diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go
index b9240a82cc1e9..ac3147c4e52f3 100644
--- a/pkg/model/awsmodel/api_loadbalancer.go
+++ b/pkg/model/awsmodel/api_loadbalancer.go
@@ -35,7 +35,8 @@ const LoadBalancerDefaultIdleTimeout = 5 * time.Minute
 // APILoadBalancerBuilder builds a LoadBalancer for accessing the API
 type APILoadBalancerBuilder struct {
 *AWSModelContext
- Lifecycle *fi.Lifecycle
+ Lifecycle *fi.Lifecycle
+ SecurityLifecycle *fi.Lifecycle
 }
 var _ fi.ModelBuilder = &APILoadBalancerBuilder{}
@@ -144,7 +145,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroup{
 Name: s(b.ELBSecurityGroupName("api")),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 VPC: b.LinkToVPC(),
 Description: s("Security group for api ELB"),
@@ -157,7 +158,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroupRule{
 Name: s("api-elb-egress"),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToELBSecurityGroup("api"),
 Egress: fi.Bool(true),
@@ -171,7 +172,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess {
 t := &awstasks.SecurityGroupRule{
 Name: s("https-api-elb-" + cidr),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToELBSecurityGroup("api"),
 CIDR: s(cidr),
@@ -187,7 +188,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroupRule{
 Name: s("https-elb-to-master"),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
 SourceGroup: b.LinkToELBSecurityGroup("api"),
diff --git a/pkg/model/bastion.go b/pkg/model/bastion.go
index 361738a80b02d..4de117b27632a 100644
--- a/pkg/model/bastion.go
+++ b/pkg/model/bastion.go
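Review bot: The new `SecurityLifecycle` field added to `APILoadBalancerBuilder` in the -35 hunk carries no doc comment, and nothing in the -144/-157/-171/-187 hunks guards against a caller leaving it nil, in which case the api ELB security group and all four rules would be built with a nil `*fi.Lifecycle` instead of an explicit phase. A one-line field comment would make the split intentional: `// SecurityLifecycle is the lifecycle for the ELB security group and its rules; the load balancer itself uses Lifecycle.` If a nil lifecycle has a defined meaning elsewhere in `fi`, the comment should say so rather than leave the reader to infer it. The same applies to `BastionModelBuilder.SecurityLifecycle` in bastion.go. `Build` starts and ends outside these hunks, so whether it already validates the field cannot be seen from the diff.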
@@ -35,7 +35,8 @@ const BastionELBDefaultIdleTimeout = 5 * time.Minute
 type BastionModelBuilder struct {
 *KopsModelContext
- Lifecycle *fi.Lifecycle
+ Lifecycle *fi.Lifecycle
+ SecurityLifecycle *fi.Lifecycle
 }
 var _ fi.ModelBuilder = &BastionModelBuilder{}
@@ -56,7 +57,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroup{
 Name: s(b.SecurityGroupName(kops.InstanceGroupRoleBastion)),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 VPC: b.LinkToVPC(),
 Description: s("Security group for bastion"),
@@ -69,7 +70,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroupRule{
 Name: s("bastion-egress"),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
 Egress: fi.Bool(true),
@@ -83,7 +84,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroupRule{
 Name: s("ssh-elb-to-bastion"),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
 SourceGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
@@ -98,7 +99,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroupRule{
 Name: s("bastion-to-master-ssh"),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
 SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
@@ -113,7 +114,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroupRule{
 Name: s("bastion-to-node-ssh"),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode),
 SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion),
@@ -128,7 +129,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroup{
 Name: s(b.ELBSecurityGroupName(BastionELBSecurityGroupPrefix)),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 VPC: b.LinkToVPC(),
 Description: s("Security group for bastion ELB"),
@@ -141,7 +142,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 t := &awstasks.SecurityGroupRule{
 Name: s("bastion-elb-egress"),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
 Egress: fi.Bool(true),
@@ -155,7 +156,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 for _, sshAccess := range b.Cluster.Spec.SSHAccess {
 t := &awstasks.SecurityGroupRule{
 Name: s("ssh-external-to-bastion-elb-" + sshAccess),
- Lifecycle: b.Lifecycle,
+ Lifecycle: b.SecurityLifecycle,
 SecurityGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix),
 Protocol: s("tcp"),
diff --git a/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf b/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf
deleted file mode 100644
index e936392bc1b7f..0000000000000
--- a/tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf
+++ /dev/null
@@ -1,235 +0,0 @@ -output "bastion_security_group_ids" { - value = ["${aws_security_group.bastion-privateweave-example-com.id}"] -} - -output "cluster_name" { - value = "privateweave.example.com" -} - -output "master_security_group_ids" { - value = ["${aws_security_group.masters-privateweave-example-com.id}"] -} - -output "node_security_group_ids" { - value = ["${aws_security_group.nodes-privateweave-example-com.id}"] -} - -output "region" { - value = "us-test-1" -} - -provider "aws" { - region = "us-test-1" -} - -resource "aws_security_group" "api-elb-privateweave-example-com" { - name = "api-elb.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for api ELB" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "api-elb.privateweave.example.com" - } -} - -resource "aws_security_group" "bastion-elb-privateweave-example-com" { - name = "bastion-elb.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for bastion ELB" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "bastion-elb.privateweave.example.com" - } -} - -resource "aws_security_group" "bastion-privateweave-example-com" { - name = "bastion.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for bastion" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "bastion.privateweave.example.com" - } -} - -resource "aws_security_group" "masters-privateweave-example-com" { - name = "masters.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - description = "Security group for masters" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "masters.privateweave.example.com" - } -} - -resource "aws_security_group" "nodes-privateweave-example-com" { - name = "nodes.privateweave.example.com" - vpc_id = "${aws_vpc.privateweave-example-com.id}" - 
description = "Security group for nodes" - - tags = { - KubernetesCluster = "privateweave.example.com" - Name = "nodes.privateweave.example.com" - } -} - -resource "aws_security_group_rule" "all-master-to-master" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" -} - -resource "aws_security_group_rule" "all-master-to-node" { - type = "ingress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" -} - -resource "aws_security_group_rule" "all-node-to-node" { - type = "ingress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" -} - -resource "aws_security_group_rule" "api-elb-egress" { - type = "egress" - security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "bastion-egress" { - type = "egress" - security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "bastion-elb-egress" { - type = "egress" - security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "bastion-to-master-ssh" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = 
"${aws_security_group.bastion-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" -} - -resource "aws_security_group_rule" "bastion-to-node-ssh" { - type = "ingress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" -} - -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { - type = "ingress" - security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "https-elb-to-master" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" - from_port = 443 - to_port = 443 - protocol = "tcp" -} - -resource "aws_security_group_rule" "master-egress" { - type = "egress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "node-egress" { - type = "egress" - security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] -} - -resource "aws_security_group_rule" "node-to-master-tcp-1-4000" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 1 - to_port = 4000 - protocol = "tcp" -} - -resource "aws_security_group_rule" "node-to-master-tcp-4003-65535" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = 
"${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 4003 - to_port = 65535 - protocol = "tcp" -} - -resource "aws_security_group_rule" "node-to-master-udp-1-65535" { - type = "ingress" - security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" - from_port = 1 - to_port = 65535 - protocol = "udp" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - type = "ingress" - security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" - source_security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - type = "ingress" - security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] -} - -terraform = { - required_version = ">= 0.9.3" -} diff --git a/upup/pkg/fi/cloudup/apply_cluster.go b/upup/pkg/fi/cloudup/apply_cluster.go index 9b61a9585df58..79c493d4c6c58 100644 --- a/upup/pkg/fi/cloudup/apply_cluster.go +++ b/upup/pkg/fi/cloudup/apply_cluster.go 
@@ -535,11 +535,11 @@ func (c *ApplyClusterCmd) Run() error {
 l.Builders = append(l.Builders,
 &model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
- &awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: networkLifecycle},
- &model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle},
- &model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: networkLifecycle},
- &model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
- &model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
+ &awsmodel.APILoadBalancerBuilder{AWSModelContext: awsModelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle},
+ &model.BastionModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle, SecurityLifecycle: securityLifecycle},
+ &model.DNSModelBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
+ &model.ExternalAccessModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
+ &model.FirewallModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
 &model.SSHKeyModelBuilder{KopsModelContext: modelContext, Lifecycle: securityLifecycle},
 )
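Review bot: The AWS `APILoadBalancerBuilder` and `BastionModelBuilder` are now split across two phases — their load balancer tasks stay on `clusterLifecycle` while the security groups those load balancers attach to (via `LinkToELBSecurityGroup`) move to `securityLifecycle` — so applying the cluster phase on its own presumably depends on the security phase having been applied first. If the phase runner does not already enforce that ordering, a comment at this call site stating the dependency would help, e.g. `// ELB and bastion security groups are created in the security phase; the cluster phase only references them.` The deleted fixture `tests/integration/update_cluster/lifecycle_phases/securitygroups-kubernetes.tf` is not replaced in this diff, so it is unclear whether the lifecycle-phase integration test still asserts the expected security-phase output after this move. `Run` starts and ends outside the hunk.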
@@ -563,9 +563,9 @@ func (c *ApplyClusterCmd) Run() error {
 l.Builders = append(l.Builders,
 &model.MasterVolumeBuilder{KopsModelContext: modelContext, Lifecycle: clusterLifecycle},
- &gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
- &gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
- &gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
+ &gcemodel.APILoadBalancerBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
+ &gcemodel.ExternalAccessModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
+ &gcemodel.FirewallModelBuilder{GCEModelContext: gceModelContext, Lifecycle: securityLifecycle},
 &gcemodel.NetworkModelBuilder{GCEModelContext: gceModelContext, Lifecycle: networkLifecycle},
 )
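Review bot: `gcemodel.APILoadBalancerBuilder` is moved wholesale to `securityLifecycle`, whereas the AWS counterpart in the preceding hunk keeps its load balancer on `clusterLifecycle` and reserves `SecurityLifecycle` for the security groups only; if the GCE builder emits any non-firewall resources, those would now be created in the security phase, which diverges from the AWS treatment. If the asymmetry is deliberate because the GCE builder only produces firewall rules, a short comment on that line would stop the two cloud paths from drifting silently, e.g. `// GCE: the API load balancer builder only emits firewall rules, so it belongs to the security phase.` `Run` continues outside the hunk.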