Merge pull request #1136 from justinsb/add_test_for_private_networking

Adding testing for weave private networking (depends on #1114)
2016-12-12 10:29:01 -07:00 · 2016-12-12 10:29:01 -07:00 · 8b60317b3f
parent 3f0bd708d1 e779d63eee
commit 8b60317b3f
13 changed files with 675 additions and 30 deletions
--- a/cloudmock/aws/mockroute53/unimplemented.go
+++ b/cloudmock/aws/mockroute53/unimplemented.go
@ -205,22 +205,6 @@ func (m *MockRoute53) GetHealthCheckStatus(*route53.GetHealthCheckStatusInput) (
 	panic("MockRoute53 function not implemented")
 	return nil, nil
 }
-func (m *MockRoute53) GetHostedZoneRequest(*route53.GetHostedZoneInput) (*request.Request, *route53.GetHostedZoneOutput) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
-func (m *MockRoute53) GetHostedZone(*route53.GetHostedZoneInput) (*route53.GetHostedZoneOutput, error) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
-func (m *MockRoute53) GetHostedZoneCountRequest(*route53.GetHostedZoneCountInput) (*request.Request, *route53.GetHostedZoneCountOutput) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
-func (m *MockRoute53) GetHostedZoneCount(*route53.GetHostedZoneCountInput) (*route53.GetHostedZoneCountOutput, error) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
 func (m *MockRoute53) GetReusableDelegationSetRequest(*route53.GetReusableDelegationSetInput) (*request.Request, *route53.GetReusableDelegationSetOutput) {
 	panic("MockRoute53 function not implemented")
 	return nil, nil
--- a/cloudmock/aws/mockroute53/zones.go
+++ b/cloudmock/aws/mockroute53/zones.go
@ -20,18 +20,60 @@ import (
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/golang/glog"
+	"github.com/aws/aws-sdk-go/aws"
+	"fmt"
+	"strings"
 )

 type zoneInfo struct {
 }

+func (m *MockRoute53) GetHostedZoneRequest(*route53.GetHostedZoneInput) (*request.Request, *route53.GetHostedZoneOutput) {
+	panic("MockRoute53 GetHostedZoneRequest not implemented")
+	return nil, nil
+}
+func (m *MockRoute53) GetHostedZone(request *route53.GetHostedZoneInput) (*route53.GetHostedZoneOutput, error) {
+	glog.Infof("GetHostedZone %v", request)
+
+	findID := aws.StringValue(request.Id)
+	if !strings.Contains(findID, "/") {
+		findID = "/hostedzone/" + findID
+	}
+
+	for _, z := range m.Zones {
+		if *z.Id != findID {
+			continue
+		}
+
+		copy := *z
+		response := &route53.GetHostedZoneOutput{
+			// DelegationSet ???
+			HostedZone: &copy,
+			// VPCs
+		}
+		return response, nil
+	}
+
+	// TODO: Correct error
+	return nil, fmt.Errorf("NOT FOUND")
+}
+
+func (m *MockRoute53) GetHostedZoneCountRequest(*route53.GetHostedZoneCountInput) (*request.Request, *route53.GetHostedZoneCountOutput) {
+	panic("MockRoute53 GetHostedZoneCountRequest not implemented")
+	return nil, nil
+}
+func (m *MockRoute53) GetHostedZoneCount(*route53.GetHostedZoneCountInput) (*route53.GetHostedZoneCountOutput, error) {
+	panic("MockRoute53 GetHostedZoneCount not implemented")
+	return nil, nil
+}
+
 func (m *MockRoute53) ListHostedZonesRequest(*route53.ListHostedZonesInput) (*request.Request, *route53.ListHostedZonesOutput) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZonesRequest not implemented")
 	return nil, nil
 }

 func (m *MockRoute53) ListHostedZones(*route53.ListHostedZonesInput) (*route53.ListHostedZonesOutput, error) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZones not implemented")
 	return nil, nil
 }

@ -50,11 +92,11 @@ func (m *MockRoute53) ListHostedZonesPages(request *route53.ListHostedZonesInput
 }

 func (m *MockRoute53) ListHostedZonesByNameRequest(*route53.ListHostedZonesByNameInput) (*request.Request, *route53.ListHostedZonesByNameOutput) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZonesByNameRequest not implemented")
 	return nil, nil
 }

 func (m *MockRoute53) ListHostedZonesByName(*route53.ListHostedZonesByNameInput) (*route53.ListHostedZonesByNameOutput, error) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZonesByName not implemented")
 	return nil, nil
 }
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@ -53,6 +53,11 @@ func TestMinimal_141(t *testing.T) {
 	runTest(t, "minimal-141.example.com", "../../tests/integration/minimal-141")
 }

