Allow additional security groups to be included in worker launch configurations (#112)

mr-joshua · max-rocket-internet · commit 018064477087 · 2018-09-04T17:09:24.000+02:00
* Allow additional security groups to be included for all workers and each worker group #47 * update changelog with reference to issue and be more descriptive * Update CHANGELOG.md * address pr comments and rebase * rebase * fix bug introduced by PR#115 that sets the AMI id to the default value of "" always * rebase * align default value of additional_security_group_ids to be pulled from local var workers_group_defaults_defaults
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,9 @@ project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 
 - add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks)
-- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks)
+- expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks) 
+- add optional input `worker_additional_security_group_ids` to allow one or more additional security groups to be added to all worker launch configurations - #47 (by @hhobbsh @mr-joshua)
+- add optional input `additional_security_group_ids` to allow one or more additional security groups to be added to a specific worker launch configuration - #47 (by @mr-joshua)
 
 ### Changed
 
diff --git a/README.md b/README.md
@@ -114,6 +114,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | subnets | A list of subnets to place the EKS cluster and workers within. | list | - | yes |
 | tags | A map of tags to add to all resources. | map | `<map>` | no |
 | vpc_id | VPC where the cluster and workers will be deployed. | string | - | yes |
+| worker_additional_security_group_ids | A list of additional security group ids to attach to worker instances | list | `<list>` | no |
 | worker_group_count | The number of maps contained within the worker_groups list. | string | `1` | no |
 | worker_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `<list>` | no |
 | worker_security_group_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |
diff --git a/examples/eks_test_fixture/main.tf b/examples/eks_test_fixture/main.tf
@@ -36,10 +36,15 @@ locals {
   # )}"
 
   worker_groups = "${list(
-                  map("instance_type","t2.small",
-                      "additional_userdata","echo foo bar",
-                      "subnets", "${join(",", module.vpc.private_subnets)}",
-                      ),
+    map("instance_type","t2.small",
+      "additional_userdata","echo foo bar",
+      "subnets", "${join(",", module.vpc.private_subnets)}",
+    ),
+    map("instance_type","t2.small",
+      "additional_userdata","echo foo bar",
+      "subnets", "${join(",", module.vpc.private_subnets)}",
+      "additional_security_group_ids", "${aws_security_group.worker_group_mgmt_one.id},${aws_security_group.worker_group_mgmt_two.id}"
+    )
   )}"
   tags = "${map("Environment", "test",
                 "GithubRepo", "terraform-aws-eks",
@@ -53,6 +58,54 @@ resource "random_string" "suffix" {
   special = false
 }
 
+resource "aws_security_group" "worker_group_mgmt_one" {
+  name_prefix = "worker_group_mgmt_one"
+  description = "SG to be applied to all *nix machines"
+  vpc_id      = "${module.vpc.vpc_id}"
+
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+
+    cidr_blocks = [
+      "10.0.0.0/8",
+    ]
+  }
+}
+
+resource "aws_security_group" "worker_group_mgmt_two" {
+  name_prefix = "worker_group_mgmt_two"
+  vpc_id      = "${module.vpc.vpc_id}"
+
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+
+    cidr_blocks = [
+      "192.168.0.0/16",
+    ]
+  }
+}
+
+resource "aws_security_group" "all_worker_mgmt" {
+  name_prefix = "all_worker_management"
+  vpc_id      = "${module.vpc.vpc_id}"
+
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+
+    cidr_blocks = [
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16",
+    ]
+  }
+}
+
 module "vpc" {
   source             = "terraform-aws-modules/vpc/aws"
   version            = "1.14.0"
@@ -67,14 +120,15 @@ module "vpc" {
 }
 
 module "eks" {
-  source             = "../.."
-  cluster_name       = "${local.cluster_name}"
-  subnets            = ["${module.vpc.private_subnets}"]
-  tags               = "${local.tags}"
-  vpc_id             = "${module.vpc.vpc_id}"
-  worker_groups      = "${local.worker_groups}"
-  worker_group_count = "1"
-  map_roles          = "${var.map_roles}"
-  map_users          = "${var.map_users}"
-  map_accounts       = "${var.map_accounts}"
+  source                               = "../.."
+  cluster_name                         = "${local.cluster_name}"
+  subnets                              = ["${module.vpc.private_subnets}"]
+  tags                                 = "${local.tags}"
+  vpc_id                               = "${module.vpc.vpc_id}"
+  worker_groups                        = "${local.worker_groups}"
+  worker_group_count                   = "2"
+  worker_additional_security_group_ids = ["${aws_security_group.all_worker_mgmt.id}"]
+  map_roles                            = "${var.map_roles}"
+  map_users                            = "${var.map_users}"
+  map_accounts                         = "${var.map_accounts}"
 }
diff --git a/local.tf b/local.tf
@@ -9,25 +9,26 @@ locals {
   kubeconfig_name          = "${var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name}"
 
