Refactoring phases to work in sequence properly

chrislovecnm · Oct 26, 2017 · dc338c4 · dc338c4
1 parent ceafc68
commit dc338c4
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 257 deletions.
diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go
@@ -35,7 +35,8 @@ const LoadBalancerDefaultIdleTimeout = 5 * time.Minute
 // APILoadBalancerBuilder builds a LoadBalancer for accessing the API
 type APILoadBalancerBuilder struct {
 	*AWSModelContext
-	Lifecycle *fi.Lifecycle
+	Lifecycle         *fi.Lifecycle
+	SecurityLifecycle *fi.Lifecycle
 }
 
 var _ fi.ModelBuilder = &APILoadBalancerBuilder{}
@@ -144,7 +145,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroup{
 			Name:      s(b.ELBSecurityGroupName("api")),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			VPC:              b.LinkToVPC(),
 			Description:      s("Security group for api ELB"),
@@ -157,7 +158,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("api-elb-egress"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToELBSecurityGroup("api"),
 			Egress:        fi.Bool(true),
@@ -171,7 +172,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 		for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess {
 			t := &awstasks.SecurityGroupRule{
 				Name:      s("https-api-elb-" + cidr),
-				Lifecycle: b.Lifecycle,
+				Lifecycle: b.SecurityLifecycle,
 
 				SecurityGroup: b.LinkToELBSecurityGroup("api"),
 				CIDR:          s(cidr),
@@ -187,7 +188,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("https-elb-to-master"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
 			SourceGroup:   b.LinkToELBSecurityGroup("api"),

diff --git a/pkg/model/bastion.go b/pkg/model/bastion.go
@@ -35,7 +35,8 @@ const BastionELBDefaultIdleTimeout = 5 * time.Minute
 
 type BastionModelBuilder struct {
 	*KopsModelContext
-	Lifecycle *fi.Lifecycle
+	Lifecycle         *fi.Lifecycle
+	SecurityLifecycle *fi.Lifecycle
 }
 
 var _ fi.ModelBuilder = &BastionModelBuilder{}
@@ -56,7 +57,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroup{
 			Name:      s(b.SecurityGroupName(kops.InstanceGroupRoleBastion)),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			VPC:              b.LinkToVPC(),
 			Description:      s("Security group for bastion"),
@@ -69,7 +70,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-egress"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
 			Egress:        fi.Bool(true),
@@ -83,7 +84,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("ssh-elb-to-bastion"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
 			SourceGroup:   b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
@@ -98,7 +99,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-to-master-ssh"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
 			SourceGroup:   b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
@@ -113,7 +114,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-to-node-ssh"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode),
 			SourceGroup:   b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
@@ -128,7 +129,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroup{
 			Name:      s(b.ELBSecurityGroupName(BastionELBSecurityGroupPrefix)),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			VPC:              b.LinkToVPC(),
 			Description:      s("Security group for bastion ELB"),
@@ -141,7 +142,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	{
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("bastion-elb-egress"),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
 			Egress:        fi.Bool(true),
@@ -155,7 +156,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 	for _, sshAccess := range b.Cluster.Spec.SSHAccess {
 		t := &awstasks.SecurityGroupRule{
 			Name:      s("ssh-external-to-bastion-elb-" + sshAccess),
-			Lifecycle: b.Lifecycle,
+			Lifecycle: b.SecurityLifecycle,
 
 			SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
 			Protocol:      s("tcp"),

diff --git a/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf
diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go
@@ -535,11 +535,11 @@ func (c *ApplyClusterCmd) Run() error {
 
 				l.Builders = append(l.Builders,
 					&model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
-					&awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: networkLifecycle},
-					&model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle},
-					&model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle},
-					&model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
-					&model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
+					&awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle},
+					&model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle},
+					&model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
+					&model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
+					&model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
 					&model.SSHKeyModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
 				)
 
@@ -563,9 +563,9 @@ func (c *ApplyClusterCmd) Run() error {
 				l.Builders = append(l.Builders,
 					&model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
 
-					&gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
-					&gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
-					&gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
+					&gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
+					&gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
+					&gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
 					&gcemodel.NetworkModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
 				)