+// TestPrivateWeave runs the test on a configuration with private topology, weave networking
+func TestPrivateWeave(t *testing.T) {
+	runTest(t, "privateweave.example.com", "../../tests/integration/privateweave")
+}
+
 func runTest(t *testing.T, clusterName string, srcDir string) {
 	var stdout bytes.Buffer

@ -71,12 +76,12 @@ func runTest(t *testing.T, clusterName string, srcDir string) {
 	cloud.MockRoute53 = mockRoute53

 	mockRoute53.Zones = append(mockRoute53.Zones, &route53.HostedZone{
-		Id:   aws.String("123"),
+		Id:   aws.String("/hostedzone/Z1AFAKE1ZON3YO"),
 		Name: aws.String("example.com."),
 	})

 	mockEC2.Images = append(mockEC2.Images, &ec2.Image{
-		ImageId: aws.String("ami-12345"),
+		ImageId: aws.String("ami-12345678"),
 		Name:    aws.String("k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21"),
 		OwnerId: aws.String(awsup.WellKnownAccountKopeio),
 	})
--- a/tests/integration/minimal-141/kubernetes.tf
+++ b/tests/integration/minimal-141/kubernetes.tf
@ -117,7 +117,7 @@ resource "aws_key_pair" "kubernetes-minimal-141-example-com-c4a6ed9aa889b9e2c39c

 resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-141-example-com" {
  name_prefix = "master-us-test-1a.masters.minimal-141.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
  instance_type = "m3.medium"
  key_name = "${aws_key_pair.kubernetes-minimal-141-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
  iam_instance_profile = "${aws_iam_instance_profile.masters-minimal-141-example-com.id}"
@ -140,7 +140,7 @@ resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-141-examp

 resource "aws_launch_configuration" "nodes-minimal-141-example-com" {
  name_prefix = "nodes.minimal-141.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
  instance_type = "t2.medium"
  key_name = "${aws_key_pair.kubernetes-minimal-141-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
  iam_instance_profile = "${aws_iam_instance_profile.nodes-minimal-141-example-com.id}"
--- a/tests/integration/minimal/kubernetes.tf
+++ b/tests/integration/minimal/kubernetes.tf
@ -117,7 +117,7 @@ resource "aws_key_pair" "kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663

 resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-example-com" {
  name_prefix = "master-us-test-1a.masters.minimal.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
  instance_type = "m3.medium"
  key_name = "${aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
  iam_instance_profile = "${aws_iam_instance_profile.masters-minimal-example-com.id}"
@ -140,7 +140,7 @@ resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-example-c