   workers_group_defaults_defaults = {
-    name                 = "count.index"                   # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used.
-    ami_id               = "${data.aws_ami.eks_worker.id}" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI.
-    asg_desired_capacity = "1"                             # Desired worker capacity in the autoscaling group.
-    asg_max_size         = "3"                             # Maximum worker capacity in the autoscaling group.
-    asg_min_size         = "1"                             # Minimum worker capacity in the autoscaling group.
-    instance_type        = "m4.large"                      # Size of the workers instances.
-    spot_price           = ""                              # Cost of spot instance.
-    root_volume_size     = "100"                           # root volume size of workers instances.
-    root_volume_type     = "gp2"                           # root volume type of workers instances, can be 'standard', 'gp2', or 'io1'
-    root_iops            = "0"                             # The amount of provisioned IOPS. This must be set with a volume_type of "io1".
-    key_name             = ""                              # The key name that should be used for the instances in the autoscaling group
-    pre_userdata         = ""                              # userdata to pre-append to the default userdata.
-    additional_userdata  = ""                              # userdata to append to the default userdata.
-    ebs_optimized        = true                            # sets whether to use ebs optimization on supported types.
-    enable_monitoring    = true                            # Enables/disables detailed monitoring.
-    public_ip            = false                           # Associate a public ip address with a worker
-    kubelet_extra_args   = ""                              # This string is passed directly to kubelet if set. Useful for adding labels or taints.
-    subnets              = ""                              # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789
-    autoscaling_enabled  = false                           # Sets whether policy and matching tags will be added to allow autoscaling.
+    name                          = "count.index"                   # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used.
+    ami_id                        = "${data.aws_ami.eks_worker.id}" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI.
+    asg_desired_capacity          = "1"                             # Desired worker capacity in the autoscaling group.
+    asg_max_size                  = "3"                             # Maximum worker capacity in the autoscaling group.
+    asg_min_size                  = "1"                             # Minimum worker capacity in the autoscaling group.
+    instance_type                 = "m4.large"                      # Size of the workers instances.
+    spot_price                    = ""                              # Cost of spot instance.
+    root_volume_size              = "100"                           # root volume size of workers instances.
+    root_volume_type              = "gp2"                           # root volume type of workers instances, can be 'standard', 'gp2', or 'io1'
+    root_iops                     = "0"                             # The amount of provisioned IOPS. This must be set with a volume_type of "io1".
+    key_name                      = ""                              # The key name that should be used for the instances in the autoscaling group
+    pre_userdata                  = ""                              # userdata to pre-append to the default userdata.
+    additional_userdata           = ""                              # userdata to append to the default userdata.
+    ebs_optimized                 = true                            # sets whether to use ebs optimization on supported types.
+    enable_monitoring             = true                            # Enables/disables detailed monitoring.
+    public_ip                     = false                           # Associate a public ip address with a worker
+    kubelet_extra_args            = ""                              # This string is passed directly to kubelet if set. Useful for adding labels or taints.
+    subnets                       = ""                              # A comma delimited string of subnets to place the worker nodes in. i.e. subnet-123,subnet-456,subnet-789
+    autoscaling_enabled           = false                           # Sets whether policy and matching tags will be added to allow autoscaling.
+    additional_security_group_ids = ""                              # A comman delimited list of additional security group ids to include in worker launch config
   }
 
   workers_group_defaults = "${merge(local.workers_group_defaults_defaults, var.workers_group_defaults)}"
diff --git a/variables.tf b/variables.tf
@@ -91,6 +91,12 @@ variable "worker_security_group_id" {
   default     = ""
 }
 
+variable "worker_additional_security_group_ids" {
+  description = "A list of additional security group ids to attach to worker instances"
+  type        = "list"
+  default     = []
+}
+
 variable "worker_sg_ingress_from_port" {
   description = "Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443)."
   default     = "1025"
diff --git a/workers.tf b/workers.tf
@@ -24,7 +24,7 @@ resource "aws_autoscaling_group" "workers" {
 resource "aws_launch_configuration" "workers" {
   name_prefix                 = "${aws_eks_cluster.this.name}-${lookup(var.worker_groups[count.index], "name", count.index)}"
   associate_public_ip_address = "${lookup(var.worker_groups[count.index], "public_ip", lookup(local.workers_group_defaults, "public_ip"))}"
-  security_groups             = ["${local.worker_security_group_id}"]
+  security_groups             = ["${local.worker_security_group_id}", "${var.worker_additional_security_group_ids}", "${compact(split(",",lookup(var.worker_groups[count.index],"additional_security_group_ids",lookup(local.workers_group_defaults, "additional_security_group_ids"))))}"]
   iam_instance_profile        = "${aws_iam_instance_profile.workers.id}"
   image_id                    = "${lookup(var.worker_groups[count.index], "ami_id", lookup(local.workers_group_defaults, "ami_id"))}"
   instance_type               = "${lookup(var.worker_groups[count.index], "instance_type", lookup(local.workers_group_defaults, "instance_type"))}"
