Merge pull request #91 from worldcoin/lb-deletion-protection

feat: add enable_deletion_protection variable to control LB deletion protection

Author: tcharewicz

README.md

@@ -534,11 +534,13 @@ To remove the cluster you have to:
    ```
 
 1. Set these flags, the module will remove every usage of the Kubernetes provider and allow
-   you to remove the cluster module without any errors.
+   you to remove the cluster module without any errors. Setting `enable_deletion_protection = false`
+   disables deletion protection on the Traefik NLB/ALB load balancers so they can be removed by Terraform.
 
    ```yaml
-   efs_csi_driver_enabled = false
+   efs_csi_driver_enabled      = false
    kubernetes_provider_enabled = false
+   enable_deletion_protection  = false
    ```
 
 1. If above PR `apply` fails (possible reason: race condition - aws_auth removed too soon), remove all `kubernetes_*` resources from state:
@@ -549,8 +551,6 @@ To remove the cluster you have to:
    terraform state rm ...
    ```
 
-1. Manually remove LB deletion protection from AWS (both external and internal) before final delete
-
 1. if there are other clusters in the same region, remove `aws_cloudwatch_event_rule.spot_aws_health aws_cloudwatch_event_rule.spot_aws_ec2` from the state manually.
 
 1. Remove module invocation to finally delete cluster itself.

kubernetes-traefik-external.tf

@@ -93,7 +93,7 @@ resource "kubernetes_ingress_v1" "treafik_ingress" {
 }
 
 module "alb" {
-  source   = "git@github.com:worldcoin/terraform-aws-alb.git?ref=v1.3.2"
+  source   = "git@github.com:worldcoin/terraform-aws-alb.git?ref=v1.4.1"
   for_each = var.external_alb_enabled ? toset([local.external_alb_name]) : []
 
   # because of lenght limitation of LB name we need to remove prefix treafik from internal NLB
@@ -123,6 +123,8 @@ module "alb" {
   mtls_enabled   = var.open_to_all ? false : var.mtls_enabled
   mtls_s3_bucket = format("wld-mtls-ca-%s", var.region)
 
+  enable_deletion_protection = var.enable_deletion_protection
+
   datadog = {
     monitoring_notification_channel = var.monitoring_notification_channel
   }

kubernetes-traefik-internal.tf

@@ -70,7 +70,7 @@ resource "kubernetes_service_v1" "traefik_nlb" {
 }
 
 module "nlb" {
-  source = "git@github.com:worldcoin/terraform-aws-nlb.git?ref=v1.2.0"
+  source = "git@github.com:worldcoin/terraform-aws-nlb.git?ref=v1.3.0"
 
   for_each = var.internal_nlb_enabled ? toset([local.internal_nlb_name]) : []
 
@@ -89,4 +89,6 @@ module "nlb" {
   private_subnets = var.use_private_subnets_for_internal_nlb ? var.vpc_config.private_subnets : []
 
   extra_listeners = var.extra_nlb_listeners
+
+  enable_deletion_protection = var.enable_deletion_protection
 }

variables.tf

@@ -773,3 +773,9 @@ variable "mtls_enabled" {
   type        = bool
   default     = true
 }
+
+variable "enable_deletion_protection" {
+  description = "Whether to enable deletion protection on the Traefik NLB/ALB load balancers. Set to false before destroying the cluster."
+  type        = bool
+  default     = true
+}