 resource "aws_launch_configuration" "nodes-minimal-example-com" {
  name_prefix = "nodes.minimal.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
  instance_type = "t2.medium"
  key_name = "${aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
  iam_instance_profile = "${aws_iam_instance_profile.nodes-minimal-example-com.id}"
--- a/tests/integration/privateweave/id_rsa.pub
+++ b/tests/integration/privateweave/id_rsa.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ==
--- a/tests/integration/privateweave/in.yaml
+++ b/tests/integration/privateweave/in.yaml
@ -0,0 +1,78 @@
+apiVersion: kops/v1alpha1
+kind: Cluster
+metadata:
+  creationTimestamp: "2016-12-12T04:13:14Z"
+  name: privateweave.example.com
+spec:
+  adminAccess:
+  - 0.0.0.0/0
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://clusters.example.com/privateweave.example.com
+  etcdClusters:
+  - etcdMembers:
+    - name: us-test-1a
+      zone: us-test-1a
+    name: main
+  - etcdMembers:
+    - name: us-test-1a
+      zone: us-test-1a
+    name: events
+  kubernetesVersion: v1.4.6
+  masterInternalName: api.internal.privateweave.example.com
+  masterPublicName: api.privateweave.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    weave: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  topology:
+    bastion:
+      enable: true
+      idleTimeout: 120
+      machineType: t2.medium
+    masters: private
+    nodes: private
+  zones:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    privateCIDR: 172.20.4.0/22
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-12T04:13:15Z"
+  name: master-us-test-1a
+  labels:
+    kops.k8s.io/cluster: privateweave.example.com
+spec:
+  associatePublicIp: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  zones:
+  - us-test-1a
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-12T04:13:15Z"
+  name: nodes
+  labels:
+    kops.k8s.io/cluster: privateweave.example.com
+spec:
+  associatePublicIp: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  role: Node
+  zones:
+  - us-test-1a
+
+
--- a/tests/integration/privateweave/kubernetes.tf
+++ b/tests/integration/privateweave/kubernetes.tf
@ -0,0 +1,529 @@
+resource "aws_autoscaling_attachment" "bastion-privateweave-example-com" {
+  elb = "${aws_elb.bastion-privateweave-example-com.id}"
+  autoscaling_group_name = "${aws_autoscaling_group.bastion-privateweave-example-com.id}"
+}
+
+resource "aws_autoscaling_attachment" "master-us-test-1a-masters-privateweave-example-com" {
+  elb = "${aws_elb.api-privateweave-example-com.id}"
+  autoscaling_group_name = "${aws_autoscaling_group.master-us-test-1a-masters-privateweave-example-com.id}"
+}
+
+resource "aws_autoscaling_group" "bastion-privateweave-example-com" {
+  name = "bastion.privateweave.example.com"
+  launch_configuration = "${aws_launch_configuration.bastion-privateweave-example-com.id}"
+  max_size = 1
+  min_size = 1
+  vpc_zone_identifier = ["${aws_subnet.private-us-test-1a-privateweave-example-com.id}"]
+  tag = {
+    key = "KubernetesCluster"
+    value = "privateweave.example.com"
+    propagate_at_launch = true
+  }
+  tag = {
+    key = "Name"
+    value = "bastion.privateweave.example.com"
+    propagate_at_launch = true
+  }
+}
+
+resource "aws_autoscaling_group" "master-us-test-1a-masters-privateweave-example-com" {
+  name = "master-us-test-1a.masters.privateweave.example.com"
+  launch_configuration = "${aws_launch_configuration.master-us-test-1a-masters-privateweave-example-com.id}"
+  max_size = 1
+  min_size = 1
+  vpc_zone_identifier = ["${aws_subnet.private-us-test-1a-privateweave-example-com.id}"]
+  tag = {
+    key = "KubernetesCluster"
+    value = "privateweave.example.com"
+    propagate_at_launch = true
+  }
+  tag = {
+    key = "Name"
+    value = "master-us-test-1a.masters.privateweave.example.com"
+    propagate_at_launch = true
+  }
+  tag = {
+    key = "k8s.io/role/master"
+    value = "1"
+    propagate_at_launch = true
+  }
+}
+
+resource "aws_autoscaling_group" "nodes-privateweave-example-com" {
+  name = "nodes.privateweave.example.com"
+  launch_configuration = "${aws_launch_configuration.nodes-privateweave-example-com.id}"
+  max_size = 2
+  min_size = 2
+  vpc_zone_identifier = ["${aws_subnet.private-us-test-1a-privateweave-example-com.id}"]
+  tag = {
+    key = "KubernetesCluster"
+    value = "privateweave.example.com"
+    propagate_at_launch = true
+  }
+  tag = {
+    key = "Name"
+    value = "nodes.privateweave.example.com"
+    propagate_at_launch = true
+  }
+  tag = {
+    key = "k8s.io/role/node"
+    value = "1"
+    propagate_at_launch = true
+  }
+}
+
+resource "aws_ebs_volume" "us-test-1a-etcd-events-privateweave-example-com" {
+  availability_zone = "us-test-1a"
+  size = 20
+  type = "gp2"
+  encrypted = false
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "us-test-1a.etcd-events.privateweave.example.com"
+    "k8s.io/etcd/events" = "us-test-1a/us-test-1a"
+    "k8s.io/role/master" = "1"
+  }
+}
+
+resource "aws_ebs_volume" "us-test-1a-etcd-main-privateweave-example-com" {
+  availability_zone = "us-test-1a"
+  size = 20
+  type = "gp2"
+  encrypted = false
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "us-test-1a.etcd-main.privateweave.example.com"
+    "k8s.io/etcd/main" = "us-test-1a/us-test-1a"
+    "k8s.io/role/master" = "1"
+  }
+}
+
+resource "aws_eip" "us-test-1a-privateweave-example-com" {
+  vpc = true
+}
+
+resource "aws_elb" "api-privateweave-example-com" {
+  name = "api-privateweave"
+  listener = {
+    instance_port = 443
+    instance_protocol = "TCP"
+    lb_port = 443
+    lb_protocol = "TCP"
+  }
+  security_groups = ["${aws_security_group.api-elb-privateweave-example-com.id}"]
+  subnets = ["${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"]
+  health_check = {
+    target = "TCP:443"
+    healthy_threshold = 2
+    unhealthy_threshold = 2
+    interval = 10
+    timeout = 5
+  }
+}
+
+resource "aws_elb" "bastion-privateweave-example-com" {
+  name = "bastion-privateweave"
+  listener = {
+    instance_port = 22
+    instance_protocol = "TCP"
