks-worker-sg.tf
@@ -19,13 +19,13 @@ resource "aws_security_group" "eks-node" {
 }
 resource "aws_security_group_rule" "eks-node-ingress-self" {
- description = "Allow node to communicate with each other"
- from_port = 0
- protocol = "-1"
- security_group_id = "${aws_security_group.eks-node.id}"
- source_security_group_id = "${aws_security_group.eks-node.id}"
- to_port = 65535
- type = "ingress"
+ description = "Allow node to communicate with each other"
+ from_port = 0
+ protocol = "-1"
+ security_group_id = "${aws_security_group.eks-node.id}"
+ to_port = 65535
+ type = "ingress"
+ self = true
 }
 resource "aws_security_group_rule" "eks-node-ingress-cluster" {
@@ -48,6 +48,17 @@ resource "aws_security_group_rule" "eks-node-ingress-cluster-443" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "eks-node-ingress-cluster-ssh" {
+ count = "${var.ssh_remote_security_group_id == "" ? 0 : 1}"
+ description = "Allow worker Kubelets and pods to receive SSH communication from a remote security group"
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = "${aws_security_group.eks-node.id}"
+ source_security_group_id = "${var.var.ssh_remote_security_group_id}"
+ to_port = 22
+ type = "ingress"
+}
+
 output "eks-node-sg" {
 value = "${aws_security_group.eks-node.id}"
 }
diff --git a/terraform/modules/eks/variables.tf b/terraform/modules/eks/variables.tf
index d146afb8..6b0445aa 100644
--- a/terraform/modules/eks/variables.tf
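Review bot: `source_security_group_id = "${var.var.ssh_remote_security_group_id}"` in the new `eks-node-ingress-cluster-ssh` rule has a doubled `var.` and will not resolve, so the rule breaks the plan exactly when a non-empty ID is supplied and `count` becomes 1; it should read `source_security_group_id = "${var.ssh_remote_security_group_id}"`. The description also overstates what is granted — this opens 22/tcp on the node instances to one security group and has nothing to do with pods — so for anyone auditing the group I would write `description = "Allow SSH (22/tcp) to worker nodes from the remote security group in var.ssh_remote_security_group_id"`. Gating SSH on a source security group rather than a CIDR is the right shape; a one-line comment above `count` noting that an empty variable creates no rule at all (the safe default) would make that intent explicit.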
+++ b/terraform/modules/eks/variables.tf
@@ -101,7 +101,7 @@ variable "endpoint_private_access" {
 }
 variable "enabled_cluster_log_types" {
- type = "list"
+ type = "list"
 default = []
 }
@@ -110,10 +110,14 @@ variable "cluster_log_retention_in_days" {
 }
 variable "allowed_cidr_blocks" {
- type = "list"
+ type = "list"
 default = ["0.0.0.0/0"]
 }
+variable "ssh_remote_security_group_id" {
+ default = ""
+}
+
 variable "map_users" {
 type = "string"
 }
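Review bot: `variable "ssh_remote_security_group_id"` is declared with only `default = ""` — no `description` and no `type`, unlike `map_users` directly below it, which declares `type = "string"`. The worker security-group rule added in eks-worker-sg.tf in this same commit only creates the SSH ingress when this value is non-empty, and that contract belongs on the variable so module users see it: `type = "string"` and `description = "Security group ID allowed to SSH (22/tcp) to the worker nodes; leave empty (default) to create no SSH rule"`. Without the type, a caller passing a list or a CIDR by mistake is only caught when the rule fails to apply.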