From 3f1ee1e8209d91c4859f8ee10bd5026ec19aac35 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Tue, 3 Oct 2023 22:31:02 -0700
Subject: [PATCH] hack/update-expected.sh
---
 .../bastionadditional_user-data/kubernetes.tf | 87 ++++++++++++-
 .../update_cluster/complex/kubernetes.tf | 118 +++++++++++-------
 .../update_cluster/existing_sg/kubernetes.tf | 54 ++++++++
 .../externalpolicies/kubernetes.tf | 18 +++
 .../minimal-dns-none/kubernetes.tf | 70 +++++++----
 .../minimal-ipv6-calico/kubernetes.tf | 61 +++++++--
 .../minimal-ipv6-cilium/kubernetes.tf | 61 +++++++--
 .../kubernetes.tf | 61 +++++++--
 .../update_cluster/minimal-ipv6/kubernetes.tf | 61 +++++++--
 .../private-shared-ip/kubernetes.tf | 87 ++++++++++++-
 .../private-shared-subnet/kubernetes.tf | 87 ++++++++++++-
 .../privatecalico/kubernetes.tf | 93 ++++++++++++--
 .../update_cluster/privatecanal/kubernetes.tf | 87 ++++++++++++-
 .../privatecilium-eni/kubernetes.tf | 87 ++++++++++++-
 .../privatecilium/kubernetes.tf | 87 ++++++++++++-
 .../privatecilium2/kubernetes.tf | 87 ++++++++++++-
 .../privateciliumadvanced/kubernetes.tf | 87 ++++++++++++-
 .../update_cluster/privatedns1/kubernetes.tf | 89 ++++++++++++-
 .../update_cluster/privatedns2/kubernetes.tf | 87 ++++++++++++-
 .../privateflannel/kubernetes.tf | 87 ++++++++++++-
 .../privatekopeio/kubernetes.tf | 93 ++++++++++++--
 .../shared_vpc_ipv6/kubernetes.tf | 61 +++++++--
 .../update_cluster/unmanaged/kubernetes.tf | 93 ++++++++++++--
 23 files changed, 1584 insertions(+), 219 deletions(-)
diff --git a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
index 1d8b98ed37..0209bd70b9 100644
--- a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
+++ b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
@@ -773,6 +773,7 @@ resource "aws_lb" "bastion-bastionuserdata-example-com" {
 internal = false
 load_balancer_type = "network"
 name = "bastion-bastionuserdata-e-4grhsv"
+ security_groups = [aws_security_group.bastion-elb-bastionuserdata-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-bastionuserdata-example-com.id
 }
@@ -1075,6 +1076,17 @@ resource "aws_security_group" "bastion-bastionuserdata-example-com" {
 vpc_id = aws_vpc.bastionuserdata-example-com.id
 }
+resource "aws_security_group" "bastion-elb-bastionuserdata-example-com" {
+ description = "Security group for bastion ELB"
+ name = "bastion-elb.bastionuserdata.example.com"
+ tags = {
+ "KubernetesCluster" = "bastionuserdata.example.com"
+ "Name" = "bastion-elb.bastionuserdata.example.com"
+ "kubernetes.io/cluster/bastionuserdata.example.com" = "owned"
+ }
+ vpc_id = aws_vpc.bastionuserdata-example-com.id
+}
+
 resource "aws_security_group" "masters-bastionuserdata-example-com" {
 description = "Security group for masters"
 name = "masters.bastionuserdata.example.com"
@@ -1097,11 +1109,11 @@ resource "aws_security_group" "nodes-bastionuserdata-example-com" {
 vpc_id = aws_vpc.bastionuserdata-example-com.id
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-bastionuserdata-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-bastionuserdata-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id
+ security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1115,11 +1127,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-bastionuserdata-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-bastionuserdata-example-com" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id
+ security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1160,6 +1172,15 @@ resource "aws_security_group_rule" "from-bastion-bastionuserdata-example-com-egr
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-bastionuserdata-example-com-ingress-icmp-3to4-bastion-elb-bastionuserdata-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
+ source_security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-bastionuserdata-example-com-ingress-tcp-22to22-masters-bastionuserdata-example-com" {
 from_port = 22
 protocol = "tcp"
@@ -1178,6 +1199,42 @@ resource "aws_security_group_rule" "from-bastion-bastionuserdata-example-com-ing
 type = "ingress"
 }
+resource "aws_security_group_rule" "from-bastion-elb-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-bastionuserdata-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-bastionuserdata-example-com-ingress-icmp-3to4-bastion-bastionuserdata-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-bastionuserdata-example-com-ingress-tcp-22to22-bastion-bastionuserdata-example-com" {
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-masters-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1295,11 +1352,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-bastionuserdata-example-com.id
+ source_security_group_id = aws_security_group.masters-bastionuserdata-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-bastionuserdata-example-com.id
+ source_security_group_id = aws_security_group.api-elb-bastionuserdata-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id
+ security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
 to_port = 4
 type = "ingress"
 }
@@ -1308,7 +1383,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id
+ security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id
 to_port = 4
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf
index 49f5ffe9d6..5c65a98dd0 100644
--- a/tests/integration/update_cluster/complex/kubernetes.tf
+++ b/tests/integration/update_cluster/complex/kubernetes.tf
@@ -638,6 +638,7 @@ resource "aws_lb" "api-complex-example-com" {
 internal = false
 load_balancer_type = "network"
 name = "api-complex-example-com-vd3t5n"
+ security_groups = ["sg-exampleid5", "sg-exampleid6", aws_security_group.api-elb-complex-example-com.id]
 subnet_mapping {
 allocation_id = "eipalloc-012345a678b9cdefa"
 subnet_id = aws_subnet.us-test-1a-complex-example-com.id
@@ -1027,20 +1028,20 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-com
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-complex-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-complex-example-com" {
 from_port = 443
 prefix_list_ids = ["pl-44444444"]
 protocol = "tcp"
- security_group_id = aws_security_group.masters-complex-example-com.id
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
 to_port = 443
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-1-1-1-0--24-ingress-tcp-443to443-masters-complex-example-com" {
+resource "aws_security_group_rule" "from-1-1-1-0--24-ingress-tcp-443to443-api-elb-complex-example-com" {
 cidr_blocks = ["1.1.1.0/24"]
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.masters-complex-example-com.id
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
 to_port = 443
 type = "ingress"
 }
@@ -1063,6 +1064,24 @@ resource "aws_security_group_rule" "from-1-1-1-1--32-ingress-tcp-22to22-nodes-co
 type = "ingress"
 }
+resource "aws_security_group_rule" "from-api-elb-complex-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-api-elb-complex-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
 resource "aws_security_group_rule" "from-masters-complex-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1163,41 +1182,59 @@ resource "aws_security_group_rule" "from-nodes-complex-example-com-ingress-udp-1
 }
 resource "aws_security_group_rule" "https-elb-to-master" {
- cidr_blocks = ["172.20.0.0/16"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-complex-example-com.id
- to_port = 443
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "https-lb-to-master-10-1-0-0--16" {
- cidr_blocks = ["10.1.0.0/16"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-complex-example-com.id
- to_port = 443
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "https-lb-to-master-10-2-0-0--16" {
- cidr_blocks = ["10.2.0.0/16"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-complex-example-com.id
- to_port = 443
- type = "ingress"
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-complex-example-com.id
+ source_security_group_id = aws_security_group.api-elb-complex-example-com.id
+ to_port = 443
+ type = "ingress"
 }
 resource "aws_security_group_rule" "icmp-pmtu-api-elb-1-1-1-0--24" {
 cidr_blocks = ["1.1.1.0/24"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.masters-complex-example-com.id
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
 to_port = 4
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-api-elb-pl-44444444" {
+ from_port = 3
+ prefix_list_ids = ["pl-44444444"]
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
+ source_security_group_id = aws_security_group.masters-complex-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-complex-example-com.id
+ source_security_group_id = aws_security_group.api-elb-complex-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-pl-44444444" {
+ from_port = -1
+ prefix_list_ids = ["pl-44444444"]
+ protocol = "icmpv6"
+ security_group_id = aws_security_group.api-elb-complex-example-com.id
+ to_port = -1
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "nodeport-tcp-external-to-node-1-2-3-4--32" {
 cidr_blocks = ["1.2.3.4/32"]
 from_port = 28000
@@ -1234,22 +1271,13 @@ resource "aws_security_group_rule" "nodeport-udp-external-to-node-10-20-30-0--24
 type = "ingress"
 }
-resource "aws_security_group_rule" "tcp-api-1-1-1-0--24" {
- cidr_blocks = ["1.1.1.0/24"]
- from_port = 8443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-complex-example-com.id
- to_port = 8443
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "tcp-api-pl-44444444" {
- from_port = 8443
- prefix_list_ids = ["pl-44444444"]
- protocol = "tcp"
- security_group_id = aws_security_group.masters-complex-example-com.id
- to_port = 8443
- type = "ingress"
+resource "aws_security_group_rule" "tcp-api-cp" {
+ from_port = 8443
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-complex-example-com.id
+ source_security_group_id = aws_security_group.api-elb-complex-example-com.id
+ to_port = 8443
+ type = "ingress"
 }
 resource "aws_sqs_queue" "complex-example-com-nth" {
diff --git a/tests/integration/update_cluster/existing_sg/kubernetes.tf b/tests/integration/update_cluster/existing_sg/kubernetes.tf
index 2dcaaff3c4..deb47bd0af 100644
--- a/tests/integration/update_cluster/existing_sg/kubernetes.tf
+++ b/tests/integration/update_cluster/existing_sg/kubernetes.tf
@@ -1643,6 +1643,60 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-sg-master-1a-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = "sg-elb"
+ source_security_group_id = "sg-master-1a"
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-cp-sg-master-1b-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = "sg-elb"
+ source_security_group_id = "sg-master-1b"
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = "sg-elb"
+ source_security_group_id = aws_security_group.masters-existingsg-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-existingsg-example-com.id
+ source_security_group_id = "sg-elb"
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp-sg-master-1a" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = "sg-master-1a"
+ source_security_group_id = "sg-elb"
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp-sg-master-1b" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = "sg-master-1b"
+ source_security_group_id = "sg-elb"
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_sqs_queue" "existingsg-example-com-nth" {
 message_retention_seconds = 300
 name = "existingsg-example-com-nth"
diff --git a/tests/integration/update_cluster/externalpolicies/kubernetes.tf b/tests/integration/update_cluster/externalpolicies/kubernetes.tf
index 8d9d7162fe..232fd1dd90 100644
--- a/tests/integration/update_cluster/externalpolicies/kubernetes.tf
+++ b/tests/integration/update_cluster/externalpolicies/kubernetes.tf
@@ -1052,6 +1052,24 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-externalpolicies-example-com.id
+ source_security_group_id = aws_security_group.masters-externalpolicies-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-externalpolicies-example-com.id
+ source_security_group_id = aws_security_group.api-elb-externalpolicies-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "nodeport-tcp-external-to-node-1-2-3-4--32" {
 cidr_blocks = ["1.2.3.4/32"]
 from_port = 28000
diff --git a/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf b/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf
index 9866965c1f..df8650e663 100644
--- a/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal-dns-none/kubernetes.tf
@@ -572,6 +572,7 @@ resource "aws_lb" "api-minimal-example-com" {
 internal = false
 load_balancer_type = "network"
 name = "api-minimal-example-com-gecgf7"
+ security_groups = [aws_security_group.api-elb-minimal-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.us-test-1a-minimal-example-com.id
 }
@@ -864,11 +865,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-min
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-minimal-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
 to_port = 443
 type = "ingress"
 }
@@ -891,15 +892,33 @@ resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal-
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-example-com" {
+resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-api-elb-minimal-example-com" {
 from_port = 443
 ipv6_cidr_blocks = ["::/0"]
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
 to_port = 443
 type = "ingress"
 }
+resource "aws_security_group_rule" "from-api-elb-minimal-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-api-elb-minimal-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
 resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1000,41 +1019,50 @@ resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-udp-1
 }
 resource "aws_security_group_rule" "https-elb-to-master" {
- cidr_blocks = ["172.20.0.0/16"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 443
- type = "ingress"
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-minimal-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-example-com.id
+ to_port = 443
+ type = "ingress"
 }
 resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
 to_port = 4
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
+ source_security_group_id = aws_security_group.masters-minimal-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-minimal-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
 from_port = -1
 ipv6_cidr_blocks = ["::/0"]
 protocol = "icmpv6"
- security_group_id = aws_security_group.masters-minimal-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-example-com.id
 to_port = -1
 type = "ingress"
 }
-resource "aws_security_group_rule" "kops-controller-lb-to-master" {
- cidr_blocks = ["172.20.0.0/16"]
- from_port = 3988
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 3988
- type = "ingress"
-}
-
 resource "aws_sqs_queue" "minimal-example-com-nth" {
 message_retention_seconds = 300
 name = "minimal-example-com-nth"
diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf
index fbe0131c2a..2576479b16 100644
--- a/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf
@@ -619,6 +619,7 @@ resource "aws_lb" "api-minimal-ipv6-example-com" {
 ip_address_type = "dualstack"
 load_balancer_type = "network"
 name = "api-minimal-ipv6-example--jhj9te"
+ security_groups = [aws_security_group.api-elb-minimal-ipv6-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-minimal-ipv6-example-com.id
 }
@@ -1031,11 +1032,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-min
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
@@ -1058,15 +1059,33 @@ resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal-
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 from_port = 443
 ipv6_cidr_blocks = ["::/0"]
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
 resource "aws_security_group_rule" "from-masters-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1176,28 +1195,46 @@ resource "aws_security_group_rule" "from-nodes-minimal-ipv6-example-com-ingress-
 }
 resource "aws_security_group_rule" "https-elb-to-master" {
- cidr_blocks = ["172.20.0.0/16"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
- to_port = 443
- type = "ingress"
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 443
+ type = "ingress"
 }
 resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 4
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
 from_port = -1
 ipv6_cidr_blocks = ["::/0"]
 protocol = "icmpv6"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = -1
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf
index 47c64871ba..b95b25f989 100644
--- a/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal-ipv6-cilium/kubernetes.tf
@@ -619,6 +619,7 @@ resource "aws_lb" "api-minimal-ipv6-example-com" {
 ip_address_type = "dualstack"
 load_balancer_type = "network"
 name = "api-minimal-ipv6-example--jhj9te"
+ security_groups = [aws_security_group.api-elb-minimal-ipv6-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-minimal-ipv6-example-com.id
 }
@@ -1031,11 +1032,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-min
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
@@ -1058,15 +1059,33 @@ resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal-
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 from_port = 443
 ipv6_cidr_blocks = ["::/0"]
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
 resource "aws_security_group_rule" "from-masters-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1167,28 +1186,46 @@ resource "aws_security_group_rule" "from-nodes-minimal-ipv6-example-com-ingress-
 }
 resource "aws_security_group_rule" "https-elb-to-master" {
- cidr_blocks = ["172.20.0.0/16"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
- to_port = 443
- type = "ingress"
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 443
+ type = "ingress"
 }
 resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 4
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
 from_port = -1
 ipv6_cidr_blocks = ["::/0"]
 protocol = "icmpv6"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = -1
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf
index 0856492460..c22b297be9 100644
--- a/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal-ipv6-no-subnet-prefix/kubernetes.tf
@@ -619,6 +619,7 @@ resource "aws_lb" "api-minimal-ipv6-example-com" {
 ip_address_type = "dualstack"
 load_balancer_type = "network"
 name = "api-minimal-ipv6-example--jhj9te"
+ security_groups = [aws_security_group.api-elb-minimal-ipv6-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-minimal-ipv6-example-com.id
 }
@@ -1023,11 +1024,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-min
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
@@ -1050,15 +1051,33 @@ resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal-
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 from_port = 443
 ipv6_cidr_blocks = ["::/0"]
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
 resource "aws_security_group_rule" "from-masters-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1159,28 +1178,46 @@ resource "aws_security_group_rule" "from-nodes-minimal-ipv6-example-com-ingress- } resource "aws_security_group_rule" "https-elb-to-master" { - cidr_blocks = ["172.20.0.0/16"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id - to_port = 443 - type = "ingress" + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = 443 + type = "ingress" } resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id to_port = 4 type = "ingress" } +resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { from_port = -1 ipv6_cidr_blocks = ["::/0"] protocol = "icmpv6" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id to_port = -1 type = "ingress" } diff --git a/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf b/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf index 70c3e63935..daf244dc4d 100644 
--- a/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf +++ b/tests/integration/update_cluster/minimal-ipv6/kubernetes.tf @@ -619,6 +619,7 @@ resource "aws_lb" "api-minimal-ipv6-example-com" { ip_address_type = "dualstack" load_balancer_type = "network" name = "api-minimal-ipv6-example--jhj9te" + security_groups = [aws_security_group.api-elb-minimal-ipv6-example-com.id] subnet_mapping { subnet_id = aws_subnet.utility-us-test-1a-minimal-ipv6-example-com.id } @@ -1023,11 +1024,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-min type = "ingress" } -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id to_port = 443 type = "ingress" } 
@@ -1050,15 +1051,33 @@ resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal- type = "ingress" } -resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" { +resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" { from_port = 443 ipv6_cidr_blocks = ["::/0"] protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id to_port = 443 type = "ingress" } +resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-__--0" { + from_port = 0 + ipv6_cidr_blocks = ["::/0"] + protocol = "-1" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = 0 + type = "egress" +} + resource "aws_security_group_rule" "from-masters-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 
@@ -1159,28 +1178,46 @@ resource "aws_security_group_rule" "from-nodes-minimal-ipv6-example-com-ingress- } resource "aws_security_group_rule" "https-elb-to-master" { - cidr_blocks = ["172.20.0.0/16"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id - to_port = 443 - type = "ingress" + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = 443 + type = "ingress" } resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id to_port = 4 type = "ingress" } +resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" { from_port = -1 ipv6_cidr_blocks = ["::/0"] protocol = "icmpv6" - security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id + security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id to_port = -1 type = "ingress" } diff --git a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf index 7d82507542..8675c58304 100644 
--- a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf @@ -754,6 +754,7 @@ resource "aws_lb" "bastion-private-shared-ip-example-com" { internal = false load_balancer_type = "network" name = "bastion-private-shared-ip-eepmph" + security_groups = [aws_security_group.bastion-elb-private-shared-ip-example-com.id] subnet_mapping { subnet_id = aws_subnet.utility-us-test-1a-private-shared-ip-example-com.id } @@ -1037,6 +1038,17 @@ resource "aws_security_group" "api-elb-private-shared-ip-example-com" { vpc_id = "vpc-12345678" } +resource "aws_security_group" "bastion-elb-private-shared-ip-example-com" { + description = "Security group for bastion ELB" + name = "bastion-elb.private-shared-ip.example.com" + tags = { + "KubernetesCluster" = "private-shared-ip.example.com" + "Name" = "bastion-elb.private-shared-ip.example.com" + "kubernetes.io/cluster/private-shared-ip.example.com" = "owned" + } + vpc_id = "vpc-12345678" +} + resource "aws_security_group" "bastion-private-shared-ip-example-com" { description = "Security group for bastion" name = "bastion.private-shared-ip.example.com" @@ -1070,11 +1082,11 @@ resource "aws_security_group" "nodes-private-shared-ip-example-com" { vpc_id = "vpc-12345678" } -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-private-shared-ip-example-com" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-private-shared-ip-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id to_port = 22 type = "ingress" } 
@@ -1088,11 +1100,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb type = "ingress" } -resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-private-shared-ip-example-com" { +resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-private-shared-ip-example-com" { cidr_blocks = ["172.20.4.0/22"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id to_port = 22 type = "ingress" } 
@@ -1115,6 +1127,42 @@ resource "aws_security_group_rule" "from-api-elb-private-shared-ip-example-com-e type = "egress" } +resource "aws_security_group_rule" "from-bastion-elb-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-private-shared-ip-example-com-egress-all-0to0-__--0" { + from_port = 0 + ipv6_cidr_blocks = ["::/0"] + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-private-shared-ip-example-com-ingress-icmp-3to4-bastion-private-shared-ip-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-elb-private-shared-ip-example-com-ingress-tcp-22to22-bastion-private-shared-ip-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id + to_port = 22 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 
@@ -1133,6 +1181,15 @@ resource "aws_security_group_rule" "from-bastion-private-shared-ip-example-com-e type = "egress" } +resource "aws_security_group_rule" "from-bastion-private-shared-ip-example-com-ingress-icmp-3to4-bastion-elb-private-shared-ip-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-private-shared-ip-example-com-ingress-tcp-22to22-masters-private-shared-ip-example-com" { from_port = 22 protocol = "tcp" @@ -1268,11 +1325,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } +resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.api-elb-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.api-elb-private-shared-ip-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id to_port = 4 type = "ingress" } 
@@ -1281,7 +1356,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" { cidr_blocks = ["172.20.4.0/22"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id to_port = 4 type = "ingress" } diff --git a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf index 21cfaf33bb..3b48357183 100644 --- a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf @@ -749,6 +749,7 @@ resource "aws_lb" "bastion-private-shared-subnet-example-com" { internal = false load_balancer_type = "network" name = "bastion-private-shared-su-5ol32q" + security_groups = [aws_security_group.bastion-elb-private-shared-subnet-example-com.id] subnet_mapping { subnet_id = "subnet-abcdef" } @@ -974,6 +975,17 @@ resource "aws_security_group" "api-elb-private-shared-subnet-example-com" { vpc_id = "vpc-12345678" } +resource "aws_security_group" "bastion-elb-private-shared-subnet-example-com" { + description = "Security group for bastion ELB" + name = "bastion-elb.private-shared-subnet.example.com" + tags = { + "KubernetesCluster" = "private-shared-subnet.example.com" + "Name" = "bastion-elb.private-shared-subnet.example.com" + "kubernetes.io/cluster/private-shared-subnet.example.com" = "owned" + } + vpc_id = "vpc-12345678" +} + resource "aws_security_group" "bastion-private-shared-subnet-example-com" { description = "Security group for bastion" name = "bastion.private-shared-subnet.example.com" 
@@ -1007,11 +1019,11 @@ resource "aws_security_group" "nodes-private-shared-subnet-example-com" { vpc_id = "vpc-12345678" } -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-private-shared-subnet-example-com" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-private-shared-subnet-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id to_port = 22 type = "ingress" } @@ -1025,11 +1037,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb type = "ingress" } -resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-private-shared-subnet-example-com" { +resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-private-shared-subnet-example-com" { cidr_blocks = ["172.20.4.0/22"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id to_port = 22 type = "ingress" } 
@@ -1052,6 +1064,42 @@ resource "aws_security_group_rule" "from-api-elb-private-shared-subnet-example-c type = "egress" } +resource "aws_security_group_rule" "from-bastion-elb-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-private-shared-subnet-example-com-egress-all-0to0-__--0" { + from_port = 0 + ipv6_cidr_blocks = ["::/0"] + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-private-shared-subnet-example-com-ingress-icmp-3to4-bastion-private-shared-subnet-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-elb-private-shared-subnet-example-com-ingress-tcp-22to22-bastion-private-shared-subnet-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id + to_port = 22 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 
@@ -1070,6 +1118,15 @@ resource "aws_security_group_rule" "from-bastion-private-shared-subnet-example-c type = "egress" } +resource "aws_security_group_rule" "from-bastion-private-shared-subnet-example-com-ingress-icmp-3to4-bastion-elb-private-shared-subnet-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-private-shared-subnet-example-com-ingress-tcp-22to22-masters-private-shared-subnet-example-com" { from_port = 22 protocol = "tcp" @@ -1205,11 +1262,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } +resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.api-elb-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.api-elb-private-shared-subnet-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id to_port = 4 type = "ingress" } 
@@ -1218,7 +1293,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" { cidr_blocks = ["172.20.4.0/22"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id to_port = 4 type = "ingress" } diff --git a/tests/integration/update_cluster/privatecalico/kubernetes.tf b/tests/integration/update_cluster/privatecalico/kubernetes.tf index 1b6ca7e897..2c23d1615d 100644 --- a/tests/integration/update_cluster/privatecalico/kubernetes.tf +++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf @@ -768,6 +768,7 @@ resource "aws_lb" "bastion-privatecalico-example-com" { internal = false load_balancer_type = "network" name = "bastion-privatecalico-exa-hocohm" + security_groups = [aws_security_group.bastion-elb-privatecalico-example-com.id] subnet_mapping { subnet_id = aws_subnet.utility-us-test-1a-privatecalico-example-com.id } @@ -1067,6 +1068,17 @@ resource "aws_security_group" "api-elb-privatecalico-example-com" { vpc_id = aws_vpc.privatecalico-example-com.id } +resource "aws_security_group" "bastion-elb-privatecalico-example-com" { + description = "Security group for bastion ELB" + name = "bastion-elb.privatecalico.example.com" + tags = { + "KubernetesCluster" = "privatecalico.example.com" + "Name" = "bastion-elb.privatecalico.example.com" + "kubernetes.io/cluster/privatecalico.example.com" = "owned" + } + vpc_id = aws_vpc.privatecalico-example-com.id +} + resource "aws_security_group" "bastion-privatecalico-example-com" { description = "Security group for bastion" name = "bastion.privatecalico.example.com" 
@@ -1100,11 +1112,11 @@ resource "aws_security_group" "nodes-privatecalico-example-com" { vpc_id = aws_vpc.privatecalico-example-com.id } -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatecalico-example-com" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecalico-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id to_port = 22 type = "ingress" } @@ -1118,20 +1130,20 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb type = "ingress" } -resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatecalico-example-com" { +resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatecalico-example-com" { cidr_blocks = ["172.20.4.0/22"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id to_port = 22 type = "ingress" } -resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-bastion-privatecalico-example-com" { +resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-bastion-elb-privatecalico-example-com" { from_port = 22 ipv6_cidr_blocks = ["::/0"] protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id to_port = 22 type = "ingress" } 
@@ -1163,6 +1175,42 @@ resource "aws_security_group_rule" "from-api-elb-privatecalico-example-com-egres type = "egress" } +resource "aws_security_group_rule" "from-bastion-elb-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-privatecalico-example-com-egress-all-0to0-__--0" { + from_port = 0 + ipv6_cidr_blocks = ["::/0"] + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-privatecalico-example-com-ingress-icmp-3to4-bastion-privatecalico-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-privatecalico-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-elb-privatecalico-example-com-ingress-tcp-22to22-bastion-privatecalico-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatecalico-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id + to_port = 22 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 
@@ -1181,6 +1229,15 @@ resource "aws_security_group_rule" "from-bastion-privatecalico-example-com-egres type = "egress" } +resource "aws_security_group_rule" "from-bastion-privatecalico-example-com-ingress-icmp-3to4-bastion-elb-privatecalico-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id + source_security_group_id = aws_security_group.bastion-privatecalico-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-privatecalico-example-com-ingress-tcp-22to22-masters-privatecalico-example-com" { from_port = 22 protocol = "tcp" @@ -1325,11 +1382,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } +resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.api-elb-privatecalico-example-com.id + source_security_group_id = aws_security_group.masters-privatecalico-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + source_security_group_id = aws_security_group.api-elb-privatecalico-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id to_port = 4 type = "ingress" } 
@@ -1338,7 +1413,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" { cidr_blocks = ["172.20.4.0/22"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id to_port = 4 type = "ingress" } @@ -1356,7 +1431,7 @@ resource "aws_security_group_rule" "icmpv6-pmtu-ssh-nlb-__--0" { from_port = -1 ipv6_cidr_blocks = ["::/0"] protocol = "icmpv6" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id to_port = -1 type = "ingress" } diff --git a/tests/integration/update_cluster/privatecanal/kubernetes.tf b/tests/integration/update_cluster/privatecanal/kubernetes.tf index b9ccb0dc51..84cdfc2927 100644 --- a/tests/integration/update_cluster/privatecanal/kubernetes.tf +++ b/tests/integration/update_cluster/privatecanal/kubernetes.tf @@ -772,6 +772,7 @@ resource "aws_lb" "bastion-privatecanal-example-com" { internal = false load_balancer_type = "network" name = "bastion-privatecanal-exam-hmhsp5" + security_groups = [aws_security_group.bastion-elb-privatecanal-example-com.id] subnet_mapping { subnet_id = aws_subnet.utility-us-test-1a-privatecanal-example-com.id } 
@@ -1071,6 +1072,17 @@ resource "aws_security_group" "api-elb-privatecanal-example-com" { vpc_id = aws_vpc.privatecanal-example-com.id } +resource "aws_security_group" "bastion-elb-privatecanal-example-com" { + description = "Security group for bastion ELB" + name = "bastion-elb.privatecanal.example.com" + tags = { + "KubernetesCluster" = "privatecanal.example.com" + "Name" = "bastion-elb.privatecanal.example.com" + "kubernetes.io/cluster/privatecanal.example.com" = "owned" + } + vpc_id = aws_vpc.privatecanal-example-com.id +} + resource "aws_security_group" "bastion-privatecanal-example-com" { description = "Security group for bastion" name = "bastion.privatecanal.example.com" @@ -1104,11 +1116,11 @@ resource "aws_security_group" "nodes-privatecanal-example-com" { vpc_id = aws_vpc.privatecanal-example-com.id } -resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatecanal-example-com" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecanal-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id to_port = 22 type = "ingress" } @@ -1122,11 +1134,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb type = "ingress" } -resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatecanal-example-com" { +resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatecanal-example-com" { cidr_blocks = ["172.20.4.0/22"] from_port = 22 protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id to_port = 22 type = "ingress" } 
@@ -1149,6 +1161,42 @@ resource "aws_security_group_rule" "from-api-elb-privatecanal-example-com-egress type = "egress" } +resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-egress-all-0to0-__--0" { + from_port = 0 + ipv6_cidr_blocks = ["::/0"] + protocol = "-1" + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-ingress-icmp-3to4-bastion-privatecanal-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-privatecanal-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-ingress-tcp-22to22-bastion-privatecanal-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatecanal-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id + to_port = 22 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 
@@ -1167,6 +1215,15 @@ resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-egress type = "egress" } +resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-ingress-icmp-3to4-bastion-elb-privatecanal-example-com" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id + source_security_group_id = aws_security_group.bastion-privatecanal-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-ingress-tcp-22to22-masters-privatecanal-example-com" { from_port = 22 protocol = "tcp" @@ -1302,11 +1359,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } +resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.api-elb-privatecanal-example-com.id + source_security_group_id = aws_security_group.masters-privatecanal-example-com.id + to_port = 4 + type = "ingress" +} + +resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" { + from_port = 3 + protocol = "icmp" + security_group_id = aws_security_group.masters-privatecanal-example-com.id + source_security_group_id = aws_security_group.api-elb-privatecanal-example-com.id + to_port = 4 + type = "ingress" +} + resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id to_port = 4 type = "ingress" } 
@@ -1315,7 +1390,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" { cidr_blocks = ["172.20.4.0/22"] from_port = 3 protocol = "icmp" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id to_port = 4 type = "ingress" } diff --git a/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf b/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf index 289f5e2657..71e93ebb1d 100644 --- a/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf +++ b/tests/integration/update_cluster/privatecilium-eni/kubernetes.tf @@ -772,6 +772,7 @@ resource "aws_lb" "bastion-privatecilium-example-com" { internal = false load_balancer_type = "network" name = "bastion-privatecilium-exa-l2ms01" + security_groups = [aws_security_group.bastion-elb-privatecilium-example-com.id] subnet_mapping { subnet_id = aws_subnet.utility-us-test-1a-privatecilium-example-com.id } @@ -1063,6 +1064,17 @@ resource "aws_security_group" "api-elb-privatecilium-example-com" { vpc_id = aws_vpc.privatecilium-example-com.id } +resource "aws_security_group" "bastion-elb-privatecilium-example-com" { + description = "Security group for bastion ELB" + name = "bastion-elb.privatecilium.example.com" + tags = { + "KubernetesCluster" = "privatecilium.example.com" + "Name" = "bastion-elb.privatecilium.example.com" + "kubernetes.io/cluster/privatecilium.example.com" = "owned" + } + vpc_id = aws_vpc.privatecilium-example-com.id +} + resource "aws_security_group" "bastion-privatecilium-example-com" { description = "Security group for bastion" name = "bastion.privatecilium.example.com" 
@@ -1096,11 +1108,11 @@ resource "aws_security_group" "nodes-privatecilium-example-com" {
   vpc_id = aws_vpc.privatecilium-example-com.id
 }
 
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1114,11 +1126,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1141,6 +1153,42 @@ resource "aws_security_group_rule" "from-api-elb-privatecilium-example-com-egres
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" {
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-__--0" {
+  from_port = 0
+  ipv6_cidr_blocks = ["::/0"]
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-icmp-3to4-bastion-privatecilium-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 22
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 0
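Review bot: The first two added rules give the new `bastion-elb` security group unrestricted egress (`protocol = "-1"` to `0.0.0.0/0` and `::/0`), although the only thing this NLB has to reach is the bastion instances on tcp/22, which the fourth added rule already expresses from the bastion side. The `api-elb` group named in the hunk header follows the same wide-egress pattern, so this is consistent with existing output, but the bastion ELB group is now the one attached to an internet-facing SSH listener and is the natural place to apply least privilege; an egress rule scoped to the bastion group on port 22 would replace both all-traffic rules. Whether PMTU replies (ICMP 3/4) from the bastion also need an explicit egress entry on the ELB group depends on how the NLB handles them, which I cannot tell from the fixture. Since this file is produced by hack/update-expected.sh, the change belongs in the generator that emits these rules, not in this expected output.

```terraform
resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-tcp-22to22-bastion-privatecilium-example-com" {
  from_port                = 22
  protocol                 = "tcp"
  security_group_id        = aws_security_group.bastion-elb-privatecilium-example-com.id
  source_security_group_id = aws_security_group.bastion-privatecilium-example-com.id
  to_port                  = 22
  type                     = "egress"
}
# … unchanged: the two ingress rules on the bastion group (icmp 3/4 and tcp/22 from the ELB group) …
```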
@@ -1159,6 +1207,15 @@ resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egres
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-icmp-3to4-bastion-elb-privatecilium-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-tcp-22to22-masters-privatecilium-example-com" {
   from_port = 22
   protocol = "tcp"
@@ -1294,11 +1351,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
   type = "ingress"
 }
 
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.api-elb-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.masters-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.masters-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.api-elb-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 4
   type = "ingress"
 }
@@ -1307,7 +1382,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 4
   type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privatecilium/kubernetes.tf b/tests/integration/update_cluster/privatecilium/kubernetes.tf
index 289f5e2657..71e93ebb1d 100644
--- a/tests/integration/update_cluster/privatecilium/kubernetes.tf
+++ b/tests/integration/update_cluster/privatecilium/kubernetes.tf
@@ -772,6 +772,7 @@ resource "aws_lb" "bastion-privatecilium-example-com" {
   internal = false
   load_balancer_type = "network"
   name = "bastion-privatecilium-exa-l2ms01"
+  security_groups = [aws_security_group.bastion-elb-privatecilium-example-com.id]
   subnet_mapping {
     subnet_id = aws_subnet.utility-us-test-1a-privatecilium-example-com.id
   }
@@ -1063,6 +1064,17 @@ resource "aws_security_group" "api-elb-privatecilium-example-com" {
   vpc_id = aws_vpc.privatecilium-example-com.id
 }
 
+resource "aws_security_group" "bastion-elb-privatecilium-example-com" {
+  description = "Security group for bastion ELB"
+  name = "bastion-elb.privatecilium.example.com"
+  tags = {
+    "KubernetesCluster" = "privatecilium.example.com"
+    "Name" = "bastion-elb.privatecilium.example.com"
+    "kubernetes.io/cluster/privatecilium.example.com" = "owned"
+  }
+  vpc_id = aws_vpc.privatecilium-example-com.id
+}
+
 resource "aws_security_group" "bastion-privatecilium-example-com" {
   description = "Security group for bastion"
   name = "bastion.privatecilium.example.com"
@@ -1096,11 +1108,11 @@ resource "aws_security_group" "nodes-privatecilium-example-com" {
   vpc_id = aws_vpc.privatecilium-example-com.id
 }
 
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1114,11 +1126,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1141,6 +1153,42 @@ resource "aws_security_group_rule" "from-api-elb-privatecilium-example-com-egres
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" {
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-__--0" {
+  from_port = 0
+  ipv6_cidr_blocks = ["::/0"]
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-icmp-3to4-bastion-privatecilium-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 22
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 0
@@ -1159,6 +1207,15 @@ resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egres
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-icmp-3to4-bastion-elb-privatecilium-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-tcp-22to22-masters-privatecilium-example-com" {
   from_port = 22
   protocol = "tcp"
@@ -1294,11 +1351,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
   type = "ingress"
 }
 
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.api-elb-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.masters-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.masters-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.api-elb-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 4
   type = "ingress"
 }
@@ -1307,7 +1382,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 4
   type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privatecilium2/kubernetes.tf b/tests/integration/update_cluster/privatecilium2/kubernetes.tf
index ff8b9e1dab..6b22a6111e 100644
--- a/tests/integration/update_cluster/privatecilium2/kubernetes.tf
+++ b/tests/integration/update_cluster/privatecilium2/kubernetes.tf
@@ -772,6 +772,7 @@ resource "aws_lb" "bastion-privatecilium-example-com" {
   internal = false
   load_balancer_type = "network"
   name = "bastion-privatecilium-exa-l2ms01"
+  security_groups = [aws_security_group.bastion-elb-privatecilium-example-com.id]
   subnet_mapping {
     subnet_id = aws_subnet.utility-us-test-1a-privatecilium-example-com.id
   }
@@ -1079,6 +1080,17 @@ resource "aws_security_group" "api-elb-privatecilium-example-com" {
   vpc_id = aws_vpc.privatecilium-example-com.id
 }
 
+resource "aws_security_group" "bastion-elb-privatecilium-example-com" {
+  description = "Security group for bastion ELB"
+  name = "bastion-elb.privatecilium.example.com"
+  tags = {
+    "KubernetesCluster" = "privatecilium.example.com"
+    "Name" = "bastion-elb.privatecilium.example.com"
+    "kubernetes.io/cluster/privatecilium.example.com" = "owned"
+  }
+  vpc_id = aws_vpc.privatecilium-example-com.id
+}
+
 resource "aws_security_group" "bastion-privatecilium-example-com" {
   description = "Security group for bastion"
   name = "bastion.privatecilium.example.com"
@@ -1112,11 +1124,11 @@ resource "aws_security_group" "nodes-privatecilium-example-com" {
   vpc_id = aws_vpc.privatecilium-example-com.id
 }
 
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1130,11 +1142,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1157,6 +1169,42 @@ resource "aws_security_group_rule" "from-api-elb-privatecilium-example-com-egres
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" {
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-__--0" {
+  from_port = 0
+  ipv6_cidr_blocks = ["::/0"]
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-icmp-3to4-bastion-privatecilium-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-tcp-22to22-bastion-privatecilium-example-com" {
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  to_port = 22
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 0
@@ -1175,6 +1223,15 @@ resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egres
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-icmp-3to4-bastion-elb-privatecilium-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-tcp-22to22-masters-privatecilium-example-com" {
   from_port = 22
   protocol = "tcp"
@@ -1310,11 +1367,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
   type = "ingress"
 }
 
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.api-elb-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.masters-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.masters-privatecilium-example-com.id
+  source_security_group_id = aws_security_group.api-elb-privatecilium-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 4
   type = "ingress"
 }
@@ -1323,7 +1398,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatecilium-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id
   to_port = 4
   type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf
index 342f3d5f9f..5ae576329e 100644
--- a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf
+++ b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf
@@ -789,6 +789,7 @@ resource "aws_lb" "bastion-privateciliumadvanced-example-com" {
   internal = false
   load_balancer_type = "network"
   name = "bastion-privateciliumadva-0jni40"
+  security_groups = [aws_security_group.bastion-elb-privateciliumadvanced-example-com.id]
   subnet_mapping {
     subnet_id = aws_subnet.utility-us-test-1a-privateciliumadvanced-example-com.id
   }
@@ -1096,6 +1097,17 @@ resource "aws_security_group" "api-elb-privateciliumadvanced-example-com" {
   vpc_id = aws_vpc.privateciliumadvanced-example-com.id
 }
 
+resource "aws_security_group" "bastion-elb-privateciliumadvanced-example-com" {
+  description = "Security group for bastion ELB"
+  name = "bastion-elb.privateciliumadvanced.example.com"
+  tags = {
+    "KubernetesCluster" = "privateciliumadvanced.example.com"
+    "Name" = "bastion-elb.privateciliumadvanced.example.com"
+    "kubernetes.io/cluster/privateciliumadvanced.example.com" = "owned"
+  }
+  vpc_id = aws_vpc.privateciliumadvanced-example-com.id
+}
+
 resource "aws_security_group" "bastion-privateciliumadvanced-example-com" {
   description = "Security group for bastion"
   name = "bastion.privateciliumadvanced.example.com"
@@ -1129,11 +1141,11 @@ resource "aws_security_group" "nodes-privateciliumadvanced-example-com" {
   vpc_id = aws_vpc.privateciliumadvanced-example-com.id
 }
 
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privateciliumadvanced-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privateciliumadvanced-example-com" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1147,11 +1159,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privateciliumadvanced-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privateciliumadvanced-example-com" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1174,6 +1186,42 @@ resource "aws_security_group_rule" "from-api-elb-privateciliumadvanced-example-c
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-elb-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" {
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privateciliumadvanced-example-com-egress-all-0to0-__--0" {
+  from_port = 0
+  ipv6_cidr_blocks = ["::/0"]
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privateciliumadvanced-example-com-ingress-icmp-3to4-bastion-privateciliumadvanced-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privateciliumadvanced-example-com-ingress-tcp-22to22-bastion-privateciliumadvanced-example-com" {
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
+  to_port = 22
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 0
@@ -1192,6 +1240,15 @@ resource "aws_security_group_rule" "from-bastion-privateciliumadvanced-example-c
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-privateciliumadvanced-example-com-ingress-icmp-3to4-bastion-elb-privateciliumadvanced-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
+  source_security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privateciliumadvanced-example-com-ingress-tcp-22to22-masters-privateciliumadvanced-example-com" {
   from_port = 22
   protocol = "tcp"
@@ -1327,11 +1384,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
   type = "ingress"
 }
 
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.api-elb-privateciliumadvanced-example-com.id
+  source_security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id
+  source_security_group_id = aws_security_group.api-elb-privateciliumadvanced-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
   to_port = 4
   type = "ingress"
 }
@@ -1340,7 +1415,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id
   to_port = 4
   type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privatedns1/kubernetes.tf b/tests/integration/update_cluster/privatedns1/kubernetes.tf
index 322d01d259..7cb63a4d39 100644
--- a/tests/integration/update_cluster/privatedns1/kubernetes.tf
+++ b/tests/integration/update_cluster/privatedns1/kubernetes.tf
@@ -852,6 +852,7 @@ resource "aws_lb" "bastion-privatedns1-example-com" {
   internal = false
   load_balancer_type = "network"
   name = "bastion-privatedns1-examp-mbgbef"
+  security_groups = [aws_security_group.bastion-elb-privatedns1-example-com.id]
   subnet_mapping {
     subnet_id = aws_subnet.utility-us-test-1a-privatedns1-example-com.id
   }
@@ -1152,6 +1153,19 @@ resource "aws_security_group" "api-elb-privatedns1-example-com" {
   vpc_id = aws_vpc.privatedns1-example-com.id
 }
 
+resource "aws_security_group" "bastion-elb-privatedns1-example-com" {
+  description = "Security group for bastion ELB"
+  name = "bastion-elb.privatedns1.example.com"
+  tags = {
+    "KubernetesCluster" = "privatedns1.example.com"
+    "Name" = "bastion-elb.privatedns1.example.com"
+    "Owner" = "John Doe"
+    "foo/bar" = "fib+baz"
+    "kubernetes.io/cluster/privatedns1.example.com" = "owned"
+  }
+  vpc_id = aws_vpc.privatedns1-example-com.id
+}
+
 resource "aws_security_group" "bastion-privatedns1-example-com" {
   description = "Security group for bastion"
   name = "bastion.privatedns1.example.com"
@@ -1191,11 +1205,11 @@ resource "aws_security_group" "nodes-privatedns1-example-com" {
   vpc_id = aws_vpc.privatedns1-example-com.id
 }
 
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatedns1-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatedns1-example-com" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatedns1-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1209,11 +1223,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatedns1-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatedns1-example-com" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatedns1-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1236,6 +1250,42 @@ resource "aws_security_group_rule" "from-api-elb-privatedns1-example-com-egress-
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-elb-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" {
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 0
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatedns1-example-com-egress-all-0to0-__--0" {
+  from_port = 0
+  ipv6_cidr_blocks = ["::/0"]
+  protocol = "-1"
+  security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
+  to_port = 0
+  type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatedns1-example-com-ingress-icmp-3to4-bastion-privatedns1-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-privatedns1-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatedns1-example-com-ingress-tcp-22to22-bastion-privatedns1-example-com" {
+  from_port = 22
+  protocol = "tcp"
+  security_group_id = aws_security_group.bastion-privatedns1-example-com.id
+  source_security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
+  to_port = 22
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 0
@@ -1254,6 +1304,15 @@ resource "aws_security_group_rule" "from-bastion-privatedns1-example-com-egress-
   type = "egress"
 }
 
+resource "aws_security_group_rule" "from-bastion-privatedns1-example-com-ingress-icmp-3to4-bastion-elb-privatedns1-example-com" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
+  source_security_group_id = aws_security_group.bastion-privatedns1-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatedns1-example-com-ingress-tcp-22to22-masters-privatedns1-example-com" {
   from_port = 22
   protocol = "tcp"
@@ -1389,11 +1448,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
   type = "ingress"
 }
 
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.api-elb-privatedns1-example-com.id
+  source_security_group_id = aws_security_group.masters-privatedns1-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+  from_port = 3
+  protocol = "icmp"
+  security_group_id = aws_security_group.masters-privatedns1-example-com.id
+  source_security_group_id = aws_security_group.api-elb-privatedns1-example-com.id
+  to_port = 4
+  type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatedns1-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
   to_port = 4
   type = "ingress"
 }
@@ -1402,7 +1479,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 3
   protocol = "icmp"
-  security_group_id = aws_security_group.bastion-privatedns1-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id
   to_port = 4
   type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privatedns2/kubernetes.tf b/tests/integration/update_cluster/privatedns2/kubernetes.tf
index effe4fe337..0338a1d005 100644
--- a/tests/integration/update_cluster/privatedns2/kubernetes.tf
+++ b/tests/integration/update_cluster/privatedns2/kubernetes.tf
@@ -763,6 +763,7 @@ resource "aws_lb" "bastion-privatedns2-example-com" {
   internal = false
   load_balancer_type = "network"
   name = "bastion-privatedns2-examp-e704o2"
+  security_groups = [aws_security_group.bastion-elb-privatedns2-example-com.id]
   subnet_mapping {
     subnet_id = aws_subnet.utility-us-test-1a-privatedns2-example-com.id
   }
@@ -1046,6 +1047,17 @@ resource "aws_security_group" "api-elb-privatedns2-example-com" {
   vpc_id = "vpc-12345678"
 }
 
+resource "aws_security_group" "bastion-elb-privatedns2-example-com" {
+  description = "Security group for bastion ELB"
+  name = "bastion-elb.privatedns2.example.com"
+  tags = {
+    "KubernetesCluster" = "privatedns2.example.com"
+    "Name" = "bastion-elb.privatedns2.example.com"
+    "kubernetes.io/cluster/privatedns2.example.com" = "owned"
+  }
+  vpc_id = "vpc-12345678"
+}
+
 resource "aws_security_group" "bastion-privatedns2-example-com" {
   description = "Security group for bastion"
   name = "bastion.privatedns2.example.com"
@@ -1079,11 +1091,11 @@ resource "aws_security_group" "nodes-privatedns2-example-com" {
   vpc_id = "vpc-12345678"
 }
 
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatedns2-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatedns2-example-com" {
   cidr_blocks = ["0.0.0.0/0"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatedns2-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1097,11 +1109,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
   type = "ingress"
 }
 
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatedns2-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatedns2-example-com" {
   cidr_blocks = ["172.20.4.0/22"]
   from_port = 22
   protocol = "tcp"
-  security_group_id = aws_security_group.bastion-privatedns2-example-com.id
+  security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
   to_port = 22
   type = "ingress"
 }
@@ -1124,6 +1136,42 @@ resource "aws_security_group_rule" "from-api-elb-privatedns2-example-com-egress-
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-elb-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatedns2-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatedns2-example-com-ingress-icmp-3to4-bastion-privatedns2-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-privatedns2-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatedns2-example-com-ingress-tcp-22to22-bastion-privatedns2-example-com" {
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.bastion-privatedns2-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
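Review bot: The two `from-bastion-elb-privatedns2-example-com-egress-all-0to0-*` rules let the new bastion NLB security group send any protocol to `0.0.0.0/0` and `::/0`, while the only traffic that group needs to originate is what the same hunk already models on the bastion side: tcp/22 and ICMP type 3 code 4 toward `aws_security_group.bastion-privatedns2-example-com`. Security groups attached to an NLB gate what the load balancer can send to its targets, so these two wildcard rules could be replaced by an egress pair mirroring the two `from-bastion-elb-…-ingress-*` rules, with `security_group_id` set to the ELB group, `source_security_group_id = aws_security_group.bastion-privatedns2-example-com.id` and `type = "egress"`, which keeps the NLB from reaching anything else in the VPC if its targets or listeners change later. This file is a regenerated expected-output fixture, so the narrowing (or a comment explaining why all-egress is deliberate, e.g. for health checks) belongs in the code that emits these rules rather than in the fixture. The same wildcard egress pair appears for the bastion ELB group in the privateflannel, privatekopeio and unmanaged sections below, and for the api-elb group in the shared_vpc_ipv6 section.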
@@ -1142,6 +1190,15 @@ resource "aws_security_group_rule" "from-bastion-privatedns2-example-com-egress-
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-privatedns2-example-com-ingress-icmp-3to4-bastion-elb-privatedns2-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
+ source_security_group_id = aws_security_group.bastion-privatedns2-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatedns2-example-com-ingress-tcp-22to22-masters-privatedns2-example-com" {
 from_port = 22
 protocol = "tcp"
@@ -1277,11 +1334,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-privatedns2-example-com.id
+ source_security_group_id = aws_security_group.masters-privatedns2-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-privatedns2-example-com.id
+ source_security_group_id = aws_security_group.api-elb-privatedns2-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-privatedns2-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
 to_port = 4
 type = "ingress"
 }
@@ -1290,7 +1365,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-privatedns2-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id
 to_port = 4
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privateflannel/kubernetes.tf b/tests/integration/update_cluster/privateflannel/kubernetes.tf
index e55f5fb769..d835b398c5 100644
--- a/tests/integration/update_cluster/privateflannel/kubernetes.tf
+++ b/tests/integration/update_cluster/privateflannel/kubernetes.tf
@@ -772,6 +772,7 @@ resource "aws_lb" "bastion-privateflannel-example-com" {
 internal = false
 load_balancer_type = "network"
 name = "bastion-privateflannel-ex-753531"
+ security_groups = [aws_security_group.bastion-elb-privateflannel-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-privateflannel-example-com.id
 }
@@ -1071,6 +1072,17 @@ resource "aws_security_group" "api-elb-privateflannel-example-com" {
 vpc_id = aws_vpc.privateflannel-example-com.id
 }
+resource "aws_security_group" "bastion-elb-privateflannel-example-com" {
+ description = "Security group for bastion ELB"
+ name = "bastion-elb.privateflannel.example.com"
+ tags = {
+ "KubernetesCluster" = "privateflannel.example.com"
+ "Name" = "bastion-elb.privateflannel.example.com"
+ "kubernetes.io/cluster/privateflannel.example.com" = "owned"
+ }
+ vpc_id = aws_vpc.privateflannel-example-com.id
+}
+
 resource "aws_security_group" "bastion-privateflannel-example-com" {
 description = "Security group for bastion"
 name = "bastion.privateflannel.example.com"
@@ -1104,11 +1116,11 @@ resource "aws_security_group" "nodes-privateflannel-example-com" {
 vpc_id = aws_vpc.privateflannel-example-com.id
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privateflannel-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privateflannel-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-privateflannel-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1122,11 +1134,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privateflannel-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privateflannel-example-com" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-privateflannel-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1149,6 +1161,42 @@ resource "aws_security_group_rule" "from-api-elb-privateflannel-example-com-egre
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-elb-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privateflannel-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privateflannel-example-com-ingress-icmp-3to4-bastion-privateflannel-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-privateflannel-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privateflannel-example-com-ingress-tcp-22to22-bastion-privateflannel-example-com" {
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.bastion-privateflannel-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1167,6 +1215,15 @@ resource "aws_security_group_rule" "from-bastion-privateflannel-example-com-egre
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-privateflannel-example-com-ingress-icmp-3to4-bastion-elb-privateflannel-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
+ source_security_group_id = aws_security_group.bastion-privateflannel-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privateflannel-example-com-ingress-tcp-22to22-masters-privateflannel-example-com" {
 from_port = 22
 protocol = "tcp"
@@ -1302,11 +1359,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-privateflannel-example-com.id
+ source_security_group_id = aws_security_group.masters-privateflannel-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-privateflannel-example-com.id
+ source_security_group_id = aws_security_group.api-elb-privateflannel-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-privateflannel-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
 to_port = 4
 type = "ingress"
 }
@@ -1315,7 +1390,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-privateflannel-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id
 to_port = 4
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/privatekopeio/kubernetes.tf b/tests/integration/update_cluster/privatekopeio/kubernetes.tf
index 50f6dae4a4..dc839f69b2 100644
--- a/tests/integration/update_cluster/privatekopeio/kubernetes.tf
+++ b/tests/integration/update_cluster/privatekopeio/kubernetes.tf
@@ -778,6 +778,7 @@ resource "aws_lb" "bastion-privatekopeio-example-com" {
 internal = false
 load_balancer_type = "network"
 name = "bastion-privatekopeio-exa-d8ef8e"
+ security_groups = [aws_security_group.bastion-elb-privatekopeio-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-privatekopeio-example-com.id
 }
@@ -1088,6 +1089,17 @@ resource "aws_security_group" "api-elb-privatekopeio-example-com" {
 vpc_id = aws_vpc.privatekopeio-example-com.id
 }
+resource "aws_security_group" "bastion-elb-privatekopeio-example-com" {
+ description = "Security group for bastion ELB"
+ name = "bastion-elb.privatekopeio.example.com"
+ tags = {
+ "KubernetesCluster" = "privatekopeio.example.com"
+ "Name" = "bastion-elb.privatekopeio.example.com"
+ "kubernetes.io/cluster/privatekopeio.example.com" = "owned"
+ }
+ vpc_id = aws_vpc.privatekopeio-example-com.id
+}
+
 resource "aws_security_group" "bastion-privatekopeio-example-com" {
 description = "Security group for bastion"
 name = "bastion.privatekopeio.example.com"
@@ -1121,11 +1133,11 @@ resource "aws_security_group" "nodes-privatekopeio-example-com" {
 vpc_id = aws_vpc.privatekopeio-example-com.id
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-privatekopeio-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatekopeio-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1139,20 +1151,20 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-privatekopeio-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-privatekopeio-example-com" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
 to_port = 22
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-172-20-8-0--22-ingress-tcp-22to22-bastion-privatekopeio-example-com" {
+resource "aws_security_group_rule" "from-172-20-8-0--22-ingress-tcp-22to22-bastion-elb-privatekopeio-example-com" {
 cidr_blocks = ["172.20.8.0/22"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1175,6 +1187,42 @@ resource "aws_security_group_rule" "from-api-elb-privatekopeio-example-com-egres
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-elb-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatekopeio-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatekopeio-example-com-ingress-icmp-3to4-bastion-privatekopeio-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-privatekopeio-example-com-ingress-tcp-22to22-bastion-privatekopeio-example-com" {
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1193,6 +1241,15 @@ resource "aws_security_group_rule" "from-bastion-privatekopeio-example-com-egres
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-privatekopeio-example-com-ingress-icmp-3to4-bastion-elb-privatekopeio-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
+ source_security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-privatekopeio-example-com-ingress-tcp-22to22-masters-privatekopeio-example-com" {
 from_port = 22
 protocol = "tcp"
@@ -1328,11 +1385,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-privatekopeio-example-com.id
+ source_security_group_id = aws_security_group.masters-privatekopeio-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-privatekopeio-example-com.id
+ source_security_group_id = aws_security_group.api-elb-privatekopeio-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
 to_port = 4
 type = "ingress"
 }
@@ -1341,7 +1416,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
 to_port = 4
 type = "ingress"
 }
@@ -1350,7 +1425,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-8-0--22" {
 cidr_blocks = ["172.20.8.0/22"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-privatekopeio-example-com.id
+ security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id
 to_port = 4
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf b/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf
index 8c27088d14..cab1d640fe 100644
--- a/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf
+++ b/tests/integration/update_cluster/shared_vpc_ipv6/kubernetes.tf
@@ -601,6 +601,7 @@ resource "aws_lb" "api-minimal-ipv6-example-com" {
 ip_address_type = "dualstack"
 load_balancer_type = "network"
 name = "api-minimal-ipv6-example--jhj9te"
+ security_groups = [aws_security_group.api-elb-minimal-ipv6-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-minimal-ipv6-example-com.id
 }
@@ -1005,11 +1006,11 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-min
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 443
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
@@ -1032,15 +1033,33 @@ resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-nodes-minimal-
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-masters-minimal-ipv6-example-com" {
+resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-api-elb-minimal-ipv6-example-com" {
 from_port = 443
 ipv6_cidr_blocks = ["::/0"]
 protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 443
 type = "ingress"
 }
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-api-elb-minimal-ipv6-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
 resource "aws_security_group_rule" "from-masters-minimal-ipv6-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1141,28 +1160,46 @@ resource "aws_security_group_rule" "from-nodes-minimal-ipv6-example-com-ingress-
 }
 resource "aws_security_group_rule" "https-elb-to-master" {
- cidr_blocks = ["172.20.0.0/16"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
- to_port = 443
- type = "ingress"
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 443
+ type = "ingress"
 }
 resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = 4
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ source_security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
 from_port = -1
 ipv6_cidr_blocks = ["::/0"]
 protocol = "icmpv6"
- security_group_id = aws_security_group.masters-minimal-ipv6-example-com.id
+ security_group_id = aws_security_group.api-elb-minimal-ipv6-example-com.id
 to_port = -1
 type = "ingress"
 }
diff --git a/tests/integration/update_cluster/unmanaged/kubernetes.tf b/tests/integration/update_cluster/unmanaged/kubernetes.tf
index 67d32c6a59..70b6f3f850 100644
--- a/tests/integration/update_cluster/unmanaged/kubernetes.tf
+++ b/tests/integration/update_cluster/unmanaged/kubernetes.tf
@@ -754,6 +754,7 @@ resource "aws_lb" "bastion-unmanaged-example-com" {
 internal = false
 load_balancer_type = "network"
 name = "bastion-unmanaged-example-d7bn3d"
+ security_groups = [aws_security_group.bastion-elb-unmanaged-example-com.id]
 subnet_mapping {
 subnet_id = aws_subnet.utility-us-test-1a-unmanaged-example-com.id
 }
@@ -982,6 +983,17 @@ resource "aws_security_group" "api-elb-unmanaged-example-com" {
 vpc_id = "vpc-12345678"
 }
+resource "aws_security_group" "bastion-elb-unmanaged-example-com" {
+ description = "Security group for bastion ELB"
+ name = "bastion-elb.unmanaged.example.com"
+ tags = {
+ "KubernetesCluster" = "unmanaged.example.com"
+ "Name" = "bastion-elb.unmanaged.example.com"
+ "kubernetes.io/cluster/unmanaged.example.com" = "owned"
+ }
+ vpc_id = "vpc-12345678"
+}
+
 resource "aws_security_group" "bastion-unmanaged-example-com" {
 description = "Security group for bastion"
 name = "bastion.unmanaged.example.com"
@@ -1015,11 +1027,11 @@ resource "aws_security_group" "nodes-unmanaged-example-com" {
 vpc_id = "vpc-12345678"
 }
-resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-unmanaged-example-com" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-unmanaged-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1033,20 +1045,20 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-unmanaged-example-com" {
+resource "aws_security_group_rule" "from-172-20-4-0--22-ingress-tcp-22to22-bastion-elb-unmanaged-example-com" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
 to_port = 22
 type = "ingress"
 }
-resource "aws_security_group_rule" "from-172-20-8-0--22-ingress-tcp-22to22-bastion-unmanaged-example-com" {
+resource "aws_security_group_rule" "from-172-20-8-0--22-ingress-tcp-22to22-bastion-elb-unmanaged-example-com" {
 cidr_blocks = ["172.20.8.0/22"]
 from_port = 22
 protocol = "tcp"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
 to_port = 22
 type = "ingress"
 }
@@ -1069,6 +1081,42 @@ resource "aws_security_group_rule" "from-api-elb-unmanaged-example-com-egress-al
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-elb-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-unmanaged-example-com-egress-all-0to0-__--0" {
+ from_port = 0
+ ipv6_cidr_blocks = ["::/0"]
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-unmanaged-example-com-ingress-icmp-3to4-bastion-unmanaged-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-elb-unmanaged-example-com-ingress-tcp-22to22-bastion-unmanaged-example-com" {
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
@@ -1087,6 +1135,15 @@ resource "aws_security_group_rule" "from-bastion-unmanaged-example-com-egress-al
 type = "egress"
 }
+resource "aws_security_group_rule" "from-bastion-unmanaged-example-com-ingress-icmp-3to4-bastion-elb-unmanaged-example-com" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "from-bastion-unmanaged-example-com-ingress-tcp-22to22-masters-unmanaged-example-com" {
 from_port = 22
 protocol = "tcp"
@@ -1222,11 +1279,29 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
+resource "aws_security_group_rule" "icmp-pmtu-cp-to-elb" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.api-elb-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "icmp-pmtu-elb-to-cp" {
+ from_port = 3
+ protocol = "icmp"
+ security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.api-elb-unmanaged-example-com.id
+ to_port = 4
+ type = "ingress"
+}
+
 resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
 to_port = 4
 type = "ingress"
 }
@@ -1235,7 +1310,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-4-0--22" {
 cidr_blocks = ["172.20.4.0/22"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
 to_port = 4
 type = "ingress"
 }
@@ -1244,7 +1319,7 @@ resource "aws_security_group_rule" "icmp-pmtu-ssh-nlb-172-20-8-0--22" {
 cidr_blocks = ["172.20.8.0/22"]
 from_port = 3
 protocol = "icmp"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
 to_port = 4
 type = "ingress"
 }