+    lb_port = 22
+    lb_protocol = "TCP"
+  }
+  security_groups = ["${aws_security_group.bastion-elb-privateweave-example-com.id}"]
+  subnets = ["${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"]
+  health_check = {
+    target = 
+    healthy_threshold = 
+    unhealthy_threshold = 
+    interval = 
+    timeout = 
+  }
+}
+
+resource "aws_iam_instance_profile" "masters-privateweave-example-com" {
+  name = "masters.privateweave.example.com"
+  roles = ["${aws_iam_role.masters-privateweave-example-com.name}"]
+}
+
+resource "aws_iam_instance_profile" "nodes-privateweave-example-com" {
+  name = "nodes.privateweave.example.com"
+  roles = ["${aws_iam_role.nodes-privateweave-example-com.name}"]
+}
+
+resource "aws_iam_role" "masters-privateweave-example-com" {
+  name = "masters.privateweave.example.com"
+  assume_role_policy = "${file("${path.module}/data/aws_iam_role_masters.privateweave.example.com_policy")}"
+}
+
+resource "aws_iam_role" "nodes-privateweave-example-com" {
+  name = "nodes.privateweave.example.com"
+  assume_role_policy = "${file("${path.module}/data/aws_iam_role_nodes.privateweave.example.com_policy")}"
+}
+
+resource "aws_iam_role_policy" "masters-privateweave-example-com" {
+  name = "masters.privateweave.example.com"
+  role = "${aws_iam_role.masters-privateweave-example-com.name}"
+  policy = "${file("${path.module}/data/aws_iam_role_policy_masters.privateweave.example.com_policy")}"
+}
+
+resource "aws_iam_role_policy" "nodes-privateweave-example-com" {
+  name = "nodes.privateweave.example.com"
+  role = "${aws_iam_role.nodes-privateweave-example-com.name}"
+  policy = "${file("${path.module}/data/aws_iam_role_policy_nodes.privateweave.example.com_policy")}"
+}
+
+resource "aws_internet_gateway" "privateweave-example-com" {
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "privateweave.example.com"
+  }
+}
+
+resource "aws_key_pair" "kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" {
+  key_name = "kubernetes.privateweave.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57"
+  public_key = "${file("${path.module}/data/aws_key_pair_kubernetes.privateweave.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key")}"
+}
+
+resource "aws_launch_configuration" "bastion-privateweave-example-com" {
+  name_prefix = "bastion.privateweave.example.com-"
+  image_id = "ami-12345678"
+  instance_type = "t2.medium"
+  key_name = "${aws_key_pair.kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
+  iam_instance_profile = "${aws_iam_instance_profile.masters-privateweave-example-com.id}"
+  security_groups = ["${aws_security_group.bastion-privateweave-example-com.id}"]
+  associate_public_ip_address = false
+  root_block_device = {
+    volume_type = "gp2"
+    volume_size = 20
+    delete_on_termination = true
+  }
+  lifecycle = {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_launch_configuration" "master-us-test-1a-masters-privateweave-example-com" {
+  name_prefix = "master-us-test-1a.masters.privateweave.example.com-"
+  image_id = "ami-12345678"
+  instance_type = "m3.medium"
+  key_name = "${aws_key_pair.kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
+  iam_instance_profile = "${aws_iam_instance_profile.masters-privateweave-example-com.id}"
+  security_groups = ["${aws_security_group.masters-privateweave-example-com.id}"]
+  associate_public_ip_address = false
+  user_data = "${file("${path.module}/data/aws_launch_configuration_master-us-test-1a.masters.privateweave.example.com_user_data")}"
+  root_block_device = {
+    volume_type = "gp2"
+    volume_size = 20
+    delete_on_termination = true
+  }
+  ephemeral_block_device = {
+    device_name = "/dev/sdc"
+    virtual_name = "ephemeral0"
+  }
+  lifecycle = {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_launch_configuration" "nodes-privateweave-example-com" {
+  name_prefix = "nodes.privateweave.example.com-"
+  image_id = "ami-12345678"
+  instance_type = "t2.medium"
+  key_name = "${aws_key_pair.kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
+  iam_instance_profile = "${aws_iam_instance_profile.nodes-privateweave-example-com.id}"
+  security_groups = ["${aws_security_group.nodes-privateweave-example-com.id}"]
+  associate_public_ip_address = false
+  user_data = "${file("${path.module}/data/aws_launch_configuration_nodes.privateweave.example.com_user_data")}"
+  root_block_device = {
+    volume_type = "gp2"
+    volume_size = 20
+    delete_on_termination = true
+  }
+  lifecycle = {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_nat_gateway" "us-test-1a-privateweave-example-com" {
+  allocation_id = "${aws_eip.us-test-1a-privateweave-example-com.id}"
+  subnet_id = "${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"
+}
+
+resource "aws_route" "private-us-test-1a-privateweave-example-com" {
+  route_table_id = "${aws_route_table.private-us-test-1a-privateweave-example-com.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id = "${aws_nat_gateway.us-test-1a-privateweave-example-com.id}"
+}
+
+resource "aws_route" "wan" {
+  route_table_id = "${aws_route_table.main-privateweave-example-com.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id = "${aws_internet_gateway.privateweave-example-com.id}"
+}
+
+resource "aws_route53_record" "api-privateweave-example-com" {
+  name = "api.privateweave.example.com"
+  type = "A"
+  alias = {
+    name = "${aws_elb.api-privateweave-example-com.dns_name}"
+    zone_id = "${aws_elb.api-privateweave-example-com.zone_id}"
+    evaluate_target_health = false
+  }
+  zone_id = "/hostedzone/Z1AFAKE1ZON3YO"
+}
+
+resource "aws_route_table" "main-privateweave-example-com" {
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "main-privateweave.example.com"
+  }
+}
+
+resource "aws_route_table" "private-us-test-1a-privateweave-example-com" {
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "private-us-test-1a.privateweave.example.com"
+  }
+}
+
+resource "aws_route_table_association" "main-us-test-1a-privateweave-example-com" {
+  subnet_id = "${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"
+  route_table_id = "${aws_route_table.main-privateweave-example-com.id}"
+}
+
+resource "aws_route_table_association" "private-us-test-1a-privateweave-example-com" {
+  subnet_id = "${aws_subnet.private-us-test-1a-privateweave-example-com.id}"
+  route_table_id = "${aws_route_table.private-us-test-1a-privateweave-example-com.id}"
+}
+
+resource "aws_security_group" "api-elb-privateweave-example-com" {
+  name = "api-elb.privateweave.example.com"
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for api ELB"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "api-elb.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "bastion-elb-privateweave-example-com" {
+  name = "bastion-elb.privateweave.example.com"
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for bastion ELB"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "bastion-elb.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "bastion-privateweave-example-com" {
+  name = "bastion.privateweave.example.com"
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for bastion"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "bastion.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "masters-privateweave-example-com" {
+  name = "masters.privateweave.example.com"
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for masters"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "masters.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group" "nodes-privateweave-example-com" {
+  name = "nodes.privateweave.example.com"
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  description = "Security group for nodes"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "nodes.privateweave.example.com"
+  }
+}
+
+resource "aws_security_group_rule" "all-bastion-to-master" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+}
+
+resource "aws_security_group_rule" "all-master-to-master" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+}
+
+resource "aws_security_group_rule" "all-master-to-node" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+}
+
+resource "aws_security_group_rule" "all-node-to-master" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+}
+
+resource "aws_security_group_rule" "all-node-to-node" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+}
+
+resource "aws_security_group_rule" "api-elb-egress" {
+  type = "egress"
+  security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "bastion-egress" {
+  type = "egress"
+  security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "bastion-elb-egress" {
+  type = "egress"
+  security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "bastion-to-master" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+}
+
+resource "aws_security_group_rule" "https-api-elb" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
+  from_port = 443
+  to_port = 443
+  protocol = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "kube-proxy-api-elb" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}"
+  from_port = 443
+  to_port = 443
+  protocol = "tcp"
+}
+
+resource "aws_security_group_rule" "master-egress" {
+  type = "egress"
+  security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "node-egress" {
+  type = "egress"
+  security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}"
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "ssh-external-to-bastion" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}"
+  source_security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
+  from_port = 22
+  to_port = 22
+  protocol = "tcp"
+}
+
+resource "aws_security_group_rule" "ssh-external-to-bastion-elb" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}"
+  from_port = 22
+  to_port = 22
+  protocol = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_subnet" "private-us-test-1a-privateweave-example-com" {
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  cidr_block = "172.20.4.0/22"
+  availability_zone = "us-test-1a"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "private-us-test-1a.privateweave.example.com"
+  }
+}
+
+resource "aws_subnet" "utility-us-test-1a-privateweave-example-com" {
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  cidr_block = "172.20.32.0/19"
+  availability_zone = "us-test-1a"
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "utility-us-test-1a.privateweave.example.com"
+  }
+}
+
+resource "aws_vpc" "privateweave-example-com" {
+  cidr_block = "172.20.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support = true
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "privateweave.example.com"
+  }
+}
+
+resource "aws_vpc_dhcp_options" "privateweave-example-com" {
+  domain_name = "us-test-1.compute.internal"
+  domain_name_servers = ["AmazonProvidedDNS"]
+  tags = {
+    KubernetesCluster = "privateweave.example.com"
+    Name = "privateweave.example.com"
+  }
+}
+
+resource "aws_vpc_dhcp_options_association" "privateweave-example-com" {
+  vpc_id = "${aws_vpc.privateweave-example-com.id}"
+  dhcp_options_id = "${aws_vpc_dhcp_options.privateweave-example-com.id}"
+}
--- a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
@ -190,7 +190,7 @@ loadBalancer/api.{{ ClusterName }}:
  {{ end }}
  listeners:
    443: { instancePort: 443 }
-  scheme: internal
+  #scheme: internal
  healthCheck:
    target: TCP:443
    healthyThreshold: 2
--- a/upup/pkg/fi/cloudup/awstasks/dnszone.go
+++ b/upup/pkg/fi/cloudup/awstasks/dnszone.go
@ -86,7 +86,7 @@ func (e *DNSZone) findExisting(cloud awsup.AWSCloud) (*route53.HostedZone, error
 				}
 				// Otherwise continue ... maybe the name was not an id after all...
 			} else {
-				return nil, fmt.Errorf("error fetching DNS HostedZone %q: %v", *e.ID, err)
+				return nil, fmt.Errorf("error fetching DNS HostedZone %q: %v", findID, err)
 			}
 		} else {
 			return response.HostedZone, nil
--- a/upup/pkg/fi/cloudup/awstasks/load_balancer.go
+++ b/upup/pkg/fi/cloudup/awstasks/load_balancer.go
@ -362,9 +362,10 @@ func (_ *LoadBalancer) RenderTerraform(t *terraform.TerraformTarget, a, e, chang
 		elbName = e.Name
 	}

+	internal := fi.StringValue(e.Scheme) == "internal"
 	tf := &terraformLoadBalancer{
 		Name:     elbName,
-		Internal: *e.Scheme == "internal",
+		Internal: internal,
 	}

 	for _, subnet := range e.Subnets {
--- a/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
+++ b/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
@ -100,7 +100,6 @@ func (s *LoadBalancerAttachment) CheckChanges(a, e, changes *LoadBalancerAttachm
 }

 func (_ *LoadBalancerAttachment) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *LoadBalancerAttachment) error {
-
 	if e.AutoscalingGroup != nil && e.Instance == nil {
 		request := &autoscaling.AttachLoadBalancersInput{}
 		request.AutoScalingGroupName = e.AutoscalingGroup.Name
--- a/upup/pkg/fi/cloudup/awstasks/loadbalancer_attributes.go
+++ b/upup/pkg/fi/cloudup/awstasks/loadbalancer_attributes.go
@ -24,6 +24,7 @@ import (
 	"github.com/golang/glog"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+	"k8s.io/kops/upup/pkg/fi/cloudup/terraform"
 )

 type LoadBalancerAccessLog struct {
@ -250,3 +251,8 @@ func (_ *LoadBalancerAttributes) RenderAWS(t *awsup.AWSAPITarget, a, e, changes

 	return nil
 }
+
+func (_ *LoadBalancerAttributes) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *LoadBalancerAttributes) error {
+	glog.Warning("LoadBalancerAttributes RenderTerraform not implemented")
+	return nil
+}
				`@ -0,0 +1 @@`
				`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ==`