diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go index 415e827e80..7e771c97fa 100644 --- a/pkg/model/awsmodel/api_loadbalancer.go +++ b/pkg/model/awsmodel/api_loadbalancer.go @@ -283,7 +283,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { Egress: fi.Bool(true), SecurityGroup: lbSG, } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } // Allow traffic into the ELB from KubernetesAPIAccess CIDRs @@ -298,7 +298,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { SecurityGroup: lbSG, ToPort: fi.Int64(443), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) // Allow ICMP traffic required for PMTU discovery c.AddTask(&awstasks.SecurityGroupRule{ @@ -331,7 +331,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error { SecurityGroup: masterGroup.Task, ToPort: fi.Int64(443), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) // Allow ICMP traffic required for PMTU discovery c.AddTask(&awstasks.SecurityGroupRule{ diff --git a/pkg/model/bastion.go b/pkg/model/bastion.go index c2c345fc3f..c63413270b 100644 --- a/pkg/model/bastion.go +++ b/pkg/model/bastion.go @@ -84,7 +84,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { Egress: fi.Bool(true), CIDR: s("0.0.0.0/0"), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } // Allow incoming SSH traffic to bastions, through the ELB @@ -99,7 +99,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { FromPort: i64(22), ToPort: i64(22), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } // Allow bastion nodes to SSH to masters @@ -114,7 +114,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { FromPort: i64(22), ToPort: i64(22), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } } 
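Review bot: Only some of the security group rules in these functions are routed through the new helper, so the same builder now mixes two naming schemes: in the second and third api_loadbalancer.go hunks the 443 rule is switched to `b.AddDirectionalGroupRule(c, t)` while the ICMP PMTU rule directly below it is still registered with `c.AddTask(&awstasks.SecurityGroupRule{`, and the fixtures later in this diff confirm that `icmp-pmtu-api-elb-0-0-0-0--0` and `https-elb-to-master` keep their hand-written names while their siblings become `from-…`. If the exclusion is deliberate it deserves a one-line comment at the `c.AddTask(` call, e.g. `// PMTU rule keeps its fixed name; not routed through AddDirectionalGroupRule`; otherwise bind the literal to a local and call `b.AddDirectionalGroupRule(c, t)` for it as well. The helper itself is not in this chunk; judging from the fixtures it replaces the task name, so if the literals above these hunks still set `Name:`, that field is now dead and should be removed rather than left to mislead. The same pattern applies to every hunk in bastion.go and external_access.go; each enclosing Build function starts and ends outside its hunk.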
@@ -130,7 +130,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { FromPort: i64(22), ToPort: i64(22), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } } @@ -159,7 +159,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { CIDR: s("0.0.0.0/0"), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } // Allow external access to ELB @@ -174,7 +174,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { ToPort: i64(22), CIDR: s(sshAccess), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } var elbSubnets []*awstasks.Subnet diff --git a/pkg/model/external_access.go b/pkg/model/external_access.go index a89d37fdc6..84d68aad5b 100644 --- a/pkg/model/external_access.go +++ b/pkg/model/external_access.go @@ -71,7 +71,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error { ToPort: i64(22), CIDR: s(sshAccess), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } for _, nodeGroup := range nodeGroups { @@ -85,7 +85,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error { ToPort: i64(22), CIDR: s(sshAccess), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } } } @@ -140,7 +140,7 @@ func (b *ExternalAccessModelBuilder) Build(c *fi.ModelBuilderContext) error { ToPort: i64(443), CIDR: s(apiAccess), } - c.AddTask(t) + b.AddDirectionalGroupRule(c, t) } } } diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go index 6ad1a1a8f7..4223096724 100644 --- a/pkg/model/firewall.go +++ b/pkg/model/firewall.go @@ -442,6 +442,6 @@ func generateName(o *awstasks.SecurityGroupRule) string { src = fi.StringValue(o.SecurityGroup.Name) } - return fmt.Sprintf("%s-%s-%s-%dto%d-%s", src, direction, + return fmt.Sprintf("from-%s-%s-%s-%dto%d-%s", src, direction, proto, fi.Int64Value(o.FromPort), fi.Int64Value(o.ToPort), dst) } 
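Review bot: The `from-` prefix added to the format string in generateName changes the name of every rule that goes through it, and that name is the Terraform resource label and the CloudFormation logical ID, so an existing cluster will see each of these rules destroyed and recreated on its next apply — the fixture hunks in this diff show exactly that (`masters-…-egress-all-0to0-0-0-0-0--0` removed, `from-masters-…` added, and likewise for the nodes-to-masters tcp/udp rules and the 22/443 ingress rules). That replacement is a transient gap in the firewall for rules a live cluster depends on, which the commit does not mention; it should be called out in the description or release notes so operators can plan the apply. The function carries no comment stating this coupling; add one above it: `// generateName derives the task name from the rule's endpoints; the name becomes the rendered resource identity (Terraform label, CloudFormation logical ID), so changing this format replaces every existing rule on the next apply.` generateName starts outside the hunk.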
diff --git a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf index 749b9863d3..700a455568 100644 --- a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf +++ b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf @@ -699,7 +699,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-bastionuserdata-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-bastionuserdata-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-bastionuserdata-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-bastionuserdata-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -708,16 +726,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -726,7 +735,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-bastionuserdata-example-com-ingress-tcp-22to22-bastion-bastionuserdata-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-bastionuserdata-example-com-ingress-tcp-22to22-masters-bastionuserdata-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-bastionuserdata-example-com.id @@ -735,7 +762,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-bastionuserdata-example-com-ingress-tcp-22to22-nodes-bastionuserdata-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id 
@@ -744,13 +771,94 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-bastionuserdata-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-bastionuserdata-example-com-ingress-all-0to0-masters-bastionuserdata-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-bastionuserdata-example-com-ingress-all-0to0-nodes-bastionuserdata-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-bastionuserdata-example-com-ingress-4-0to0-masters-bastionuserdata-example-com" { + from_port = 0 + protocol = "4" + security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + to_port = 65535 + type = "ingress" +} 
+ +resource "aws_security_group_rule" "from-nodes-bastionuserdata-example-com-ingress-all-0to0-nodes-bastionuserdata-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-bastionuserdata-example-com-ingress-tcp-1to2379-masters-bastionuserdata-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-bastionuserdata-example-com-ingress-tcp-2382to4000-masters-bastionuserdata-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-bastionuserdata-example-com-ingress-tcp-4003to65535-masters-bastionuserdata-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-bastionuserdata-example-com-ingress-udp-1to65535-masters-bastionuserdata-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-bastionuserdata-example-com.id + source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -771,114 +879,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-bastionuserdata-example-com-ingress-all-0to0-masters-bastionuserdata-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-bastionuserdata-example-com-ingress-all-0to0-nodes-bastionuserdata-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-bastionuserdata-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-bastionuserdata-example-com-ingress-4-0to0-masters-bastionuserdata-example-com" { - from_port = 0 - protocol = "4" - security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-bastionuserdata-example-com-ingress-all-0to0-nodes-bastionuserdata-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = 
aws_security_group.nodes-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-bastionuserdata-example-com-ingress-tcp-1to2379-masters-bastionuserdata-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-bastionuserdata-example-com-ingress-tcp-2382to4000-masters-bastionuserdata-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-bastionuserdata-example-com-ingress-tcp-4003to65535-masters-bastionuserdata-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-bastionuserdata-example-com-ingress-udp-1to65535-masters-bastionuserdata-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.nodes-bastionuserdata-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-bastionuserdata-example-com.id - source_security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id - to_port = 22 - type = "ingress" -} - -resource 
"aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-bastionuserdata-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-bastionuserdata-example-com" { description = "Security group for api ELB" name = "api-elb.bastionuserdata.example.com" diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index eba41fb315..072bbbcf67 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -573,7 +573,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmasterscomplexexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommasterscomplexexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -585,7 +585,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodescomplexexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodescomplexexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -597,7 +597,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsapielb111024": { + "AWSEC2SecurityGroupIngressfrom111024ingresstcp443to443masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -609,7 +609,31 @@ "CidrIp": "1.1.1.0/24" } }, - "AWSEC2SecurityGroupIngresshttpsapielb20010850040": { + "AWSEC2SecurityGroupIngressfrom111132ingresstcp22to22masterscomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "1.1.1.1/32" + } + }, + "AWSEC2SecurityGroupIngressfrom111132ingresstcp22to22nodescomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "1.1.1.1/32" + } + }, + "AWSEC2SecurityGroupIngressfrom20010850040ingresstcp443to443masterscomplexexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -621,6 +645,128 @@ "CidrIpv6": "2001:0:8500::/40" } }, + "AWSEC2SecurityGroupIngressfrom2001085a348ingresstcp22to22masterscomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIpv6": "2001:0:85a3::/48" + } + }, + "AWSEC2SecurityGroupIngressfrom2001085a348ingresstcp22to22nodescomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIpv6": "2001:0:85a3::/48" + } + }, + "AWSEC2SecurityGroupIngressfrommasterscomplexexamplecomingressall0to0masterscomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfrommasterscomplexexamplecomingressall0to0nodescomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingressall0to0nodescomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingresstcp1to2379masterscomplexexamplecom": { + "Type": 
"AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 1, + "ToPort": 2379, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingresstcp2382to4000masterscomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 2382, + "ToPort": 4000, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingresstcp4003to65535masterscomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 4003, + "ToPort": 65535, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodescomplexexamplecomingressudp1to65535masterscomplexexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" + }, + "FromPort": 1, + "ToPort": 65535, + "IpProtocol": "udp" + } + }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -681,34 +827,6 @@ "CidrIpv6": "2001:0:8500::/40" } }, - "AWSEC2SecurityGroupIngressmasterscomplexexamplecomingressall0to0masterscomplexexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressmasterscomplexexamplecomingressall0to0nodescomplexexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, "AWSEC2SecurityGroupIngressnodeporttcpexternaltonode102030024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -757,124 +875,6 @@ "CidrIp": "1.2.3.4/32" } }, - "AWSEC2SecurityGroupIngressnodescomplexexamplecomingressall0to0nodescomplexexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodescomplexexamplecomingresstcp1to2379masterscomplexexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "FromPort": 1, - "ToPort": 2379, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodescomplexexamplecomingresstcp2382to4000masterscomplexexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "FromPort": 2382, - "ToPort": 4000, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodescomplexexamplecomingresstcp4003to65535masterscomplexexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "FromPort": 4003, - "ToPort": 65535, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodescomplexexamplecomingressudp1to65535masterscomplexexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "FromPort": 1, - "ToPort": 65535, - "IpProtocol": "udp" - } - }, - 
"AWSEC2SecurityGroupIngresssshexternaltomaster111132": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "1.1.1.1/32" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltomaster2001085a348": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscomplexexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIpv6": "2001:0:85a3::/48" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode111132": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "1.1.1.1/32" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode2001085a348": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodescomplexexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIpv6": "2001:0:85a3::/48" - } - }, "AWSEC2SecurityGroupIngresstcpapi111024": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf index d8146e5ee5..7ab28c8caf 100644 --- a/tests/integration/update_cluster/complex/kubernetes.tf +++ b/tests/integration/update_cluster/complex/kubernetes.tf @@ -566,7 +566,7 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.complex-example-com.id } -resource "aws_security_group_rule" "https-api-elb-1-1-1-0--24" { +resource "aws_security_group_rule" "from-1-1-1-0--24-ingress-tcp-443to443-masters-complex-example-com" { cidr_blocks = ["1.1.1.0/24"] from_port = 443 protocol = "tcp" 
@@ -575,7 +575,25 @@ resource "aws_security_group_rule" "https-api-elb-1-1-1-0--24" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-2001_0_8500__--40" { +resource "aws_security_group_rule" "from-1-1-1-1--32-ingress-tcp-22to22-masters-complex-example-com" { + cidr_blocks = ["1.1.1.1/32"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-complex-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-1-1-1-1--32-ingress-tcp-22to22-nodes-complex-example-com" { + cidr_blocks = ["1.1.1.1/32"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-2001_0_8500__--40-ingress-tcp-443to443-masters-complex-example-com" { cidr_blocks = ["2001:0:8500::/40"] from_port = 443 protocol = "tcp" 
@@ -584,6 +602,105 @@ resource "aws_security_group_rule" "https-api-elb-2001_0_8500__--40" { type = "ingress" } +resource "aws_security_group_rule" "from-2001_0_85a3__--48-ingress-tcp-22to22-masters-complex-example-com" { + cidr_blocks = ["2001:0:85a3::/48"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-complex-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-2001_0_85a3__--48-ingress-tcp-22to22-nodes-complex-example-com" { + cidr_blocks = ["2001:0:85a3::/48"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-complex-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-complex-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-complex-example-com-ingress-all-0to0-masters-complex-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-complex-example-com.id + source_security_group_id = aws_security_group.masters-complex-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-complex-example-com-ingress-all-0to0-nodes-complex-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-complex-example-com.id + source_security_group_id = aws_security_group.masters-complex-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-complex-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" 
"from-nodes-complex-example-com-ingress-all-0to0-nodes-complex-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-complex-example-com.id + source_security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-complex-example-com-ingress-tcp-1to2379-masters-complex-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-complex-example-com.id + source_security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-complex-example-com-ingress-tcp-2382to4000-masters-complex-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-complex-example-com.id + source_security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-complex-example-com-ingress-tcp-4003to65535-masters-complex-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-complex-example-com.id + source_security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-complex-example-com-ingress-udp-1to65535-masters-complex-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-complex-example-com.id + source_security_group_id = aws_security_group.nodes-complex-example-com.id + to_port = 65535 + type = "ingress" +} + resource "aws_security_group_rule" "https-elb-to-master" { cidr_blocks = ["172.20.0.0/16"] from_port = 443 
@@ -629,33 +746,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-2001_0_8500__--40" { type = "ingress" } -resource "aws_security_group_rule" "masters-complex-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-complex-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-complex-example-com-ingress-all-0to0-masters-complex-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-complex-example-com.id - source_security_group_id = aws_security_group.masters-complex-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-complex-example-com-ingress-all-0to0-nodes-complex-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-complex-example-com.id - source_security_group_id = aws_security_group.masters-complex-example-com.id - to_port = 0 - type = "ingress" -} - resource "aws_security_group_rule" "nodeport-tcp-external-to-node-1-2-3-4--32" { cidr_blocks = ["1.2.3.4/32"] from_port = 28000 
@@ -692,96 +782,6 @@ resource "aws_security_group_rule" "nodeport-udp-external-to-node-10-20-30-0--24 type = "ingress" } -resource "aws_security_group_rule" "nodes-complex-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-complex-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-complex-example-com-ingress-all-0to0-nodes-complex-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-complex-example-com.id - source_security_group_id = aws_security_group.nodes-complex-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-complex-example-com-ingress-tcp-1to2379-masters-complex-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-complex-example-com.id - source_security_group_id = aws_security_group.nodes-complex-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-complex-example-com-ingress-tcp-2382to4000-masters-complex-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-complex-example-com.id - source_security_group_id = aws_security_group.nodes-complex-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-complex-example-com-ingress-tcp-4003to65535-masters-complex-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-complex-example-com.id - source_security_group_id = aws_security_group.nodes-complex-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-complex-example-com-ingress-udp-1to65535-masters-complex-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-complex-example-com.id - source_security_group_id = 
aws_security_group.nodes-complex-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-master-1-1-1-1--32" { - cidr_blocks = ["1.1.1.1/32"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-complex-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-master-2001_0_85a3__--48" { - cidr_blocks = ["2001:0:85a3::/48"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-complex-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-1-1-1-1--32" { - cidr_blocks = ["1.1.1.1/32"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-complex-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-2001_0_85a3__--48" { - cidr_blocks = ["2001:0:85a3::/48"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-complex-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group_rule" "tcp-api-1-1-1-0--24" { cidr_blocks = ["1.1.1.0/24"] from_port = 8443 diff --git a/tests/integration/update_cluster/compress/kubernetes.tf b/tests/integration/update_cluster/compress/kubernetes.tf index fe4a903dd2..2ff60579ad 100644 --- a/tests/integration/update_cluster/compress/kubernetes.tf +++ b/tests/integration/update_cluster/compress/kubernetes.tf 
@@ -418,7 +418,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.compress-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-compress-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-compress-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-compress-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-compress-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-compress-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -427,7 +445,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-compress-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-compress-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -436,7 +454,7 @@ resource "aws_security_group_rule" "masters-compress-example-com-egress-all-0to0 type = "egress" } -resource "aws_security_group_rule" "masters-compress-example-com-ingress-all-0to0-masters-compress-example-com" { +resource "aws_security_group_rule" "from-masters-compress-example-com-ingress-all-0to0-masters-compress-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-compress-example-com.id 
@@ -445,7 +463,7 @@ resource "aws_security_group_rule" "masters-compress-example-com-ingress-all-0to type = "ingress" } -resource "aws_security_group_rule" "masters-compress-example-com-ingress-all-0to0-nodes-compress-example-com" { +resource "aws_security_group_rule" "from-masters-compress-example-com-ingress-all-0to0-nodes-compress-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-compress-example-com.id @@ -454,7 +472,7 @@ resource "aws_security_group_rule" "masters-compress-example-com-ingress-all-0to type = "ingress" } -resource "aws_security_group_rule" "nodes-compress-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-compress-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -463,7 +481,7 @@ resource "aws_security_group_rule" "nodes-compress-example-com-egress-all-0to0-0 type = "egress" } -resource "aws_security_group_rule" "nodes-compress-example-com-ingress-all-0to0-nodes-compress-example-com" { +resource "aws_security_group_rule" "from-nodes-compress-example-com-ingress-all-0to0-nodes-compress-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-compress-example-com.id @@ -472,7 +490,7 @@ resource "aws_security_group_rule" "nodes-compress-example-com-ingress-all-0to0- type = "ingress" } -resource "aws_security_group_rule" "nodes-compress-example-com-ingress-tcp-1to2379-masters-compress-example-com" { +resource "aws_security_group_rule" "from-nodes-compress-example-com-ingress-tcp-1to2379-masters-compress-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-compress-example-com.id 
@@ -481,7 +499,7 @@ resource "aws_security_group_rule" "nodes-compress-example-com-ingress-tcp-1to23 type = "ingress" } -resource "aws_security_group_rule" "nodes-compress-example-com-ingress-tcp-2382to4000-masters-compress-example-com" { +resource "aws_security_group_rule" "from-nodes-compress-example-com-ingress-tcp-2382to4000-masters-compress-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-compress-example-com.id @@ -490,7 +508,7 @@ resource "aws_security_group_rule" "nodes-compress-example-com-ingress-tcp-2382t type = "ingress" } -resource "aws_security_group_rule" "nodes-compress-example-com-ingress-tcp-4003to65535-masters-compress-example-com" { +resource "aws_security_group_rule" "from-nodes-compress-example-com-ingress-tcp-4003to65535-masters-compress-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-compress-example-com.id @@ -499,7 +517,7 @@ resource "aws_security_group_rule" "nodes-compress-example-com-ingress-tcp-4003t type = "ingress" } -resource "aws_security_group_rule" "nodes-compress-example-com-ingress-udp-1to65535-masters-compress-example-com" { +resource "aws_security_group_rule" "from-nodes-compress-example-com-ingress-udp-1to65535-masters-compress-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-compress-example-com.id 
@@ -508,24 +526,6 @@ resource "aws_security_group_rule" "nodes-compress-example-com-ingress-udp-1to65 type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-compress-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-compress-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-compress-example-com" { description = "Security group for masters" name = "masters.compress.example.com" diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 2bd730d21b..19dae3ec61 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -473,7 +473,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmasterscontainerdexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommasterscontainerdexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -485,7 +485,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodescontainerdexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodescontainerdexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -497,7 +497,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22masterscontainerdexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscontainerdexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodescontainerdexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodescontainerdexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -509,7 +533,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmasterscontainerdexamplecomingressall0to0masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfrommasterscontainerdexamplecomingressall0to0masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -523,7 +547,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmasterscontainerdexamplecomingressall0to0nodescontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfrommasterscontainerdexamplecomingressall0to0nodescontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -537,7 +561,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingress40to0masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingress40to0masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -551,7 +575,7 @@ "IpProtocol": "4" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingressall0to0nodescontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingressall0to0nodescontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -565,7 +589,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingresstcp1to2379masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingresstcp1to2379masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -579,7 +603,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingresstcp2382to4000masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingresstcp2382to4000masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -593,7 +617,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingresstcp4003to65535masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingresstcp4003to65535masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -607,7 +631,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingressudp1to65535masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingressudp1to65535masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -621,30 +645,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscontainerdexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodescontainerdexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmasterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 2bd730d21b..19dae3ec61 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -473,7 +473,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmasterscontainerdexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommasterscontainerdexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -485,7 +485,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodescontainerdexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodescontainerdexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -497,7 +497,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22masterscontainerdexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterscontainerdexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodescontainerdexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodescontainerdexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -509,7 +533,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmasterscontainerdexamplecomingressall0to0masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfrommasterscontainerdexamplecomingressall0to0masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -523,7 +547,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmasterscontainerdexamplecomingressall0to0nodescontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfrommasterscontainerdexamplecomingressall0to0nodescontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -537,7 +561,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingress40to0masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingress40to0masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -551,7 +575,7 @@ "IpProtocol": "4" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingressall0to0nodescontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingressall0to0nodescontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -565,7 +589,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingresstcp1to2379masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingresstcp1to2379masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -579,7 +603,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingresstcp2382to4000masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingresstcp2382to4000masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -593,7 +617,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingresstcp4003to65535masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingresstcp4003to65535masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -607,7 +631,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodescontainerdexamplecomingressudp1to65535masterscontainerdexamplecom": { + "AWSEC2SecurityGroupIngressfromnodescontainerdexamplecomingressudp1to65535masterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -621,30 +645,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterscontainerdexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodescontainerdexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmasterscontainerdexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index 885c454e81..545ce2d535 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -473,7 +473,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmastersdockerexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommastersdockerexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -485,7 +485,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesdockerexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesdockerexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -497,7 +497,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22mastersdockerexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersdockerexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodesdockerexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesdockerexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443mastersdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -509,7 +533,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersdockerexamplecomingressall0to0mastersdockerexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersdockerexamplecomingressall0to0mastersdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -523,7 +547,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmastersdockerexamplecomingressall0to0nodesdockerexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersdockerexamplecomingressall0to0nodesdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -537,7 +561,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesdockerexamplecomingressall0to0nodesdockerexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesdockerexamplecomingressall0to0nodesdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -551,7 +575,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesdockerexamplecomingresstcp1to2379mastersdockerexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesdockerexamplecomingresstcp1to2379mastersdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -565,7 +589,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesdockerexamplecomingresstcp2382to4000mastersdockerexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesdockerexamplecomingresstcp2382to4000mastersdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -579,7 +603,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesdockerexamplecomingresstcp4003to65535mastersdockerexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesdockerexamplecomingresstcp4003to65535mastersdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -593,7 +617,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesdockerexamplecomingressudp1to65535mastersdockerexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesdockerexamplecomingressudp1to65535mastersdockerexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -607,30 +631,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersdockerexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesdockerexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmastersdockerexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { 
diff --git a/tests/integration/update_cluster/existing_iam/kubernetes.tf b/tests/integration/update_cluster/existing_iam/kubernetes.tf index 6f5699cef7..230d1e448f 100644 --- a/tests/integration/update_cluster/existing_iam/kubernetes.tf +++ b/tests/integration/update_cluster/existing_iam/kubernetes.tf @@ -696,7 +696,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.existing-iam-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-existing-iam-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-existing-iam-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-existing-iam-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-existing-iam-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-existing-iam-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -705,7 +723,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-existing-iam-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-existing-iam-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -714,7 +732,7 @@ resource "aws_security_group_rule" "masters-existing-iam-example-com-egress-all- type = "egress" } -resource "aws_security_group_rule" "masters-existing-iam-example-com-ingress-all-0to0-masters-existing-iam-example-com" { +resource "aws_security_group_rule" "from-masters-existing-iam-example-com-ingress-all-0to0-masters-existing-iam-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-existing-iam-example-com.id @@ -723,7 +741,7 @@ resource "aws_security_group_rule" "masters-existing-iam-example-com-ingress-all type = "ingress" } -resource "aws_security_group_rule" "masters-existing-iam-example-com-ingress-all-0to0-nodes-existing-iam-example-com" { +resource "aws_security_group_rule" "from-masters-existing-iam-example-com-ingress-all-0to0-nodes-existing-iam-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-existing-iam-example-com.id @@ -732,7 +750,7 @@ resource "aws_security_group_rule" "masters-existing-iam-example-com-ingress-all type = "ingress" } -resource "aws_security_group_rule" "nodes-existing-iam-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-existing-iam-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -741,7 +759,7 @@ resource "aws_security_group_rule" "nodes-existing-iam-example-com-egress-all-0t type = "egress" } -resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-all-0to0-nodes-existing-iam-example-com" { +resource "aws_security_group_rule" "from-nodes-existing-iam-example-com-ingress-all-0to0-nodes-existing-iam-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-existing-iam-example-com.id 
@@ -750,7 +768,7 @@ resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-all-0 type = "ingress" } -resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-tcp-1to2379-masters-existing-iam-example-com" { +resource "aws_security_group_rule" "from-nodes-existing-iam-example-com-ingress-tcp-1to2379-masters-existing-iam-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-existing-iam-example-com.id @@ -759,7 +777,7 @@ resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-tcp-1 type = "ingress" } -resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-tcp-2382to4000-masters-existing-iam-example-com" { +resource "aws_security_group_rule" "from-nodes-existing-iam-example-com-ingress-tcp-2382to4000-masters-existing-iam-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-existing-iam-example-com.id @@ -768,7 +786,7 @@ resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-tcp-2 type = "ingress" } -resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-tcp-4003to65535-masters-existing-iam-example-com" { +resource "aws_security_group_rule" "from-nodes-existing-iam-example-com-ingress-tcp-4003to65535-masters-existing-iam-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-existing-iam-example-com.id @@ -777,7 +795,7 @@ resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-tcp-4 type = "ingress" } -resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-udp-1to65535-masters-existing-iam-example-com" { +resource "aws_security_group_rule" "from-nodes-existing-iam-example-com-ingress-udp-1to65535-masters-existing-iam-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-existing-iam-example-com.id 
@@ -786,24 +804,6 @@ resource "aws_security_group_rule" "nodes-existing-iam-example-com-ingress-udp-1 type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-existing-iam-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-existing-iam-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-existing-iam-example-com" { description = "Security group for masters" name = "masters.existing-iam.example.com" diff --git a/tests/integration/update_cluster/existing_iam_cloudformation/cloudformation.json b/tests/integration/update_cluster/existing_iam_cloudformation/cloudformation.json index e3ee41f372..22b7ec6845 100644 --- a/tests/integration/update_cluster/existing_iam_cloudformation/cloudformation.json +++ b/tests/integration/update_cluster/existing_iam_cloudformation/cloudformation.json @@ -469,7 +469,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmastersminimalexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommastersminimalexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -481,7 +481,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesminimalexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesminimalexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -493,7 +493,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22mastersminimalexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersminimalexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodesminimalexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesminimalexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -505,7 +529,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersminimalexamplecomingressall0to0mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersminimalexamplecomingressall0to0mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -519,7 +543,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmastersminimalexamplecomingressall0to0nodesminimalexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersminimalexamplecomingressall0to0nodesminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -533,7 +557,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingressall0to0nodesminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingressall0to0nodesminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -547,7 +571,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingresstcp1to2379mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingresstcp1to2379mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -561,7 +585,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingresstcp2382to4000mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingresstcp2382to4000mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -575,7 +599,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingresstcp4003to65535mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingresstcp4003to65535mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -589,7 +613,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingressudp1to65535mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingressudp1to65535mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -603,30 +627,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersminimalexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesminimalexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { 
diff --git a/tests/integration/update_cluster/existing_sg/kubernetes.tf b/tests/integration/update_cluster/existing_sg/kubernetes.tf index be730e0134..aec32420bf 100644 --- a/tests/integration/update_cluster/existing_sg/kubernetes.tf +++ b/tests/integration/update_cluster/existing_sg/kubernetes.tf @@ -798,7 +798,52 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.existingsg-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-existingsg-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-existingsg-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-sg-master-1a-Master" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = "sg-master-1a" + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-sg-master-1b-Master" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = "sg-master-1b" + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-sg-nodes-Node" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = "sg-nodes" + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-existingsg-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = "sg-elb" + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-existingsg-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -807,13 +852,265 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-existingsg-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = "sg-elb" - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-existingsg-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-existingsg-example-com-ingress-all-0to0-masters-existingsg-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-existingsg-example-com.id + source_security_group_id = aws_security_group.masters-existingsg-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-existingsg-example-com-ingress-all-0to0-sg-master-1a-Master" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-master-1a" + source_security_group_id = aws_security_group.masters-existingsg-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-existingsg-example-com-ingress-all-0to0-sg-master-1b-Master" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-master-1b" + source_security_group_id = aws_security_group.masters-existingsg-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-existingsg-example-com-ingress-all-0to0-sg-nodes-Node" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-nodes" + source_security_group_id = aws_security_group.masters-existingsg-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1a-Master-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = "sg-master-1a" + to_port = 
0 + type = "egress" +} + +resource "aws_security_group_rule" "from-sg-master-1a-Master-ingress-all-0to0-masters-existingsg-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-existingsg-example-com.id + source_security_group_id = "sg-master-1a" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1a-Master-ingress-all-0to0-sg-master-1a-Master" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-master-1a" + source_security_group_id = "sg-master-1a" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1a-Master-ingress-all-0to0-sg-master-1b-Master" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-master-1b" + source_security_group_id = "sg-master-1a" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1a-Master-ingress-all-0to0-sg-nodes-Node" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-nodes" + source_security_group_id = "sg-master-1a" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1b-Master-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = "sg-master-1b" + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-sg-master-1b-Master-ingress-all-0to0-masters-existingsg-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-existingsg-example-com.id + source_security_group_id = "sg-master-1b" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1b-Master-ingress-all-0to0-sg-master-1a-Master" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-master-1a" + source_security_group_id = "sg-master-1b" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1b-Master-ingress-all-0to0-sg-master-1b-Master" { + from_port = 0 + 
protocol = "-1" + security_group_id = "sg-master-1b" + source_security_group_id = "sg-master-1b" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-master-1b-Master-ingress-all-0to0-sg-nodes-Node" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-nodes" + source_security_group_id = "sg-master-1b" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = "sg-nodes" + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-all-0to0-sg-nodes-Node" { + from_port = 0 + protocol = "-1" + security_group_id = "sg-nodes" + source_security_group_id = "sg-nodes" + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-1to2379-masters-existingsg-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-existingsg-example-com.id + source_security_group_id = "sg-nodes" + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-1to2379-sg-master-1a-Master" { + from_port = 1 + protocol = "tcp" + security_group_id = "sg-master-1a" + source_security_group_id = "sg-nodes" + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-1to2379-sg-master-1b-Master" { + from_port = 1 + protocol = "tcp" + security_group_id = "sg-master-1b" + source_security_group_id = "sg-nodes" + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-2382to4000-masters-existingsg-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-existingsg-example-com.id + source_security_group_id = "sg-nodes" + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-sg-nodes-Node-ingress-tcp-2382to4000-sg-master-1a-Master" { + from_port = 2382 + protocol = "tcp" + security_group_id = "sg-master-1a" + source_security_group_id = "sg-nodes" + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-2382to4000-sg-master-1b-Master" { + from_port = 2382 + protocol = "tcp" + security_group_id = "sg-master-1b" + source_security_group_id = "sg-nodes" + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-4003to65535-masters-existingsg-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-existingsg-example-com.id + source_security_group_id = "sg-nodes" + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-4003to65535-sg-master-1a-Master" { + from_port = 4003 + protocol = "tcp" + security_group_id = "sg-master-1a" + source_security_group_id = "sg-nodes" + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-tcp-4003to65535-sg-master-1b-Master" { + from_port = 4003 + protocol = "tcp" + security_group_id = "sg-master-1b" + source_security_group_id = "sg-nodes" + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-udp-1to65535-masters-existingsg-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-existingsg-example-com.id + source_security_group_id = "sg-nodes" + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-udp-1to65535-sg-master-1a-Master" { + from_port = 1 + protocol = "udp" + security_group_id = "sg-master-1a" + source_security_group_id = "sg-nodes" + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-sg-nodes-Node-ingress-udp-1to65535-sg-master-1b-Master" { + from_port = 1 + protocol = 
"udp" + security_group_id = "sg-master-1b" + source_security_group_id = "sg-nodes" + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -852,303 +1149,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-existingsg-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-existingsg-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-existingsg-example-com-ingress-all-0to0-masters-existingsg-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-existingsg-example-com.id - source_security_group_id = aws_security_group.masters-existingsg-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-existingsg-example-com-ingress-all-0to0-sg-master-1a-Master" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1a" - source_security_group_id = aws_security_group.masters-existingsg-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-existingsg-example-com-ingress-all-0to0-sg-master-1b-Master" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1b" - source_security_group_id = aws_security_group.masters-existingsg-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-existingsg-example-com-ingress-all-0to0-sg-nodes-Node" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-nodes" - source_security_group_id = aws_security_group.masters-existingsg-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-master-1a-Master-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1a" - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "sg-master-1a-Master-ingress-all-0to0-masters-existingsg-example-com" { - from_port = 0 - protocol = "-1" - 
security_group_id = aws_security_group.masters-existingsg-example-com.id - source_security_group_id = "sg-master-1a" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-master-1a-Master-ingress-all-0to0-sg-master-1a-Master" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1a" - source_security_group_id = "sg-master-1a" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-master-1a-Master-ingress-all-0to0-sg-master-1b-Master" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1b" - source_security_group_id = "sg-master-1a" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-master-1a-Master-ingress-all-0to0-sg-nodes-Node" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-nodes" - source_security_group_id = "sg-master-1a" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-master-1b-Master-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1b" - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "sg-master-1b-Master-ingress-all-0to0-masters-existingsg-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-existingsg-example-com.id - source_security_group_id = "sg-master-1b" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-master-1b-Master-ingress-all-0to0-sg-master-1a-Master" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1a" - source_security_group_id = "sg-master-1b" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-master-1b-Master-ingress-all-0to0-sg-master-1b-Master" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-master-1b" - source_security_group_id = "sg-master-1b" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" 
"sg-master-1b-Master-ingress-all-0to0-sg-nodes-Node" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-nodes" - source_security_group_id = "sg-master-1b" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = "sg-nodes" - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-all-0to0-sg-nodes-Node" { - from_port = 0 - protocol = "-1" - security_group_id = "sg-nodes" - source_security_group_id = "sg-nodes" - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-1to2379-masters-existingsg-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-existingsg-example-com.id - source_security_group_id = "sg-nodes" - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-1to2379-sg-master-1a-Master" { - from_port = 1 - protocol = "tcp" - security_group_id = "sg-master-1a" - source_security_group_id = "sg-nodes" - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-1to2379-sg-master-1b-Master" { - from_port = 1 - protocol = "tcp" - security_group_id = "sg-master-1b" - source_security_group_id = "sg-nodes" - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-2382to4000-masters-existingsg-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-existingsg-example-com.id - source_security_group_id = "sg-nodes" - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-2382to4000-sg-master-1a-Master" { - from_port = 2382 - protocol = "tcp" - security_group_id = "sg-master-1a" - source_security_group_id = "sg-nodes" - to_port = 4000 - type = "ingress" -} - 
-resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-2382to4000-sg-master-1b-Master" { - from_port = 2382 - protocol = "tcp" - security_group_id = "sg-master-1b" - source_security_group_id = "sg-nodes" - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-4003to65535-masters-existingsg-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-existingsg-example-com.id - source_security_group_id = "sg-nodes" - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-4003to65535-sg-master-1a-Master" { - from_port = 4003 - protocol = "tcp" - security_group_id = "sg-master-1a" - source_security_group_id = "sg-nodes" - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-tcp-4003to65535-sg-master-1b-Master" { - from_port = 4003 - protocol = "tcp" - security_group_id = "sg-master-1b" - source_security_group_id = "sg-nodes" - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-udp-1to65535-masters-existingsg-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-existingsg-example-com.id - source_security_group_id = "sg-nodes" - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-udp-1to65535-sg-master-1a-Master" { - from_port = 1 - protocol = "udp" - security_group_id = "sg-master-1a" - source_security_group_id = "sg-nodes" - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "sg-nodes-Node-ingress-udp-1to65535-sg-master-1b-Master" { - from_port = 1 - protocol = "udp" - security_group_id = "sg-master-1b" - source_security_group_id = "sg-nodes" - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = 
"tcp" - security_group_id = aws_security_group.masters-existingsg-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0-sg-master-1a" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = "sg-master-1a" - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0-sg-master-1b" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = "sg-master-1b" - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0-sg-nodes" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = "sg-nodes" - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-existingsg-example-com" { description = "Security group for masters" name = "masters.existingsg.example.com" diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index d090a1a145..759148e8c7 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -488,7 +488,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmastersexternallbexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommastersexternallbexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -500,7 +500,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesexternallbexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesexternallbexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -512,7 +512,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22mastersexternallbexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersexternallbexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodesexternallbexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesexternallbexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443mastersexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -524,7 +548,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersexternallbexamplecomingressall0to0mastersexternallbexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersexternallbexamplecomingressall0to0mastersexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -538,7 +562,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmastersexternallbexamplecomingressall0to0nodesexternallbexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersexternallbexamplecomingressall0to0nodesexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -552,7 +576,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesexternallbexamplecomingressall0to0nodesexternallbexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesexternallbexamplecomingressall0to0nodesexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -566,7 +590,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesexternallbexamplecomingresstcp1to2379mastersexternallbexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesexternallbexamplecomingresstcp1to2379mastersexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -580,7 +604,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesexternallbexamplecomingresstcp2382to4000mastersexternallbexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesexternallbexamplecomingresstcp2382to4000mastersexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -594,7 +618,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesexternallbexamplecomingresstcp4003to65535mastersexternallbexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesexternallbexamplecomingresstcp4003to65535mastersexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -608,7 +632,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesexternallbexamplecomingressudp1to65535mastersexternallbexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesexternallbexamplecomingressudp1to65535mastersexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -622,30 +646,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersexternallbexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesexternallbexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmastersexternallbexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/externallb/kubernetes.tf b/tests/integration/update_cluster/externallb/kubernetes.tf index 388398753d..1cc39c73c7 100644 --- a/tests/integration/update_cluster/externallb/kubernetes.tf +++ b/tests/integration/update_cluster/externallb/kubernetes.tf @@ -434,7 +434,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.externallb-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-externallb-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-externallb-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-externallb-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-externallb-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-externallb-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" 
@@ -443,7 +461,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-externallb-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-externallb-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -452,7 +470,7 @@ resource "aws_security_group_rule" "masters-externallb-example-com-egress-all-0t type = "egress" } -resource "aws_security_group_rule" "masters-externallb-example-com-ingress-all-0to0-masters-externallb-example-com" { +resource "aws_security_group_rule" "from-masters-externallb-example-com-ingress-all-0to0-masters-externallb-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-externallb-example-com.id @@ -461,7 +479,7 @@ resource "aws_security_group_rule" "masters-externallb-example-com-ingress-all-0 type = "ingress" } -resource "aws_security_group_rule" "masters-externallb-example-com-ingress-all-0to0-nodes-externallb-example-com" { +resource "aws_security_group_rule" "from-masters-externallb-example-com-ingress-all-0to0-nodes-externallb-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-externallb-example-com.id @@ -470,7 +488,7 @@ resource "aws_security_group_rule" "masters-externallb-example-com-ingress-all-0 type = "ingress" } -resource "aws_security_group_rule" "nodes-externallb-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-externallb-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -479,7 +497,7 @@ resource "aws_security_group_rule" "nodes-externallb-example-com-egress-all-0to0 type = "egress" } -resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-all-0to0-nodes-externallb-example-com" { +resource "aws_security_group_rule" "from-nodes-externallb-example-com-ingress-all-0to0-nodes-externallb-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-externallb-example-com.id @@ -488,7 +506,7 @@ resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-all-0to type = "ingress" } -resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-tcp-1to2379-masters-externallb-example-com" { +resource "aws_security_group_rule" "from-nodes-externallb-example-com-ingress-tcp-1to2379-masters-externallb-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-externallb-example-com.id @@ -497,7 +515,7 @@ resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-tcp-1to type = "ingress" } -resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-tcp-2382to4000-masters-externallb-example-com" { +resource "aws_security_group_rule" "from-nodes-externallb-example-com-ingress-tcp-2382to4000-masters-externallb-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-externallb-example-com.id @@ -506,7 +524,7 @@ resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-tcp-238 type = "ingress" } -resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-tcp-4003to65535-masters-externallb-example-com" { +resource "aws_security_group_rule" "from-nodes-externallb-example-com-ingress-tcp-4003to65535-masters-externallb-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-externallb-example-com.id 
@@ -515,7 +533,7 @@ resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-tcp-400 type = "ingress" } -resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-udp-1to65535-masters-externallb-example-com" { +resource "aws_security_group_rule" "from-nodes-externallb-example-com-ingress-udp-1to65535-masters-externallb-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-externallb-example-com.id @@ -524,24 +542,6 @@ resource "aws_security_group_rule" "nodes-externallb-example-com-ingress-udp-1to type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-externallb-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-externallb-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-externallb-example-com" { description = "Security group for masters" name = "masters.externallb.example.com" diff --git a/tests/integration/update_cluster/externalpolicies/kubernetes.tf b/tests/integration/update_cluster/externalpolicies/kubernetes.tf index 5264276392..a9cb2ee5e9 100644 --- a/tests/integration/update_cluster/externalpolicies/kubernetes.tf +++ b/tests/integration/update_cluster/externalpolicies/kubernetes.tf 
@@ -530,7 +530,34 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.externalpolicies-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-externalpolicies-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-externalpolicies-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-externalpolicies-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-externalpolicies-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-externalpolicies-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-externalpolicies-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -539,13 +566,85 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-externalpolicies-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-externalpolicies-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-externalpolicies-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-externalpolicies-example-com-ingress-all-0to0-masters-externalpolicies-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-externalpolicies-example-com.id + source_security_group_id = aws_security_group.masters-externalpolicies-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-externalpolicies-example-com-ingress-all-0to0-nodes-externalpolicies-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + source_security_group_id = aws_security_group.masters-externalpolicies-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-externalpolicies-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-externalpolicies-example-com-ingress-all-0to0-nodes-externalpolicies-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + to_port = 0 + type = 
"ingress" +} + +resource "aws_security_group_rule" "from-nodes-externalpolicies-example-com-ingress-tcp-1to2379-masters-externalpolicies-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-externalpolicies-example-com.id + source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-externalpolicies-example-com-ingress-tcp-2382to4000-masters-externalpolicies-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-externalpolicies-example-com.id + source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-externalpolicies-example-com-ingress-tcp-4003to65535-masters-externalpolicies-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-externalpolicies-example-com.id + source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-externalpolicies-example-com-ingress-udp-1to65535-masters-externalpolicies-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-externalpolicies-example-com.id + source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -566,33 +665,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-externalpolicies-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-externalpolicies-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-externalpolicies-example-com-ingress-all-0to0-masters-externalpolicies-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-externalpolicies-example-com.id - source_security_group_id = aws_security_group.masters-externalpolicies-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-externalpolicies-example-com-ingress-all-0to0-nodes-externalpolicies-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - source_security_group_id = aws_security_group.masters-externalpolicies-example-com.id - to_port = 0 - type = "ingress" -} - resource "aws_security_group_rule" "nodeport-tcp-external-to-node-1-2-3-4--32" { cidr_blocks = ["1.2.3.4/32"] from_port = 28000 
@@ -629,78 +701,6 @@ resource "aws_security_group_rule" "nodeport-udp-external-to-node-10-20-30-0--24 type = "ingress" } -resource "aws_security_group_rule" "nodes-externalpolicies-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-externalpolicies-example-com-ingress-all-0to0-nodes-externalpolicies-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-externalpolicies-example-com-ingress-tcp-1to2379-masters-externalpolicies-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-externalpolicies-example-com.id - source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-externalpolicies-example-com-ingress-tcp-2382to4000-masters-externalpolicies-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-externalpolicies-example-com.id - source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-externalpolicies-example-com-ingress-tcp-4003to65535-masters-externalpolicies-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-externalpolicies-example-com.id - source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" 
"nodes-externalpolicies-example-com-ingress-udp-1to65535-masters-externalpolicies-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-externalpolicies-example-com.id - source_security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-externalpolicies-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-externalpolicies-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-externalpolicies-example-com" { description = "Security group for api ELB" name = "api-elb.externalpolicies.example.com" diff --git a/tests/integration/update_cluster/ha/kubernetes.tf b/tests/integration/update_cluster/ha/kubernetes.tf index 1e34a1d6f1..f4e56f8ab7 100644 --- a/tests/integration/update_cluster/ha/kubernetes.tf +++ b/tests/integration/update_cluster/ha/kubernetes.tf 
@@ -758,7 +758,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.ha-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-ha-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-ha-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-ha-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-ha-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-ha-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -767,7 +785,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-ha-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-ha-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -776,7 +794,7 @@ resource "aws_security_group_rule" "masters-ha-example-com-egress-all-0to0-0-0-0 type = "egress" } -resource "aws_security_group_rule" "masters-ha-example-com-ingress-all-0to0-masters-ha-example-com" { +resource "aws_security_group_rule" "from-masters-ha-example-com-ingress-all-0to0-masters-ha-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-ha-example-com.id 
@@ -785,7 +803,7 @@ resource "aws_security_group_rule" "masters-ha-example-com-ingress-all-0to0-mast type = "ingress" } -resource "aws_security_group_rule" "masters-ha-example-com-ingress-all-0to0-nodes-ha-example-com" { +resource "aws_security_group_rule" "from-masters-ha-example-com-ingress-all-0to0-nodes-ha-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-ha-example-com.id @@ -794,7 +812,7 @@ resource "aws_security_group_rule" "masters-ha-example-com-ingress-all-0to0-node type = "ingress" } -resource "aws_security_group_rule" "nodes-ha-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-ha-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -803,7 +821,7 @@ resource "aws_security_group_rule" "nodes-ha-example-com-egress-all-0to0-0-0-0-0 type = "egress" } -resource "aws_security_group_rule" "nodes-ha-example-com-ingress-all-0to0-nodes-ha-example-com" { +resource "aws_security_group_rule" "from-nodes-ha-example-com-ingress-all-0to0-nodes-ha-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-ha-example-com.id @@ -812,7 +830,7 @@ resource "aws_security_group_rule" "nodes-ha-example-com-ingress-all-0to0-nodes- type = "ingress" } -resource "aws_security_group_rule" "nodes-ha-example-com-ingress-tcp-1to2379-masters-ha-example-com" { +resource "aws_security_group_rule" "from-nodes-ha-example-com-ingress-tcp-1to2379-masters-ha-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-ha-example-com.id 
@@ -821,7 +839,7 @@ resource "aws_security_group_rule" "nodes-ha-example-com-ingress-tcp-1to2379-mas type = "ingress" } -resource "aws_security_group_rule" "nodes-ha-example-com-ingress-tcp-2382to4000-masters-ha-example-com" { +resource "aws_security_group_rule" "from-nodes-ha-example-com-ingress-tcp-2382to4000-masters-ha-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-ha-example-com.id @@ -830,7 +848,7 @@ resource "aws_security_group_rule" "nodes-ha-example-com-ingress-tcp-2382to4000- type = "ingress" } -resource "aws_security_group_rule" "nodes-ha-example-com-ingress-tcp-4003to65535-masters-ha-example-com" { +resource "aws_security_group_rule" "from-nodes-ha-example-com-ingress-tcp-4003to65535-masters-ha-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-ha-example-com.id @@ -839,7 +857,7 @@ resource "aws_security_group_rule" "nodes-ha-example-com-ingress-tcp-4003to65535 type = "ingress" } -resource "aws_security_group_rule" "nodes-ha-example-com-ingress-udp-1to65535-masters-ha-example-com" { +resource "aws_security_group_rule" "from-nodes-ha-example-com-ingress-udp-1to65535-masters-ha-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-ha-example-com.id 
@@ -848,24 +866,6 @@ resource "aws_security_group_rule" "nodes-ha-example-com-ingress-udp-1to65535-ma type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-ha-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-ha-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-ha-example-com" { description = "Security group for masters" name = "masters.ha.example.com" diff --git a/tests/integration/update_cluster/launch_templates/cloudformation.json b/tests/integration/update_cluster/launch_templates/cloudformation.json index d04232e451..8acc65695a 100644 --- a/tests/integration/update_cluster/launch_templates/cloudformation.json +++ b/tests/integration/update_cluster/launch_templates/cloudformation.json @@ -488,7 +488,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmasterslaunchtemplatesexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommasterslaunchtemplatesexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -500,7 +500,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodeslaunchtemplatesexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodeslaunchtemplatesexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -512,7 +512,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22masterslaunchtemplatesexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmasterslaunchtemplatesexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodeslaunchtemplatesexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodeslaunchtemplatesexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443masterslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -524,7 +548,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmasterslaunchtemplatesexamplecomingressall0to0masterslaunchtemplatesexamplecom": { + "AWSEC2SecurityGroupIngressfrommasterslaunchtemplatesexamplecomingressall0to0masterslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -538,7 +562,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmasterslaunchtemplatesexamplecomingressall0to0nodeslaunchtemplatesexamplecom": { + "AWSEC2SecurityGroupIngressfrommasterslaunchtemplatesexamplecomingressall0to0nodeslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -552,7 +576,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodeslaunchtemplatesexamplecomingressall0to0nodeslaunchtemplatesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodeslaunchtemplatesexamplecomingressall0to0nodeslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -566,7 +590,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodeslaunchtemplatesexamplecomingresstcp1to2379masterslaunchtemplatesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodeslaunchtemplatesexamplecomingresstcp1to2379masterslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -580,7 +604,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodeslaunchtemplatesexamplecomingresstcp2382to4000masterslaunchtemplatesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodeslaunchtemplatesexamplecomingresstcp2382to4000masterslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -594,7 +618,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodeslaunchtemplatesexamplecomingresstcp4003to65535masterslaunchtemplatesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodeslaunchtemplatesexamplecomingresstcp4003to65535masterslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -608,7 +632,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodeslaunchtemplatesexamplecomingressudp1to65535masterslaunchtemplatesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodeslaunchtemplatesexamplecomingressudp1to65535masterslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -622,30 +646,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmasterslaunchtemplatesexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodeslaunchtemplatesexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmasterslaunchtemplatesexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/launch_templates/kubernetes.tf b/tests/integration/update_cluster/launch_templates/kubernetes.tf index 12bcdf0961..a781330c7d 100644 --- a/tests/integration/update_cluster/launch_templates/kubernetes.tf +++ b/tests/integration/update_cluster/launch_templates/kubernetes.tf 
@@ -547,7 +547,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.launchtemplates-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-launchtemplates-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-launchtemplates-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-launchtemplates-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-launchtemplates-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-launchtemplates-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -556,7 +574,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-launchtemplates-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-launchtemplates-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -565,7 +583,7 @@ resource "aws_security_group_rule" "masters-launchtemplates-example-com-egress-a type = "egress" } -resource "aws_security_group_rule" "masters-launchtemplates-example-com-ingress-all-0to0-masters-launchtemplates-example-com" { +resource "aws_security_group_rule" "from-masters-launchtemplates-example-com-ingress-all-0to0-masters-launchtemplates-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-launchtemplates-example-com.id 
@@ -574,7 +592,7 @@ resource "aws_security_group_rule" "masters-launchtemplates-example-com-ingress- type = "ingress" } -resource "aws_security_group_rule" "masters-launchtemplates-example-com-ingress-all-0to0-nodes-launchtemplates-example-com" { +resource "aws_security_group_rule" "from-masters-launchtemplates-example-com-ingress-all-0to0-nodes-launchtemplates-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-launchtemplates-example-com.id @@ -583,7 +601,7 @@ resource "aws_security_group_rule" "masters-launchtemplates-example-com-ingress- type = "ingress" } -resource "aws_security_group_rule" "nodes-launchtemplates-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-launchtemplates-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -592,7 +610,7 @@ resource "aws_security_group_rule" "nodes-launchtemplates-example-com-egress-all type = "egress" } -resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-all-0to0-nodes-launchtemplates-example-com" { +resource "aws_security_group_rule" "from-nodes-launchtemplates-example-com-ingress-all-0to0-nodes-launchtemplates-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-launchtemplates-example-com.id @@ -601,7 +619,7 @@ resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-al type = "ingress" } -resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-tcp-1to2379-masters-launchtemplates-example-com" { +resource "aws_security_group_rule" "from-nodes-launchtemplates-example-com-ingress-tcp-1to2379-masters-launchtemplates-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-launchtemplates-example-com.id 
@@ -610,7 +628,7 @@ resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-tc type = "ingress" } -resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-tcp-2382to4000-masters-launchtemplates-example-com" { +resource "aws_security_group_rule" "from-nodes-launchtemplates-example-com-ingress-tcp-2382to4000-masters-launchtemplates-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-launchtemplates-example-com.id @@ -619,7 +637,7 @@ resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-tc type = "ingress" } -resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-tcp-4003to65535-masters-launchtemplates-example-com" { +resource "aws_security_group_rule" "from-nodes-launchtemplates-example-com-ingress-tcp-4003to65535-masters-launchtemplates-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-launchtemplates-example-com.id @@ -628,7 +646,7 @@ resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-tc type = "ingress" } -resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-udp-1to65535-masters-launchtemplates-example-com" { +resource "aws_security_group_rule" "from-nodes-launchtemplates-example-com-ingress-udp-1to65535-masters-launchtemplates-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-launchtemplates-example-com.id 
@@ -637,24 +655,6 @@ resource "aws_security_group_rule" "nodes-launchtemplates-example-com-ingress-ud type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-launchtemplates-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-launchtemplates-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-launchtemplates-example-com" { description = "Security group for masters" name = "masters.launchtemplates.example.com" diff --git a/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json b/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json index 584b8524f3..ab0c1e3f1f 100644 --- a/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json +++ b/tests/integration/update_cluster/minimal-cloudformation/cloudformation.json @@ -473,7 +473,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmastersminimalexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommastersminimalexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -485,7 +485,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesminimalexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesminimalexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -497,7 +497,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22mastersminimalexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersminimalexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodesminimalexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesminimalexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -509,7 +533,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersminimalexamplecomingressall0to0mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersminimalexamplecomingressall0to0mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -523,7 +547,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmastersminimalexamplecomingressall0to0nodesminimalexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersminimalexamplecomingressall0to0nodesminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -537,7 +561,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingressall0to0nodesminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingressall0to0nodesminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -551,7 +575,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingresstcp1to2379mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingresstcp1to2379mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -565,7 +589,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingresstcp2382to4000mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingresstcp2382to4000mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -579,7 +603,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingresstcp4003to65535mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingresstcp4003to65535mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -593,7 +617,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesminimalexamplecomingressudp1to65535mastersminimalexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesminimalexamplecomingressudp1to65535mastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -607,30 +631,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersminimalexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesminimalexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmastersminimalexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { 
diff --git a/tests/integration/update_cluster/minimal-gp3/kubernetes.tf b/tests/integration/update_cluster/minimal-gp3/kubernetes.tf index ec95665224..d6dd118cd7 100644 --- a/tests/integration/update_cluster/minimal-gp3/kubernetes.tf +++ b/tests/integration/update_cluster/minimal-gp3/kubernetes.tf @@ -434,7 +434,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.minimal-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-minimal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-minimal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-minimal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-minimal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -443,7 +461,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -452,7 +470,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-egress-all-0to0- type = "egress" } -resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-minimal-example-com.id @@ -461,7 +479,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0 type = "ingress" } -resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-minimal-example-com.id @@ -470,7 +488,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0 type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -479,7 +497,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-egress-all-0to0-0- type = "egress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-minimal-example-com.id 
@@ -488,7 +506,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-all-0to0-n type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-minimal-example-com.id @@ -497,7 +515,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-1to237 type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-minimal-example-com.id @@ -506,7 +524,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-2382to type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-minimal-example-com.id @@ -515,7 +533,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-4003to type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-minimal-example-com.id 
@@ -524,24 +542,6 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-udp-1to655 type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-minimal-example-com" { description = "Security group for masters" name = "masters.minimal.example.com" diff --git a/tests/integration/update_cluster/minimal-json/kubernetes.tf.json b/tests/integration/update_cluster/minimal-json/kubernetes.tf.json index eab6596c8e..490b449a5f 100644 --- a/tests/integration/update_cluster/minimal-json/kubernetes.tf.json +++ b/tests/integration/update_cluster/minimal-json/kubernetes.tf.json @@ -517,7 +517,27 @@ } }, "aws_security_group_rule": { - "https-external-to-master-0-0-0-0--0": { + "from-0-0-0-0--0-ingress-tcp-22to22-masters-minimal-json-example-com": { + "type": "ingress", + "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", + "from_port": 22, + "to_port": 22, + "protocol": "tcp", + "cidr_blocks": [ + "0.0.0.0/0" + ] + }, + "from-0-0-0-0--0-ingress-tcp-22to22-nodes-minimal-json-example-com": { + "type": "ingress", + "security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", + "from_port": 22, + "to_port": 22, + "protocol": "tcp", + "cidr_blocks": [ + "0.0.0.0/0" + ] + }, + "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", "from_port": 443, 
@@ -527,7 +547,7 @@ "0.0.0.0/0" ] }, - "masters-minimal-json-example-com-egress-all-0to0-0-0-0-0--0": { + "from-masters-minimal-json-example-com-egress-all-0to0-0-0-0-0--0": { "type": "egress", "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", "from_port": 0, @@ -537,7 +557,7 @@ "0.0.0.0/0" ] }, - "masters-minimal-json-example-com-ingress-all-0to0-masters-minimal-json-example-com": { + "from-masters-minimal-json-example-com-ingress-all-0to0-masters-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", "source_security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", @@ -545,7 +565,7 @@ "to_port": 0, "protocol": "-1" }, - "masters-minimal-json-example-com-ingress-all-0to0-nodes-minimal-json-example-com": { + "from-masters-minimal-json-example-com-ingress-all-0to0-nodes-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", "source_security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", @@ -553,7 +573,7 @@ "to_port": 0, "protocol": "-1" }, - "nodes-minimal-json-example-com-egress-all-0to0-0-0-0-0--0": { + "from-nodes-minimal-json-example-com-egress-all-0to0-0-0-0-0--0": { "type": "egress", "security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", "from_port": 0, @@ -563,7 +583,7 @@ "0.0.0.0/0" ] }, - "nodes-minimal-json-example-com-ingress-all-0to0-nodes-minimal-json-example-com": { + "from-nodes-minimal-json-example-com-ingress-all-0to0-nodes-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", "source_security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", 
@@ -571,7 +591,7 @@ "to_port": 0, "protocol": "-1" }, - "nodes-minimal-json-example-com-ingress-tcp-1to2379-masters-minimal-json-example-com": { + "from-nodes-minimal-json-example-com-ingress-tcp-1to2379-masters-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", "source_security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", @@ -579,7 +599,7 @@ "to_port": 2379, "protocol": "tcp" }, - "nodes-minimal-json-example-com-ingress-tcp-2382to4000-masters-minimal-json-example-com": { + "from-nodes-minimal-json-example-com-ingress-tcp-2382to4000-masters-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", "source_security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", @@ -587,7 +607,7 @@ "to_port": 4000, "protocol": "tcp" }, - "nodes-minimal-json-example-com-ingress-tcp-4003to65535-masters-minimal-json-example-com": { + "from-nodes-minimal-json-example-com-ingress-tcp-4003to65535-masters-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", "source_security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", 
@@ -595,33 +615,13 @@ "to_port": 65535, "protocol": "tcp" }, - "nodes-minimal-json-example-com-ingress-udp-1to65535-masters-minimal-json-example-com": { + "from-nodes-minimal-json-example-com-ingress-udp-1to65535-masters-minimal-json-example-com": { "type": "ingress", "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", "source_security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", "from_port": 1, "to_port": 65535, "protocol": "udp" - }, - "ssh-external-to-master-0-0-0-0--0": { - "type": "ingress", - "security_group_id": "${aws_security_group.masters-minimal-json-example-com.id}", - "from_port": 22, - "to_port": 22, - "protocol": "tcp", - "cidr_blocks": [ - "0.0.0.0/0" - ] - }, - "ssh-external-to-node-0-0-0-0--0": { - "type": "ingress", - "security_group_id": "${aws_security_group.nodes-minimal-json-example-com.id}", - "from_port": 22, - "to_port": 22, - "protocol": "tcp", - "cidr_blocks": [ - "0.0.0.0/0" - ] } }, "aws_subnet": { diff --git a/tests/integration/update_cluster/minimal/kubernetes.tf b/tests/integration/update_cluster/minimal/kubernetes.tf index 818066478c..6bec4a1482 100644 --- a/tests/integration/update_cluster/minimal/kubernetes.tf +++ b/tests/integration/update_cluster/minimal/kubernetes.tf 
@@ -430,7 +430,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.minimal-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-minimal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-minimal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-minimal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-minimal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -439,7 +457,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -448,7 +466,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-egress-all-0to0- type = "egress" } -resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-minimal-example-com.id 
@@ -457,7 +475,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0 type = "ingress" } -resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-minimal-example-com.id @@ -466,7 +484,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0 type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -475,7 +493,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-egress-all-0to0-0- type = "egress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-minimal-example-com.id @@ -484,7 +502,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-all-0to0-n type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-minimal-example-com.id 
@@ -493,7 +511,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-1to237 type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-minimal-example-com.id @@ -502,7 +520,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-2382to type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-minimal-example-com.id @@ -511,7 +529,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-4003to type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-minimal-example-com.id 
@@ -520,24 +538,6 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-udp-1to655 type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-minimal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-minimal-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-minimal-example-com" { description = "Security group for masters" name = "masters.minimal.example.com" diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index afb1598ac7..16506e7208 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json @@ -902,7 +902,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmastersmixedinstancesexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommastersmixedinstancesexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -914,7 +914,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesmixedinstancesexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesmixedinstancesexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -926,7 +926,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22mastersmixedinstancesexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersmixedinstancesexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodesmixedinstancesexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesmixedinstancesexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -938,7 +962,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersmixedinstancesexamplecomingressall0to0mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersmixedinstancesexamplecomingressall0to0mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -952,7 +976,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmastersmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -966,7 +990,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -980,7 +1004,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingresstcp1to2379mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingresstcp1to2379mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -994,7 +1018,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingresstcp2382to4000mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingresstcp2382to4000mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -1008,7 +1032,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingresstcp4003to65535mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingresstcp4003to65535mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -1022,7 +1046,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingressudp1to65535mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingressudp1to65535mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -1036,30 +1060,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersmixedinstancesexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesmixedinstancesexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/mixed_instances/kubernetes.tf b/tests/integration/update_cluster/mixed_instances/kubernetes.tf index 0cdb6d2712..19ec35c16e 100644 --- a/tests/integration/update_cluster/mixed_instances/kubernetes.tf +++ b/tests/integration/update_cluster/mixed_instances/kubernetes.tf 
@@ -776,7 +776,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.mixedinstances-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-mixedinstances-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-mixedinstances-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-mixedinstances-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-mixedinstances-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-mixedinstances-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -785,7 +803,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -794,7 +812,7 @@ resource "aws_security_group_rule" "masters-mixedinstances-example-com-egress-al type = "egress" } -resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-all-0to0-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-masters-mixedinstances-example-com-ingress-all-0to0-masters-mixedinstances-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-mixedinstances-example-com.id 
@@ -803,7 +821,7 @@ resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-a type = "ingress" } -resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-masters-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-mixedinstances-example-com.id @@ -812,7 +830,7 @@ resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-a type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -821,7 +839,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-egress-all- type = "egress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-mixedinstances-example-com.id @@ -830,7 +848,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-all type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp-1to2379-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-tcp-1to2379-masters-mixedinstances-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id 
@@ -839,7 +857,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp-2382to4000-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-tcp-2382to4000-masters-mixedinstances-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id @@ -848,7 +866,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp-4003to65535-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-tcp-4003to65535-masters-mixedinstances-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id @@ -857,7 +875,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-udp-1to65535-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-udp-1to65535-masters-mixedinstances-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id 
@@ -866,24 +884,6 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-udp type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-mixedinstances-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-mixedinstances-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-mixedinstances-example-com" { description = "Security group for masters" name = "masters.mixedinstances.example.com" diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index ae46624c86..6b4fc2660c 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -903,7 +903,7 @@ ] } }, - "AWSEC2SecurityGroupEgressmastersmixedinstancesexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrommastersmixedinstancesexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -915,7 +915,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesmixedinstancesexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesmixedinstancesexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -927,7 +927,31 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngresshttpsexternaltomaster00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22mastersmixedinstancesexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersmixedinstancesexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22nodesmixedinstancesexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesmixedinstancesexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -939,7 +963,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersmixedinstancesexamplecomingressall0to0mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersmixedinstancesexamplecomingressall0to0mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -953,7 +977,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressmastersmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfrommastersmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -967,7 +991,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingressall0to0nodesmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -981,7 +1005,7 @@ "IpProtocol": "-1" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingresstcp1to2379mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingresstcp1to2379mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -995,7 +1019,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingresstcp2382to4000mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingresstcp2382to4000mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -1009,7 +1033,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingresstcp4003to65535mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingresstcp4003to65535mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { @@ -1023,7 +1047,7 @@ "IpProtocol": "tcp" } }, - "AWSEC2SecurityGroupIngressnodesmixedinstancesexamplecomingressudp1to65535mastersmixedinstancesexamplecom": { + "AWSEC2SecurityGroupIngressfromnodesmixedinstancesexamplecomingressudp1to65535mastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -1037,30 +1061,6 @@ "IpProtocol": "udp" } }, - "AWSEC2SecurityGroupIngresssshexternaltomaster00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersmixedinstancesexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltonode00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesmixedinstancesexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupmastersmixedinstancesexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf b/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf index a3cede6769..fb49d16eb8 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf +++ b/tests/integration/update_cluster/mixed_instances_spot/kubernetes.tf 
@@ -776,7 +776,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.mixedinstances-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-mixedinstances-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-mixedinstances-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-mixedinstances-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-mixedinstances-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-mixedinstances-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -785,7 +803,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -794,7 +812,7 @@ resource "aws_security_group_rule" "masters-mixedinstances-example-com-egress-al type = "egress" } -resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-all-0to0-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-masters-mixedinstances-example-com-ingress-all-0to0-masters-mixedinstances-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-mixedinstances-example-com.id 
@@ -803,7 +821,7 @@ resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-a type = "ingress" } -resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-masters-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-mixedinstances-example-com.id @@ -812,7 +830,7 @@ resource "aws_security_group_rule" "masters-mixedinstances-example-com-ingress-a type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -821,7 +839,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-egress-all- type = "egress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-all-0to0-nodes-mixedinstances-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-mixedinstances-example-com.id @@ -830,7 +848,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-all type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp-1to2379-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-tcp-1to2379-masters-mixedinstances-example-com" { from_port = 1 protocol = "tcp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id 
@@ -839,7 +857,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp-2382to4000-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-tcp-2382to4000-masters-mixedinstances-example-com" { from_port = 2382 protocol = "tcp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id @@ -848,7 +866,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp-4003to65535-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-tcp-4003to65535-masters-mixedinstances-example-com" { from_port = 4003 protocol = "tcp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id @@ -857,7 +875,7 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-tcp type = "ingress" } -resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-udp-1to65535-masters-mixedinstances-example-com" { +resource "aws_security_group_rule" "from-nodes-mixedinstances-example-com-ingress-udp-1to65535-masters-mixedinstances-example-com" { from_port = 1 protocol = "udp" security_group_id = aws_security_group.masters-mixedinstances-example-com.id 
@@ -866,24 +884,6 @@ resource "aws_security_group_rule" "nodes-mixedinstances-example-com-ingress-udp type = "ingress" } -resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.masters-mixedinstances-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.nodes-mixedinstances-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "masters-mixedinstances-example-com" { description = "Security group for masters" name = "masters.mixedinstances.example.com" diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json index d18780c7e0..ab9d1764f4 100644 --- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json +++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json @@ -684,7 +684,7 @@ } } }, - "AWSEC2SecurityGroupEgressapielbegress": { + "AWSEC2SecurityGroupEgressfromapielbprivatesharedipexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -696,19 +696,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressbastionegress": { - "Type": "AWS::EC2::SecurityGroupEgress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupEgressbastionelbegress": { + "AWSEC2SecurityGroupEgressfrombastionelbprivatesharedipexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -720,7 +708,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressmastersprivatesharedipexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrombastionprivatesharedipexamplecomegressall0to000000": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupEgressfrommastersprivatesharedipexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -732,7 +732,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesprivatesharedipexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesprivatesharedipexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -744,35 +744,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontomasterssh": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22bastionelbprivatesharedipexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" + "Ref": "AWSEC2SecurityGroupbastionelbprivatesharedipexamplecom" }, "FromPort": 22, "ToPort": 22, - "IpProtocol": "tcp" + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontonodessh": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresshttpsapielb00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443apielbprivatesharedipexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -784,6 +768,146 @@ "CidrIp": "0.0.0.0/0" } }, + "AWSEC2SecurityGroupIngressfrombastionelbprivatesharedipexamplecomingresstcp22to22bastionprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionelbprivatesharedipexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivatesharedipexamplecomingresstcp22to22mastersprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivatesharedipexamplecomingresstcp22to22nodesprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivatesharedipexamplecomingressall0to0mastersprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivatesharedipexamplecomingressall0to0nodesprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + 
}, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatesharedipexamplecomingressall0to0nodesprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatesharedipexamplecomingresstcp1to2379mastersprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + }, + "FromPort": 1, + "ToPort": 2379, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatesharedipexamplecomingresstcp2382to4000mastersprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + }, + "FromPort": 2382, + "ToPort": 4000, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatesharedipexamplecomingresstcp4003to65535mastersprivatesharedipexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + }, + "FromPort": 4003, + "ToPort": 65535, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatesharedipexamplecomingressudp1to65535mastersprivatesharedipexamplecom": { + "Type": 
"AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" + }, + "FromPort": 1, + "ToPort": 65535, + "IpProtocol": "udp" + } + }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -810,130 +934,6 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersprivatesharedipexamplecomingressall0to0mastersprivatesharedipexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressmastersprivatesharedipexamplecomingressall0to0nodesprivatesharedipexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatesharedipexamplecomingressall0to0nodesprivatesharedipexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatesharedipexamplecomingresstcp1to2379mastersprivatesharedipexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "FromPort": 1, - "ToPort": 2379, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatesharedipexamplecomingresstcp2382to4000mastersprivatesharedipexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - 
"Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "FromPort": 2382, - "ToPort": 4000, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatesharedipexamplecomingresstcp4003to65535mastersprivatesharedipexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "FromPort": 4003, - "ToPort": 65535, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatesharedipexamplecomingressudp1to65535mastersprivatesharedipexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatesharedipexamplecom" - }, - "FromPort": 1, - "ToPort": 65535, - "IpProtocol": "udp" - } - }, - "AWSEC2SecurityGroupIngresssshelbtobastion": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatesharedipexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivatesharedipexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltobastionelb00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivatesharedipexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupapielbprivatesharedipexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf index 936b643539..6c92c8f17d 100644 --- a/tests/integration/update_cluster/private-shared-ip/kubernetes.tf 
+++ b/tests/integration/update_cluster/private-shared-ip/kubernetes.tf @@ -675,7 +675,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-private-shared-ip-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-private-shared-ip-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-private-shared-ip-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-private-shared-ip-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -684,16 +702,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -702,7 +711,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-private-shared-ip-example-com-ingress-tcp-22to22-bastion-private-shared-ip-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-private-shared-ip-example-com-ingress-tcp-22to22-masters-private-shared-ip-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-private-shared-ip-example-com.id @@ -711,7 +738,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-private-shared-ip-example-com-ingress-tcp-22to22-nodes-private-shared-ip-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id 
@@ -720,13 +747,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-private-shared-ip-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-private-shared-ip-example-com-ingress-all-0to0-masters-private-shared-ip-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-private-shared-ip-example-com-ingress-all-0to0-nodes-private-shared-ip-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-ip-example-com-ingress-all-0to0-nodes-private-shared-ip-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + 
to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-ip-example-com-ingress-tcp-1to2379-masters-private-shared-ip-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-ip-example-com-ingress-tcp-2382to4000-masters-private-shared-ip-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-ip-example-com-ingress-tcp-4003to65535-masters-private-shared-ip-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-ip-example-com-ingress-udp-1to65535-masters-private-shared-ip-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-private-shared-ip-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -747,105 +846,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-private-shared-ip-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-private-shared-ip-example-com-ingress-all-0to0-masters-private-shared-ip-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.masters-private-shared-ip-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-private-shared-ip-example-com-ingress-all-0to0-nodes-private-shared-ip-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.masters-private-shared-ip-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-ip-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-private-shared-ip-example-com-ingress-all-0to0-nodes-private-shared-ip-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-ip-example-com-ingress-tcp-1to2379-masters-private-shared-ip-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = 
aws_security_group.masters-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-ip-example-com-ingress-tcp-2382to4000-masters-private-shared-ip-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-ip-example-com-ingress-tcp-4003to65535-masters-private-shared-ip-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-ip-example-com-ingress-udp-1to65535-masters-private-shared-ip-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-ip-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-private-shared-ip-example-com.id - source_security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-private-shared-ip-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-private-shared-ip-example-com" { 
description = "Security group for api ELB" name = "api-elb.private-shared-ip.example.com" diff --git a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf index b1b65483e5..2ff8098ed0 100644 --- a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf @@ -618,7 +618,25 @@ resource "aws_route53_record" "api-private-shared-subnet-example-com" { zone_id = "/hostedzone/Z1AFAKE1ZON3YO" } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-private-shared-subnet-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-private-shared-subnet-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-private-shared-subnet-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -627,16 +645,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -645,7 +654,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-private-shared-subnet-example-com-ingress-tcp-22to22-bastion-private-shared-subnet-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-private-shared-subnet-example-com-ingress-tcp-22to22-masters-private-shared-subnet-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id @@ -654,7 +681,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-private-shared-subnet-example-com-ingress-tcp-22to22-nodes-private-shared-subnet-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id 
@@ -663,13 +690,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-private-shared-subnet-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-private-shared-subnet-example-com-ingress-all-0to0-masters-private-shared-subnet-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-private-shared-subnet-example-com-ingress-all-0to0-nodes-private-shared-subnet-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-subnet-example-com-ingress-all-0to0-nodes-private-shared-subnet-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id + source_security_group_id = 
aws_security_group.nodes-private-shared-subnet-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-subnet-example-com-ingress-tcp-1to2379-masters-private-shared-subnet-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-subnet-example-com-ingress-tcp-2382to4000-masters-private-shared-subnet-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-subnet-example-com-ingress-tcp-4003to65535-masters-private-shared-subnet-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-private-shared-subnet-example-com-ingress-udp-1to65535-masters-private-shared-subnet-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id + source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -690,105 +789,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-private-shared-subnet-example-com-ingress-all-0to0-masters-private-shared-subnet-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-private-shared-subnet-example-com-ingress-all-0to0-nodes-private-shared-subnet-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-subnet-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-private-shared-subnet-example-com-ingress-all-0to0-nodes-private-shared-subnet-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" 
"nodes-private-shared-subnet-example-com-ingress-tcp-1to2379-masters-private-shared-subnet-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-subnet-example-com-ingress-tcp-2382to4000-masters-private-shared-subnet-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-subnet-example-com-ingress-tcp-4003to65535-masters-private-shared-subnet-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-private-shared-subnet-example-com-ingress-udp-1to65535-masters-private-shared-subnet-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.nodes-private-shared-subnet-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-private-shared-subnet-example-com.id - source_security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 
22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-private-shared-subnet-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-private-shared-subnet-example-com" { description = "Security group for api ELB" name = "api-elb.private-shared-subnet.example.com" diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json index 5231a83699..4b4441bd66 100644 --- a/tests/integration/update_cluster/privatecalico/cloudformation.json +++ b/tests/integration/update_cluster/privatecalico/cloudformation.json @@ -757,7 +757,7 @@ } } }, - "AWSEC2SecurityGroupEgressapielbegress": { + "AWSEC2SecurityGroupEgressfromapielbprivatecalicoexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -769,19 +769,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressbastionegress": { - "Type": "AWS::EC2::SecurityGroupEgress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupEgressbastionelbegress": { + "AWSEC2SecurityGroupEgressfrombastionelbprivatecalicoexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -793,7 +781,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressmastersprivatecalicoexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrombastionprivatecalicoexamplecomegressall0to000000": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupEgressfrommastersprivatecalicoexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -805,7 +805,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesprivatecalicoexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesprivatecalicoexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -817,35 +817,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontomasterssh": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22bastionelbprivatecalicoexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" + "Ref": "AWSEC2SecurityGroupbastionelbprivatecalicoexamplecom" }, "FromPort": 22, "ToPort": 22, - "IpProtocol": "tcp" + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontonodessh": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresshttpsapielb00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443apielbprivatecalicoexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -857,6 +841,160 @@ "CidrIp": "0.0.0.0/0" } }, + "AWSEC2SecurityGroupIngressfrombastionelbprivatecalicoexamplecomingresstcp22to22bastionprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionelbprivatecalicoexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivatecalicoexamplecomingresstcp22to22mastersprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivatecalicoexamplecomingresstcp22to22nodesprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivatecalicoexamplecomingressall0to0mastersprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivatecalicoexamplecomingressall0to0nodesprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + 
"Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatecalicoexamplecomingress40to0mastersprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "FromPort": 0, + "ToPort": 65535, + "IpProtocol": "4" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatecalicoexamplecomingressall0to0nodesprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatecalicoexamplecomingresstcp1to2379mastersprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "FromPort": 1, + "ToPort": 2379, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatecalicoexamplecomingresstcp2382to4000mastersprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "FromPort": 2382, + "ToPort": 4000, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatecalicoexamplecomingresstcp4003to65535mastersprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": 
"AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "FromPort": 4003, + "ToPort": 65535, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivatecalicoexamplecomingressudp1to65535mastersprivatecalicoexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" + }, + "FromPort": 1, + "ToPort": 65535, + "IpProtocol": "udp" + } + }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -883,144 +1021,6 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersprivatecalicoexamplecomingressall0to0mastersprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressmastersprivatecalicoexamplecomingressall0to0nodesprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatecalicoexamplecomingress40to0mastersprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "FromPort": 0, - "ToPort": 65535, - "IpProtocol": "4" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatecalicoexamplecomingressall0to0nodesprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatecalicoexamplecomingresstcp1to2379mastersprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": 
"AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "FromPort": 1, - "ToPort": 2379, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatecalicoexamplecomingresstcp2382to4000mastersprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "FromPort": 2382, - "ToPort": 4000, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatecalicoexamplecomingresstcp4003to65535mastersprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "FromPort": 4003, - "ToPort": 65535, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivatecalicoexamplecomingressudp1to65535mastersprivatecalicoexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivatecalicoexamplecom" - }, - "FromPort": 1, - "ToPort": 65535, - "IpProtocol": "udp" - } - }, - "AWSEC2SecurityGroupIngresssshelbtobastion": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivatecalicoexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivatecalicoexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltobastionelb00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivatecalicoexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - 
"CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupapielbprivatecalicoexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/privatecalico/kubernetes.tf b/tests/integration/update_cluster/privatecalico/kubernetes.tf index ead570ff49..c345d46152 100644 --- a/tests/integration/update_cluster/privatecalico/kubernetes.tf +++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf @@ -698,7 +698,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privatecalico-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecalico-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatecalico-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privatecalico-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -707,16 +725,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -725,7 +734,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privatecalico-example-com-ingress-tcp-22to22-bastion-privatecalico-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatecalico-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privatecalico-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privatecalico-example-com-ingress-tcp-22to22-masters-privatecalico-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privatecalico-example-com.id @@ -734,7 +761,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privatecalico-example-com-ingress-tcp-22to22-nodes-privatecalico-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privatecalico-example-com.id 
@@ -743,13 +770,94 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatecalico-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privatecalico-example-com-ingress-all-0to0-masters-privatecalico-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + source_security_group_id = aws_security_group.masters-privatecalico-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privatecalico-example-com-ingress-all-0to0-nodes-privatecalico-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecalico-example-com.id + source_security_group_id = aws_security_group.masters-privatecalico-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecalico-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privatecalico-example-com-ingress-4-0to0-masters-privatecalico-example-com" { + from_port = 0 + protocol = "4" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id + to_port = 65535 + type = "ingress" +} + +resource 
"aws_security_group_rule" "from-nodes-privatecalico-example-com-ingress-all-0to0-nodes-privatecalico-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecalico-example-com.id + source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecalico-example-com-ingress-tcp-1to2379-masters-privatecalico-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecalico-example-com-ingress-tcp-2382to4000-masters-privatecalico-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecalico-example-com-ingress-tcp-4003to65535-masters-privatecalico-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecalico-example-com-ingress-udp-1to65535-masters-privatecalico-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privatecalico-example-com.id + source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -770,114 +878,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecalico-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privatecalico-example-com-ingress-all-0to0-masters-privatecalico-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecalico-example-com.id - source_security_group_id = aws_security_group.masters-privatecalico-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privatecalico-example-com-ingress-all-0to0-nodes-privatecalico-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecalico-example-com.id - source_security_group_id = aws_security_group.masters-privatecalico-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecalico-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privatecalico-example-com-ingress-4-0to0-masters-privatecalico-example-com" { - from_port = 0 - protocol = "4" - security_group_id = aws_security_group.masters-privatecalico-example-com.id - source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecalico-example-com-ingress-all-0to0-nodes-privatecalico-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecalico-example-com.id - source_security_group_id = 
aws_security_group.nodes-privatecalico-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecalico-example-com-ingress-tcp-1to2379-masters-privatecalico-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecalico-example-com.id - source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecalico-example-com-ingress-tcp-2382to4000-masters-privatecalico-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecalico-example-com.id - source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecalico-example-com-ingress-tcp-4003to65535-masters-privatecalico-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecalico-example-com.id - source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecalico-example-com-ingress-udp-1to65535-masters-privatecalico-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatecalico-example-com.id - source_security_group_id = aws_security_group.nodes-privatecalico-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecalico-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = 
"tcp" - security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privatecalico-example-com" { description = "Security group for api ELB" name = "api-elb.privatecalico.example.com" diff --git a/tests/integration/update_cluster/privatecanal/kubernetes.tf b/tests/integration/update_cluster/privatecanal/kubernetes.tf index 2e71b06296..429214b2da 100644 --- a/tests/integration/update_cluster/privatecanal/kubernetes.tf +++ b/tests/integration/update_cluster/privatecanal/kubernetes.tf @@ -698,7 +698,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privatecanal-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecanal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatecanal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privatecanal-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -707,16 +725,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -725,7 +734,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privatecanal-example-com-ingress-tcp-22to22-bastion-privatecanal-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatecanal-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privatecanal-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-ingress-tcp-22to22-masters-privatecanal-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privatecanal-example-com.id @@ -734,7 +761,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privatecanal-example-com-ingress-tcp-22to22-nodes-privatecanal-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privatecanal-example-com.id 
@@ -743,13 +770,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatecanal-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecanal-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privatecanal-example-com-ingress-all-0to0-masters-privatecanal-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecanal-example-com.id + source_security_group_id = aws_security_group.masters-privatecanal-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privatecanal-example-com-ingress-all-0to0-nodes-privatecanal-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecanal-example-com.id + source_security_group_id = aws_security_group.masters-privatecanal-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecanal-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-all-0to0-nodes-privatecanal-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecanal-example-com.id + source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-nodes-privatecanal-example-com-ingress-tcp-1to2379-masters-privatecanal-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecanal-example-com.id + source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-tcp-2382to4000-masters-privatecanal-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecanal-example-com.id + source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-tcp-4003to65535-masters-privatecanal-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecanal-example-com.id + source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecanal-example-com-ingress-udp-1to65535-masters-privatecanal-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privatecanal-example-com.id + source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -770,105 +869,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privatecanal-example-com-ingress-all-0to0-masters-privatecanal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privatecanal-example-com-ingress-all-0to0-nodes-privatecanal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - source_security_group_id = aws_security_group.masters-privatecanal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecanal-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privatecanal-example-com-ingress-all-0to0-nodes-privatecanal-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecanal-example-com-ingress-tcp-1to2379-masters-privatecanal-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = 
aws_security_group.nodes-privatecanal-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecanal-example-com-ingress-tcp-2382to4000-masters-privatecanal-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecanal-example-com-ingress-tcp-4003to65535-masters-privatecanal-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecanal-example-com-ingress-udp-1to65535-masters-privatecanal-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatecanal-example-com.id - source_security_group_id = aws_security_group.nodes-privatecanal-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecanal-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatecanal-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privatecanal-example-com" { description = "Security group for api ELB" name = "api-elb.privatecanal.example.com" 
diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index b976745718..47f2654ce9 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json @@ -757,7 +757,7 @@ } } }, - "AWSEC2SecurityGroupEgressapielbegress": { + "AWSEC2SecurityGroupEgressfromapielbprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -769,19 +769,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressbastionegress": { - "Type": "AWS::EC2::SecurityGroupEgress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupEgressbastionelbegress": { + "AWSEC2SecurityGroupEgressfrombastionelbprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -793,7 +781,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressmastersprivateciliumexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrombastionprivateciliumexamplecomegressall0to000000": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupEgressfrommastersprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -805,7 +805,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesprivateciliumexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -817,35 +817,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontomasterssh": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22bastionelbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" }, "FromPort": 22, "ToPort": 22, - "IpProtocol": "tcp" + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontonodessh": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresshttpsapielb00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443apielbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -857,6 +841,146 @@ "CidrIp": "0.0.0.0/0" } }, + "AWSEC2SecurityGroupIngressfrombastionelbprivateciliumexamplecomingresstcp22to22bastionprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivateciliumexamplecomingresstcp22to22mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivateciliumexamplecomingresstcp22to22nodesprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivateciliumexamplecomingressall0to0mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + 
"Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingresstcp1to2379mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 1, + "ToPort": 2379, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingresstcp2382to4000mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 2382, + "ToPort": 4000, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingresstcp4003to65535mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 4003, + "ToPort": 65535, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingressudp1to65535mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": 
"AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 1, + "ToPort": 65535, + "IpProtocol": "udp" + } + }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -883,130 +1007,6 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersprivateciliumexamplecomingressall0to0mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressmastersprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingresstcp1to2379mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 1, - "ToPort": 2379, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingresstcp2382to4000mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": 
"AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 2382, - "ToPort": 4000, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingresstcp4003to65535mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 4003, - "ToPort": 65535, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingressudp1to65535mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 1, - "ToPort": 65535, - "IpProtocol": "udp" - } - }, - "AWSEC2SecurityGroupIngresssshelbtobastion": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltobastionelb00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupapielbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/privatecilium/kubernetes.tf b/tests/integration/update_cluster/privatecilium/kubernetes.tf index 54074e3b92..506d08cbe6 100644 --- a/tests/integration/update_cluster/privatecilium/kubernetes.tf 
+++ b/tests/integration/update_cluster/privatecilium/kubernetes.tf @@ -698,7 +698,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privatecilium-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatecilium-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privatecilium-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -707,16 +725,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatecilium-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -725,7 +734,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-tcp-22to22-bastion-privatecilium-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatecilium-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privatecilium-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-tcp-22to22-masters-privatecilium-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privatecilium-example-com.id @@ -734,7 +761,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-tcp-22to22-nodes-privatecilium-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privatecilium-example-com.id 
@@ -743,13 +770,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatecilium-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privatecilium-example-com-ingress-all-0to0-masters-privatecilium-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.masters-privatecilium-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecilium-example-com.id + source_security_group_id = aws_security_group.masters-privatecilium-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-nodes-privatecilium-example-com-ingress-tcp-1to2379-masters-privatecilium-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-tcp-2382to4000-masters-privatecilium-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-tcp-4003to65535-masters-privatecilium-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-udp-1to65535-masters-privatecilium-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -770,105 +869,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privatecilium-example-com-ingress-all-0to0-masters-privatecilium-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.masters-privatecilium-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecilium-example-com.id - source_security_group_id = aws_security_group.masters-privatecilium-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-tcp-1to2379-masters-privatecilium-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id 
= aws_security_group.nodes-privatecilium-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-tcp-2382to4000-masters-privatecilium-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-tcp-4003to65535-masters-privatecilium-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-udp-1to65535-masters-privatecilium-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecilium-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privatecilium-example-com" { description = "Security group for api ELB" name = "api-elb.privatecilium.example.com" 
diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index b976745718..47f2654ce9 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json @@ -757,7 +757,7 @@ } } }, - "AWSEC2SecurityGroupEgressapielbegress": { + "AWSEC2SecurityGroupEgressfromapielbprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -769,19 +769,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressbastionegress": { - "Type": "AWS::EC2::SecurityGroupEgress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupEgressbastionelbegress": { + "AWSEC2SecurityGroupEgressfrombastionelbprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -793,7 +781,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressmastersprivateciliumexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrombastionprivateciliumexamplecomegressall0to000000": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupEgressfrommastersprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -805,7 +805,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesprivateciliumexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesprivateciliumexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -817,35 +817,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontomasterssh": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22bastionelbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" }, "FromPort": 22, "ToPort": 22, - "IpProtocol": "tcp" + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontonodessh": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresshttpsapielb00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443apielbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -857,6 +841,146 @@ "CidrIp": "0.0.0.0/0" } }, + "AWSEC2SecurityGroupIngressfrombastionelbprivateciliumexamplecomingresstcp22to22bastionprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivateciliumexamplecomingresstcp22to22mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivateciliumexamplecomingresstcp22to22nodesprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivateciliumexamplecomingressall0to0mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + 
"Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingresstcp1to2379mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 1, + "ToPort": 2379, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingresstcp2382to4000mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 2382, + "ToPort": 4000, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingresstcp4003to65535mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 4003, + "ToPort": 65535, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumexamplecomingressudp1to65535mastersprivateciliumexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": 
"AWSEC2SecurityGroupmastersprivateciliumexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" + }, + "FromPort": 1, + "ToPort": 65535, + "IpProtocol": "udp" + } + }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -883,130 +1007,6 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersprivateciliumexamplecomingressall0to0mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressmastersprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingressall0to0nodesprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingresstcp1to2379mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 1, - "ToPort": 2379, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingresstcp2382to4000mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": 
"AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 2382, - "ToPort": 4000, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingresstcp4003to65535mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 4003, - "ToPort": 65535, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumexamplecomingressudp1to65535mastersprivateciliumexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumexamplecom" - }, - "FromPort": 1, - "ToPort": 65535, - "IpProtocol": "udp" - } - }, - "AWSEC2SecurityGroupIngresssshelbtobastion": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltobastionelb00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupapielbprivateciliumexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { diff --git a/tests/integration/update_cluster/privatecilium2/kubernetes.tf b/tests/integration/update_cluster/privatecilium2/kubernetes.tf index 54074e3b92..506d08cbe6 100644 --- a/tests/integration/update_cluster/privatecilium2/kubernetes.tf 
+++ b/tests/integration/update_cluster/privatecilium2/kubernetes.tf @@ -698,7 +698,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privatecilium-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatecilium-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatecilium-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privatecilium-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -707,16 +725,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatecilium-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -725,7 +734,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privatecilium-example-com-ingress-tcp-22to22-bastion-privatecilium-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatecilium-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privatecilium-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-tcp-22to22-masters-privatecilium-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privatecilium-example-com.id @@ -734,7 +761,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privatecilium-example-com-ingress-tcp-22to22-nodes-privatecilium-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privatecilium-example-com.id 
@@ -743,13 +770,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatecilium-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privatecilium-example-com-ingress-all-0to0-masters-privatecilium-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.masters-privatecilium-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecilium-example-com.id + source_security_group_id = aws_security_group.masters-privatecilium-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-nodes-privatecilium-example-com-ingress-tcp-1to2379-masters-privatecilium-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-tcp-2382to4000-masters-privatecilium-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-tcp-4003to65535-masters-privatecilium-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatecilium-example-com-ingress-udp-1to65535-masters-privatecilium-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privatecilium-example-com.id + source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -770,105 +869,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privatecilium-example-com-ingress-all-0to0-masters-privatecilium-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.masters-privatecilium-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecilium-example-com.id - source_security_group_id = aws_security_group.masters-privatecilium-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-all-0to0-nodes-privatecilium-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-tcp-1to2379-masters-privatecilium-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id 
= aws_security_group.nodes-privatecilium-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-tcp-2382to4000-masters-privatecilium-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-tcp-4003to65535-masters-privatecilium-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatecilium-example-com-ingress-udp-1to65535-masters-privatecilium-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatecilium-example-com.id - source_security_group_id = aws_security_group.nodes-privatecilium-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatecilium-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatecilium-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privatecilium-example-com" { description = "Security group for api ELB" name = "api-elb.privatecilium.example.com" 
diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index 9b2dd7c95c..ae964bb09f 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json @@ -757,7 +757,7 @@ } } }, - "AWSEC2SecurityGroupEgressapielbegress": { + "AWSEC2SecurityGroupEgressfromapielbprivateciliumadvancedexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -769,19 +769,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressbastionegress": { - "Type": "AWS::EC2::SecurityGroupEgress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1", - "CidrIp": "0.0.0.0/0" - } - }, - "AWSEC2SecurityGroupEgressbastionelbegress": { + "AWSEC2SecurityGroupEgressfrombastionelbprivateciliumadvancedexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -793,7 +781,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressmastersprivateciliumadvancedexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfrombastionprivateciliumadvancedexamplecomegressall0to000000": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1", + "CidrIp": "0.0.0.0/0" + } + }, + "AWSEC2SecurityGroupEgressfrommastersprivateciliumadvancedexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { 
@@ -805,7 +805,7 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupEgressnodesprivateciliumadvancedexamplecomegressall0to000000": { + "AWSEC2SecurityGroupEgressfromnodesprivateciliumadvancedexamplecomegressall0to000000": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { @@ -817,35 +817,19 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontomasterssh": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp22to22bastionelbprivateciliumadvancedexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" + "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumadvancedexamplecom" }, "FromPort": 22, "ToPort": 22, - "IpProtocol": "tcp" + "IpProtocol": "tcp", + "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressbastiontonodessh": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresshttpsapielb00000": { + "AWSEC2SecurityGroupIngressfrom00000ingresstcp443to443apielbprivateciliumadvancedexamplecom": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { 
@@ -857,6 +841,146 @@ "CidrIp": "0.0.0.0/0" } }, + "AWSEC2SecurityGroupIngressfrombastionelbprivateciliumadvancedexamplecomingresstcp22to22bastionprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumadvancedexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivateciliumadvancedexamplecomingresstcp22to22mastersprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrombastionprivateciliumadvancedexamplecomingresstcp22to22nodesprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" + }, + "FromPort": 22, + "ToPort": 22, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivateciliumadvancedexamplecomingressall0to0mastersprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfrommastersprivateciliumadvancedexamplecomingressall0to0nodesprivateciliumadvancedexamplecom": { + "Type": 
"AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumadvancedexamplecomingressall0to0nodesprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "FromPort": 0, + "ToPort": 0, + "IpProtocol": "-1" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumadvancedexamplecomingresstcp1to2379mastersprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "FromPort": 1, + "ToPort": 2379, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumadvancedexamplecomingresstcp2383to4000mastersprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "FromPort": 2383, + "ToPort": 4000, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumadvancedexamplecomingresstcp4003to65535mastersprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": 
"AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "FromPort": 4003, + "ToPort": 65535, + "IpProtocol": "tcp" + } + }, + "AWSEC2SecurityGroupIngressfromnodesprivateciliumadvancedexamplecomingressudp1to65535mastersprivateciliumadvancedexamplecom": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" + }, + "SourceSecurityGroupId": { + "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" + }, + "FromPort": 1, + "ToPort": 65535, + "IpProtocol": "udp" + } + }, "AWSEC2SecurityGroupIngresshttpselbtomaster": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { 
@@ -883,130 +1007,6 @@ "CidrIp": "0.0.0.0/0" } }, - "AWSEC2SecurityGroupIngressmastersprivateciliumadvancedexamplecomingressall0to0mastersprivateciliumadvancedexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressmastersprivateciliumadvancedexamplecomingressall0to0nodesprivateciliumadvancedexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumadvancedexamplecomingressall0to0nodesprivateciliumadvancedexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "FromPort": 0, - "ToPort": 0, - "IpProtocol": "-1" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumadvancedexamplecomingresstcp1to2379mastersprivateciliumadvancedexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "FromPort": 1, - "ToPort": 2379, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumadvancedexamplecomingresstcp2383to4000mastersprivateciliumadvancedexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - 
"GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "FromPort": 2383, - "ToPort": 4000, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumadvancedexamplecomingresstcp4003to65535mastersprivateciliumadvancedexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "FromPort": 4003, - "ToPort": 65535, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngressnodesprivateciliumadvancedexamplecomingressudp1to65535mastersprivateciliumadvancedexamplecom": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupmastersprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupnodesprivateciliumadvancedexamplecom" - }, - "FromPort": 1, - "ToPort": 65535, - "IpProtocol": "udp" - } - }, - "AWSEC2SecurityGroupIngresssshelbtobastion": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionprivateciliumadvancedexamplecom" - }, - "SourceSecurityGroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumadvancedexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp" - } - }, - "AWSEC2SecurityGroupIngresssshexternaltobastionelb00000": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": { - "Ref": "AWSEC2SecurityGroupbastionelbprivateciliumadvancedexamplecom" - }, - "FromPort": 22, - "ToPort": 22, - "IpProtocol": "tcp", - "CidrIp": "0.0.0.0/0" - } - }, "AWSEC2SecurityGroupapielbprivateciliumadvancedexamplecom": { "Type": "AWS::EC2::SecurityGroup", "Properties": { 
diff --git a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf index 11bb18c9ef..25a8c80e27 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf +++ b/tests/integration/update_cluster/privateciliumadvanced/kubernetes.tf @@ -712,7 +712,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privateciliumadvanced-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privateciliumadvanced-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privateciliumadvanced-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privateciliumadvanced-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -721,16 +739,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -739,7 +748,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privateciliumadvanced-example-com-ingress-tcp-22to22-bastion-privateciliumadvanced-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privateciliumadvanced-example-com-ingress-tcp-22to22-masters-privateciliumadvanced-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id @@ -748,7 +775,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privateciliumadvanced-example-com-ingress-tcp-22to22-nodes-privateciliumadvanced-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id 
@@ -757,13 +784,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privateciliumadvanced-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privateciliumadvanced-example-com-ingress-all-0to0-masters-privateciliumadvanced-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + source_security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privateciliumadvanced-example-com-ingress-all-0to0-nodes-privateciliumadvanced-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id + source_security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privateciliumadvanced-example-com-ingress-all-0to0-nodes-privateciliumadvanced-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id + source_security_group_id = 
aws_security_group.nodes-privateciliumadvanced-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateciliumadvanced-example-com-ingress-tcp-1to2379-masters-privateciliumadvanced-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateciliumadvanced-example-com-ingress-tcp-2383to4000-masters-privateciliumadvanced-example-com" { + from_port = 2383 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateciliumadvanced-example-com-ingress-tcp-4003to65535-masters-privateciliumadvanced-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateciliumadvanced-example-com-ingress-udp-1to65535-masters-privateciliumadvanced-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id + source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -784,105 +883,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privateciliumadvanced-example-com-ingress-all-0to0-masters-privateciliumadvanced-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privateciliumadvanced-example-com-ingress-all-0to0-nodes-privateciliumadvanced-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateciliumadvanced-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privateciliumadvanced-example-com-ingress-all-0to0-nodes-privateciliumadvanced-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" 
"nodes-privateciliumadvanced-example-com-ingress-tcp-1to2379-masters-privateciliumadvanced-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateciliumadvanced-example-com-ingress-tcp-2383to4000-masters-privateciliumadvanced-example-com" { - from_port = 2383 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateciliumadvanced-example-com-ingress-tcp-4003to65535-masters-privateciliumadvanced-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateciliumadvanced-example-com-ingress-udp-1to65535-masters-privateciliumadvanced-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.nodes-privateciliumadvanced-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privateciliumadvanced-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 
22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privateciliumadvanced-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privateciliumadvanced-example-com" { description = "Security group for api ELB" name = "api-elb.privateciliumadvanced.example.com" diff --git a/tests/integration/update_cluster/privatedns1/kubernetes.tf b/tests/integration/update_cluster/privatedns1/kubernetes.tf index 459a916d6a..5884cc7ddf 100644 --- a/tests/integration/update_cluster/privatedns1/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns1/kubernetes.tf @@ -777,7 +777,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privatedns1-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatedns1-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatedns1-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privatedns1-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -786,16 +804,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatedns1-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -804,7 +813,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privatedns1-example-com-ingress-tcp-22to22-bastion-privatedns1-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatedns1-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privatedns1-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privatedns1-example-com-ingress-tcp-22to22-masters-privatedns1-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privatedns1-example-com.id @@ -813,7 +840,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privatedns1-example-com-ingress-tcp-22to22-nodes-privatedns1-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privatedns1-example-com.id 
@@ -822,13 +849,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatedns1-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatedns1-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privatedns1-example-com-ingress-all-0to0-masters-privatedns1-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatedns1-example-com.id + source_security_group_id = aws_security_group.masters-privatedns1-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privatedns1-example-com-ingress-all-0to0-nodes-privatedns1-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatedns1-example-com.id + source_security_group_id = aws_security_group.masters-privatedns1-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatedns1-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns1-example-com-ingress-all-0to0-nodes-privatedns1-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatedns1-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-nodes-privatedns1-example-com-ingress-tcp-1to2379-masters-privatedns1-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatedns1-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns1-example-com-ingress-tcp-2382to4000-masters-privatedns1-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatedns1-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns1-example-com-ingress-tcp-4003to65535-masters-privatedns1-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatedns1-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns1-example-com-ingress-udp-1to65535-masters-privatedns1-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privatedns1-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -849,105 +948,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatedns1-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privatedns1-example-com-ingress-all-0to0-masters-privatedns1-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatedns1-example-com.id - source_security_group_id = aws_security_group.masters-privatedns1-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privatedns1-example-com-ingress-all-0to0-nodes-privatedns1-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatedns1-example-com.id - source_security_group_id = aws_security_group.masters-privatedns1-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns1-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatedns1-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privatedns1-example-com-ingress-all-0to0-nodes-privatedns1-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatedns1-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns1-example-com-ingress-tcp-1to2379-masters-privatedns1-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatedns1-example-com.id - source_security_group_id = 
aws_security_group.nodes-privatedns1-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns1-example-com-ingress-tcp-2382to4000-masters-privatedns1-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatedns1-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns1-example-com-ingress-tcp-4003to65535-masters-privatedns1-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatedns1-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns1-example-com-ingress-udp-1to65535-masters-privatedns1-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatedns1-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns1-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatedns1-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatedns1-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privatedns1-example-com" { description = "Security group for api ELB" name = "api-elb.privatedns1.example.com" 
diff --git a/tests/integration/update_cluster/privatedns2/kubernetes.tf b/tests/integration/update_cluster/privatedns2/kubernetes.tf index 9694f372b0..f7ce284a2b 100644 --- a/tests/integration/update_cluster/privatedns2/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns2/kubernetes.tf @@ -684,7 +684,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privatedns2-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatedns2-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatedns2-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privatedns2-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -693,16 +711,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatedns2-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -711,7 +720,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privatedns2-example-com-ingress-tcp-22to22-bastion-privatedns2-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatedns2-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privatedns2-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privatedns2-example-com-ingress-tcp-22to22-masters-privatedns2-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privatedns2-example-com.id @@ -720,7 +747,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privatedns2-example-com-ingress-tcp-22to22-nodes-privatedns2-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privatedns2-example-com.id 
@@ -729,13 +756,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatedns2-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatedns2-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privatedns2-example-com-ingress-all-0to0-masters-privatedns2-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatedns2-example-com.id + source_security_group_id = aws_security_group.masters-privatedns2-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privatedns2-example-com-ingress-all-0to0-nodes-privatedns2-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatedns2-example-com.id + source_security_group_id = aws_security_group.masters-privatedns2-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatedns2-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns2-example-com-ingress-all-0to0-nodes-privatedns2-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatedns2-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-nodes-privatedns2-example-com-ingress-tcp-1to2379-masters-privatedns2-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatedns2-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns2-example-com-ingress-tcp-2382to4000-masters-privatedns2-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatedns2-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns2-example-com-ingress-tcp-4003to65535-masters-privatedns2-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatedns2-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatedns2-example-com-ingress-udp-1to65535-masters-privatedns2-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privatedns2-example-com.id + source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -756,105 +855,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatedns2-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privatedns2-example-com-ingress-all-0to0-masters-privatedns2-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatedns2-example-com.id - source_security_group_id = aws_security_group.masters-privatedns2-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privatedns2-example-com-ingress-all-0to0-nodes-privatedns2-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatedns2-example-com.id - source_security_group_id = aws_security_group.masters-privatedns2-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns2-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatedns2-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privatedns2-example-com-ingress-all-0to0-nodes-privatedns2-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatedns2-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns2-example-com-ingress-tcp-1to2379-masters-privatedns2-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatedns2-example-com.id - source_security_group_id = 
aws_security_group.nodes-privatedns2-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns2-example-com-ingress-tcp-2382to4000-masters-privatedns2-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatedns2-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns2-example-com-ingress-tcp-4003to65535-masters-privatedns2-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatedns2-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatedns2-example-com-ingress-udp-1to65535-masters-privatedns2-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatedns2-example-com.id - source_security_group_id = aws_security_group.nodes-privatedns2-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatedns2-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatedns2-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privatedns2-example-com" { description = "Security group for api ELB" name = "api-elb.privatedns2.example.com" 
diff --git a/tests/integration/update_cluster/privateflannel/kubernetes.tf b/tests/integration/update_cluster/privateflannel/kubernetes.tf index 07f7de799c..e4ea36a0c9 100644 --- a/tests/integration/update_cluster/privateflannel/kubernetes.tf +++ b/tests/integration/update_cluster/privateflannel/kubernetes.tf @@ -698,7 +698,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privateflannel-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privateflannel-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privateflannel-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privateflannel-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -707,16 +725,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privateflannel-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -725,7 +734,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privateflannel-example-com-ingress-tcp-22to22-bastion-privateflannel-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privateflannel-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privateflannel-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privateflannel-example-com-ingress-tcp-22to22-masters-privateflannel-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privateflannel-example-com.id @@ -734,7 +761,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privateflannel-example-com-ingress-tcp-22to22-nodes-privateflannel-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privateflannel-example-com.id 
@@ -743,13 +770,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privateflannel-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privateflannel-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privateflannel-example-com-ingress-all-0to0-masters-privateflannel-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privateflannel-example-com.id + source_security_group_id = aws_security_group.masters-privateflannel-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privateflannel-example-com-ingress-all-0to0-nodes-privateflannel-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateflannel-example-com.id + source_security_group_id = aws_security_group.masters-privateflannel-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateflannel-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privateflannel-example-com-ingress-all-0to0-nodes-privateflannel-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateflannel-example-com.id + source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id + to_port = 0 + type = "ingress" +} + +resource 
"aws_security_group_rule" "from-nodes-privateflannel-example-com-ingress-tcp-1to2379-masters-privateflannel-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateflannel-example-com.id + source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateflannel-example-com-ingress-tcp-2382to4000-masters-privateflannel-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateflannel-example-com.id + source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateflannel-example-com-ingress-tcp-4003to65535-masters-privateflannel-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateflannel-example-com.id + source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateflannel-example-com-ingress-udp-1to65535-masters-privateflannel-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privateflannel-example-com.id + source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -770,105 +869,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privateflannel-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privateflannel-example-com-ingress-all-0to0-masters-privateflannel-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privateflannel-example-com.id - source_security_group_id = aws_security_group.masters-privateflannel-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privateflannel-example-com-ingress-all-0to0-nodes-privateflannel-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateflannel-example-com.id - source_security_group_id = aws_security_group.masters-privateflannel-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateflannel-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateflannel-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privateflannel-example-com-ingress-all-0to0-nodes-privateflannel-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateflannel-example-com.id - source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateflannel-example-com-ingress-tcp-1to2379-masters-privateflannel-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateflannel-example-com.id - 
source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateflannel-example-com-ingress-tcp-2382to4000-masters-privateflannel-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateflannel-example-com.id - source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateflannel-example-com-ingress-tcp-4003to65535-masters-privateflannel-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateflannel-example-com.id - source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateflannel-example-com-ingress-udp-1to65535-masters-privateflannel-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privateflannel-example-com.id - source_security_group_id = aws_security_group.nodes-privateflannel-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privateflannel-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privateflannel-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privateflannel-example-com" { description = "Security group for api ELB" name = "api-elb.privateflannel.example.com" 
diff --git a/tests/integration/update_cluster/privatekopeio/kubernetes.tf b/tests/integration/update_cluster/privatekopeio/kubernetes.tf index 4a951e0d8a..c663ee44ea 100644 --- a/tests/integration/update_cluster/privatekopeio/kubernetes.tf +++ b/tests/integration/update_cluster/privatekopeio/kubernetes.tf @@ -720,7 +720,25 @@ resource "aws_route" "route-private-us-test-1b-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1b-privatekopeio-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privatekopeio-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privatekopeio-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privatekopeio-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -729,16 +747,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privatekopeio-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -747,7 +756,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privatekopeio-example-com-ingress-tcp-22to22-bastion-privatekopeio-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privatekopeio-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privatekopeio-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privatekopeio-example-com-ingress-tcp-22to22-masters-privatekopeio-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privatekopeio-example-com.id @@ -756,7 +783,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privatekopeio-example-com-ingress-tcp-22to22-nodes-privatekopeio-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privatekopeio-example-com.id 
@@ -765,13 +792,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privatekopeio-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatekopeio-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privatekopeio-example-com-ingress-all-0to0-masters-privatekopeio-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privatekopeio-example-com.id + source_security_group_id = aws_security_group.masters-privatekopeio-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privatekopeio-example-com-ingress-all-0to0-nodes-privatekopeio-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + source_security_group_id = aws_security_group.masters-privatekopeio-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privatekopeio-example-com-ingress-all-0to0-nodes-privatekopeio-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-nodes-privatekopeio-example-com-ingress-tcp-1to2379-masters-privatekopeio-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatekopeio-example-com.id + source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatekopeio-example-com-ingress-tcp-2382to4000-masters-privatekopeio-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatekopeio-example-com.id + source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatekopeio-example-com-ingress-tcp-4003to65535-masters-privatekopeio-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privatekopeio-example-com.id + source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privatekopeio-example-com-ingress-udp-1to65535-masters-privatekopeio-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privatekopeio-example-com.id + source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -792,105 +891,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatekopeio-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privatekopeio-example-com-ingress-all-0to0-masters-privatekopeio-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privatekopeio-example-com.id - source_security_group_id = aws_security_group.masters-privatekopeio-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privatekopeio-example-com-ingress-all-0to0-nodes-privatekopeio-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatekopeio-example-com.id - source_security_group_id = aws_security_group.masters-privatekopeio-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatekopeio-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatekopeio-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privatekopeio-example-com-ingress-all-0to0-nodes-privatekopeio-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privatekopeio-example-com.id - source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatekopeio-example-com-ingress-tcp-1to2379-masters-privatekopeio-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatekopeio-example-com.id - source_security_group_id 
= aws_security_group.nodes-privatekopeio-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatekopeio-example-com-ingress-tcp-2382to4000-masters-privatekopeio-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatekopeio-example-com.id - source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatekopeio-example-com-ingress-tcp-4003to65535-masters-privatekopeio-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privatekopeio-example-com.id - source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privatekopeio-example-com-ingress-udp-1to65535-masters-privatekopeio-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privatekopeio-example-com.id - source_security_group_id = aws_security_group.nodes-privatekopeio-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privatekopeio-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privatekopeio-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privatekopeio-example-com" { description = "Security group for api ELB" name = "api-elb.privatekopeio.example.com" 
diff --git a/tests/integration/update_cluster/privateweave/kubernetes.tf b/tests/integration/update_cluster/privateweave/kubernetes.tf index ee4e3f8353..4f7ed966f7 100644 --- a/tests/integration/update_cluster/privateweave/kubernetes.tf +++ b/tests/integration/update_cluster/privateweave/kubernetes.tf @@ -698,7 +698,25 @@ resource "aws_route" "route-private-us-test-1a-0-0-0-0--0" { route_table_id = aws_route_table.private-us-test-1a-privateweave-example-com.id } -resource "aws_security_group_rule" "api-elb-egress" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-privateweave-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-elb-privateweave-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-privateweave-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.api-elb-privateweave-example-com.id + to_port = 443 + type = "ingress" +} + +resource "aws_security_group_rule" "from-api-elb-privateweave-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -707,16 +725,7 @@ resource "aws_security_group_rule" "api-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-egress" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.bastion-privateweave-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "bastion-elb-egress" { +resource "aws_security_group_rule" "from-bastion-elb-privateweave-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -725,7 +734,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" { type = "egress" } -resource "aws_security_group_rule" "bastion-to-master-ssh" { +resource "aws_security_group_rule" "from-bastion-elb-privateweave-example-com-ingress-tcp-22to22-bastion-privateweave-example-com" { + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.bastion-privateweave-example-com.id + source_security_group_id = aws_security_group.bastion-elb-privateweave-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-bastion-privateweave-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.bastion-privateweave-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-bastion-privateweave-example-com-ingress-tcp-22to22-masters-privateweave-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.masters-privateweave-example-com.id @@ -734,7 +761,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" { type = "ingress" } -resource "aws_security_group_rule" "bastion-to-node-ssh" { +resource "aws_security_group_rule" "from-bastion-privateweave-example-com-ingress-tcp-22to22-nodes-privateweave-example-com" { from_port = 22 protocol = "tcp" security_group_id = aws_security_group.nodes-privateweave-example-com.id 
@@ -743,13 +770,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" { type = "ingress" } -resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-privateweave-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] - from_port = 443 - protocol = "tcp" - security_group_id = aws_security_group.api-elb-privateweave-example-com.id - to_port = 443 - type = "ingress" + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privateweave-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-masters-privateweave-example-com-ingress-all-0to0-masters-privateweave-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.masters-privateweave-example-com.id + source_security_group_id = aws_security_group.masters-privateweave-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-masters-privateweave-example-com-ingress-all-0to0-nodes-privateweave-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateweave-example-com.id + source_security_group_id = aws_security_group.masters-privateweave-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateweave-example-com-egress-all-0to0-0-0-0-0--0" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateweave-example-com.id + to_port = 0 + type = "egress" +} + +resource "aws_security_group_rule" "from-nodes-privateweave-example-com-ingress-all-0to0-nodes-privateweave-example-com" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.nodes-privateweave-example-com.id + source_security_group_id = aws_security_group.nodes-privateweave-example-com.id + to_port = 0 + type = "ingress" +} + +resource "aws_security_group_rule" 
"from-nodes-privateweave-example-com-ingress-tcp-1to2379-masters-privateweave-example-com" { + from_port = 1 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateweave-example-com.id + source_security_group_id = aws_security_group.nodes-privateweave-example-com.id + to_port = 2379 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateweave-example-com-ingress-tcp-2382to4000-masters-privateweave-example-com" { + from_port = 2382 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateweave-example-com.id + source_security_group_id = aws_security_group.nodes-privateweave-example-com.id + to_port = 4000 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateweave-example-com-ingress-tcp-4003to65535-masters-privateweave-example-com" { + from_port = 4003 + protocol = "tcp" + security_group_id = aws_security_group.masters-privateweave-example-com.id + source_security_group_id = aws_security_group.nodes-privateweave-example-com.id + to_port = 65535 + type = "ingress" +} + +resource "aws_security_group_rule" "from-nodes-privateweave-example-com-ingress-udp-1to65535-masters-privateweave-example-com" { + from_port = 1 + protocol = "udp" + security_group_id = aws_security_group.masters-privateweave-example-com.id + source_security_group_id = aws_security_group.nodes-privateweave-example-com.id + to_port = 65535 + type = "ingress" } resource "aws_security_group_rule" "https-elb-to-master" { 
@@ -770,105 +869,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-privateweave-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privateweave-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "masters-privateweave-example-com-ingress-all-0to0-masters-privateweave-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.masters-privateweave-example-com.id - source_security_group_id = aws_security_group.masters-privateweave-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "masters-privateweave-example-com-ingress-all-0to0-nodes-privateweave-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateweave-example-com.id - source_security_group_id = aws_security_group.masters-privateweave-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateweave-example-com-egress-all-0to0-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateweave-example-com.id - to_port = 0 - type = "egress" -} - -resource "aws_security_group_rule" "nodes-privateweave-example-com-ingress-all-0to0-nodes-privateweave-example-com" { - from_port = 0 - protocol = "-1" - security_group_id = aws_security_group.nodes-privateweave-example-com.id - source_security_group_id = aws_security_group.nodes-privateweave-example-com.id - to_port = 0 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateweave-example-com-ingress-tcp-1to2379-masters-privateweave-example-com" { - from_port = 1 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateweave-example-com.id - source_security_group_id = 
aws_security_group.nodes-privateweave-example-com.id - to_port = 2379 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateweave-example-com-ingress-tcp-2382to4000-masters-privateweave-example-com" { - from_port = 2382 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateweave-example-com.id - source_security_group_id = aws_security_group.nodes-privateweave-example-com.id - to_port = 4000 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateweave-example-com-ingress-tcp-4003to65535-masters-privateweave-example-com" { - from_port = 4003 - protocol = "tcp" - security_group_id = aws_security_group.masters-privateweave-example-com.id - source_security_group_id = aws_security_group.nodes-privateweave-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "nodes-privateweave-example-com-ingress-udp-1to65535-masters-privateweave-example-com" { - from_port = 1 - protocol = "udp" - security_group_id = aws_security_group.masters-privateweave-example-com.id - source_security_group_id = aws_security_group.nodes-privateweave-example-com.id - to_port = 65535 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-elb-to-bastion" { - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-privateweave-example-com.id - source_security_group_id = aws_security_group.bastion-elb-privateweave-example-com.id - to_port = 22 - type = "ingress" -} - -resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" { - cidr_blocks = ["0.0.0.0/0"] - from_port = 22 - protocol = "tcp" - security_group_id = aws_security_group.bastion-elb-privateweave-example-com.id - to_port = 22 - type = "ingress" -} - resource "aws_security_group" "api-elb-privateweave-example-com" { description = "Security group for api ELB" name = "api-elb.privateweave.example.com" 
diff --git a/tests/integration/update_cluster/public-jwks/kubernetes.tf b/tests/integration/update_cluster/public-jwks/kubernetes.tf index 2e33a382d9..3d4d211c5b 100644 --- a/tests/integration/update_cluster/public-jwks/kubernetes.tf +++ b/tests/integration/update_cluster/public-jwks/kubernetes.tf @@ -462,7 +462,25 @@ resource "aws_route" "route-0-0-0-0--0" { route_table_id = aws_route_table.minimal-example-com.id } -resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-minimal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.masters-minimal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-minimal-example-com" { + cidr_blocks = ["0.0.0.0/0"] + from_port = 22 + protocol = "tcp" + security_group_id = aws_security_group.nodes-minimal-example-com.id + to_port = 22 + type = "ingress" +} + +resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-minimal-example-com" { cidr_blocks = ["0.0.0.0/0"] from_port = 443 protocol = "tcp" @@ -471,7 +489,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" { type = "ingress" } -resource "aws_security_group_rule" "masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" 
@@ -480,7 +498,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-egress-all-0to0- type = "egress" } -resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-masters-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.masters-minimal-example-com.id @@ -489,7 +507,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0 type = "ingress" } -resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { +resource "aws_security_group_rule" "from-masters-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-minimal-example-com.id @@ -498,7 +516,7 @@ resource "aws_security_group_rule" "masters-minimal-example-com-ingress-all-0to0 type = "ingress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-egress-all-0to0-0-0-0-0--0" { cidr_blocks = ["0.0.0.0/0"] from_port = 0 protocol = "-1" @@ -507,7 +525,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-egress-all-0to0-0- type = "egress" } -resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { +resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-all-0to0-nodes-minimal-example-com" { from_port = 0 protocol = "-1" security_group_id = aws_security_group.nodes-minimal-example-com.id 
@@ -516,7 +534,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-all-0to0-n
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" {
+resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-1to2379-masters-minimal-example-com" {
 from_port = 1
 protocol = "tcp"
 security_group_id = aws_security_group.masters-minimal-example-com.id
@@ -525,7 +543,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-1to237
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" {
+resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-2382to4000-masters-minimal-example-com" {
 from_port = 2382
 protocol = "tcp"
 security_group_id = aws_security_group.masters-minimal-example-com.id
@@ -534,7 +552,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-2382to
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" {
+resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-tcp-4003to65535-masters-minimal-example-com" {
 from_port = 4003
 protocol = "tcp"
 security_group_id = aws_security_group.masters-minimal-example-com.id
@@ -543,7 +561,7 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-tcp-4003to
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" {
+resource "aws_security_group_rule" "from-nodes-minimal-example-com-ingress-udp-1to65535-masters-minimal-example-com" {
 from_port = 1
 protocol = "udp"
 security_group_id = aws_security_group.masters-minimal-example-com.id
@@ -552,24 +570,6 @@ resource "aws_security_group_rule" "nodes-minimal-example-com-ingress-udp-1to655
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.masters-minimal-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.nodes-minimal-example-com.id
- to_port = 22
- type = "ingress"
-}
-
 resource "aws_security_group" "masters-minimal-example-com" {
 description = "Security group for masters"
 name = "masters.minimal.example.com"
diff --git a/tests/integration/update_cluster/shared_subnet/kubernetes.tf b/tests/integration/update_cluster/shared_subnet/kubernetes.tf
index f1aeda53f6..8a19201dce 100644
--- a/tests/integration/update_cluster/shared_subnet/kubernetes.tf
+++ b/tests/integration/update_cluster/shared_subnet/kubernetes.tf
@@ -395,7 +395,25 @@ resource "aws_launch_template" "nodes-sharedsubnet-example-com" {
 user_data = filebase64("${path.module}/data/aws_launch_template_nodes.sharedsubnet.example.com_user_data")
 }
 
-resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-sharedsubnet-example-com" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-sharedsubnet-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-sharedsubnet-example-com" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.nodes-sharedsubnet-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-sharedsubnet-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 443
 protocol = "tcp"
@@ -404,7 +422,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" {
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "masters-sharedsubnet-example-com-egress-all-0to0-0-0-0-0--0" {
+resource "aws_security_group_rule" "from-masters-sharedsubnet-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
 protocol = "-1"
@@ -413,7 +431,7 @@ resource "aws_security_group_rule" "masters-sharedsubnet-example-com-egress-all-
 type = "egress"
 }
 
-resource "aws_security_group_rule" "masters-sharedsubnet-example-com-ingress-all-0to0-masters-sharedsubnet-example-com" {
+resource "aws_security_group_rule" "from-masters-sharedsubnet-example-com-ingress-all-0to0-masters-sharedsubnet-example-com" {
 from_port = 0
 protocol = "-1"
 security_group_id = aws_security_group.masters-sharedsubnet-example-com.id
@@ -422,7 +440,7 @@ resource "aws_security_group_rule" "masters-sharedsubnet-example-com-ingress-all
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "masters-sharedsubnet-example-com-ingress-all-0to0-nodes-sharedsubnet-example-com" {
+resource "aws_security_group_rule" "from-masters-sharedsubnet-example-com-ingress-all-0to0-nodes-sharedsubnet-example-com" {
 from_port = 0
 protocol = "-1"
 security_group_id = aws_security_group.nodes-sharedsubnet-example-com.id
@@ -431,7 +449,7 @@ resource "aws_security_group_rule" "masters-sharedsubnet-example-com-ingress-all
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-egress-all-0to0-0-0-0-0--0" {
+resource "aws_security_group_rule" "from-nodes-sharedsubnet-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
 protocol = "-1"
@@ -440,7 +458,7 @@ resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-egress-all-0t
 type = "egress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-all-0to0-nodes-sharedsubnet-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedsubnet-example-com-ingress-all-0to0-nodes-sharedsubnet-example-com" {
 from_port = 0
 protocol = "-1"
 security_group_id = aws_security_group.nodes-sharedsubnet-example-com.id
@@ -449,7 +467,7 @@ resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-all-0
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-tcp-1to2379-masters-sharedsubnet-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedsubnet-example-com-ingress-tcp-1to2379-masters-sharedsubnet-example-com" {
 from_port = 1
 protocol = "tcp"
 security_group_id = aws_security_group.masters-sharedsubnet-example-com.id
@@ -458,7 +476,7 @@ resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-tcp-1
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-tcp-2382to4000-masters-sharedsubnet-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedsubnet-example-com-ingress-tcp-2382to4000-masters-sharedsubnet-example-com" {
 from_port = 2382
 protocol = "tcp"
 security_group_id = aws_security_group.masters-sharedsubnet-example-com.id
@@ -467,7 +485,7 @@ resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-tcp-2
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-tcp-4003to65535-masters-sharedsubnet-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedsubnet-example-com-ingress-tcp-4003to65535-masters-sharedsubnet-example-com" {
 from_port = 4003
 protocol = "tcp"
 security_group_id = aws_security_group.masters-sharedsubnet-example-com.id
@@ -476,7 +494,7 @@ resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-tcp-4
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-udp-1to65535-masters-sharedsubnet-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedsubnet-example-com-ingress-udp-1to65535-masters-sharedsubnet-example-com" {
 from_port = 1
 protocol = "udp"
 security_group_id = aws_security_group.masters-sharedsubnet-example-com.id
@@ -485,24 +503,6 @@ resource "aws_security_group_rule" "nodes-sharedsubnet-example-com-ingress-udp-1
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.masters-sharedsubnet-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.nodes-sharedsubnet-example-com.id
- to_port = 22
- type = "ingress"
-}
-
 resource "aws_security_group" "masters-sharedsubnet-example-com" {
 description = "Security group for masters"
 name = "masters.sharedsubnet.example.com"
diff --git a/tests/integration/update_cluster/shared_vpc/kubernetes.tf b/tests/integration/update_cluster/shared_vpc/kubernetes.tf
index a845dce585..444f0846f1 100644
--- a/tests/integration/update_cluster/shared_vpc/kubernetes.tf
+++ b/tests/integration/update_cluster/shared_vpc/kubernetes.tf
@@ -416,7 +416,25 @@ resource "aws_route" "route-0-0-0-0--0" {
 route_table_id = aws_route_table.sharedvpc-example-com.id
 }
 
-resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-masters-sharedvpc-example-com" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-sharedvpc-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-nodes-sharedvpc-example-com" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.nodes-sharedvpc-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-masters-sharedvpc-example-com" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 443
 protocol = "tcp"
@@ -425,7 +443,7 @@ resource "aws_security_group_rule" "https-external-to-master-0-0-0-0--0" {
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "masters-sharedvpc-example-com-egress-all-0to0-0-0-0-0--0" {
+resource "aws_security_group_rule" "from-masters-sharedvpc-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
 protocol = "-1"
@@ -434,7 +452,7 @@ resource "aws_security_group_rule" "masters-sharedvpc-example-com-egress-all-0to
 type = "egress"
 }
 
-resource "aws_security_group_rule" "masters-sharedvpc-example-com-ingress-all-0to0-masters-sharedvpc-example-com" {
+resource "aws_security_group_rule" "from-masters-sharedvpc-example-com-ingress-all-0to0-masters-sharedvpc-example-com" {
 from_port = 0
 protocol = "-1"
 security_group_id = aws_security_group.masters-sharedvpc-example-com.id
@@ -443,7 +461,7 @@ resource "aws_security_group_rule" "masters-sharedvpc-example-com-ingress-all-0t
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "masters-sharedvpc-example-com-ingress-all-0to0-nodes-sharedvpc-example-com" {
+resource "aws_security_group_rule" "from-masters-sharedvpc-example-com-ingress-all-0to0-nodes-sharedvpc-example-com" {
 from_port = 0
 protocol = "-1"
 security_group_id = aws_security_group.nodes-sharedvpc-example-com.id
@@ -452,7 +470,7 @@ resource "aws_security_group_rule" "masters-sharedvpc-example-com-ingress-all-0t
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedvpc-example-com-egress-all-0to0-0-0-0-0--0" {
+resource "aws_security_group_rule" "from-nodes-sharedvpc-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
 protocol = "-1"
@@ -461,7 +479,7 @@ resource "aws_security_group_rule" "nodes-sharedvpc-example-com-egress-all-0to0-
 type = "egress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-all-0to0-nodes-sharedvpc-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedvpc-example-com-ingress-all-0to0-nodes-sharedvpc-example-com" {
 from_port = 0
 protocol = "-1"
 security_group_id = aws_security_group.nodes-sharedvpc-example-com.id
@@ -470,7 +488,7 @@ resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-all-0to0
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-tcp-1to2379-masters-sharedvpc-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedvpc-example-com-ingress-tcp-1to2379-masters-sharedvpc-example-com" {
 from_port = 1
 protocol = "tcp"
 security_group_id = aws_security_group.masters-sharedvpc-example-com.id
@@ -479,7 +497,7 @@ resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-tcp-1to2
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-tcp-2382to4000-masters-sharedvpc-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedvpc-example-com-ingress-tcp-2382to4000-masters-sharedvpc-example-com" {
 from_port = 2382
 protocol = "tcp"
 security_group_id = aws_security_group.masters-sharedvpc-example-com.id
@@ -488,7 +506,7 @@ resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-tcp-2382
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-tcp-4003to65535-masters-sharedvpc-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedvpc-example-com-ingress-tcp-4003to65535-masters-sharedvpc-example-com" {
 from_port = 4003
 protocol = "tcp"
 security_group_id = aws_security_group.masters-sharedvpc-example-com.id
@@ -497,7 +515,7 @@ resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-tcp-4003
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-udp-1to65535-masters-sharedvpc-example-com" {
+resource "aws_security_group_rule" "from-nodes-sharedvpc-example-com-ingress-udp-1to65535-masters-sharedvpc-example-com" {
 from_port = 1
 protocol = "udp"
 security_group_id = aws_security_group.masters-sharedvpc-example-com.id
@@ -506,24 +524,6 @@ resource "aws_security_group_rule" "nodes-sharedvpc-example-com-ingress-udp-1to6
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "ssh-external-to-master-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.masters-sharedvpc-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "ssh-external-to-node-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.nodes-sharedvpc-example-com.id
- to_port = 22
- type = "ingress"
-}
-
 resource "aws_security_group" "masters-sharedvpc-example-com" {
 description = "Security group for masters"
 name = "masters.sharedvpc.example.com"
diff --git a/tests/integration/update_cluster/unmanaged/kubernetes.tf b/tests/integration/update_cluster/unmanaged/kubernetes.tf
index 46a9f8316e..571f4a326d 100644
--- a/tests/integration/update_cluster/unmanaged/kubernetes.tf
+++ b/tests/integration/update_cluster/unmanaged/kubernetes.tf
@@ -623,7 +623,25 @@ resource "aws_route53_record" "api-unmanaged-example-com" {
 zone_id = "/hostedzone/Z1AFAKE1ZON3YO"
 }
 
-resource "aws_security_group_rule" "api-elb-egress" {
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-22to22-bastion-elb-unmanaged-example-com" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb-unmanaged-example-com" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = aws_security_group.api-elb-unmanaged-example-com.id
+ to_port = 443
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-api-elb-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
 protocol = "-1"
@@ -632,16 +650,7 @@ resource "aws_security_group_rule" "api-elb-egress" {
 type = "egress"
 }
 
-resource "aws_security_group_rule" "bastion-egress" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
- to_port = 0
- type = "egress"
-}
-
-resource "aws_security_group_rule" "bastion-elb-egress" {
+resource "aws_security_group_rule" "from-bastion-elb-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
 protocol = "-1"
@@ -650,7 +659,25 @@ resource "aws_security_group_rule" "bastion-elb-egress" {
 type = "egress"
 }
 
-resource "aws_security_group_rule" "bastion-to-master-ssh" {
+resource "aws_security_group_rule" "from-bastion-elb-unmanaged-example-com-ingress-tcp-22to22-bastion-unmanaged-example-com" {
+ from_port = 22
+ protocol = "tcp"
+ security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
+ to_port = 22
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-bastion-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.bastion-unmanaged-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-bastion-unmanaged-example-com-ingress-tcp-22to22-masters-unmanaged-example-com" {
 from_port = 22
 protocol = "tcp"
 security_group_id = aws_security_group.masters-unmanaged-example-com.id
@@ -659,7 +686,7 @@ resource "aws_security_group_rule" "bastion-to-master-ssh" {
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "bastion-to-node-ssh" {
+resource "aws_security_group_rule" "from-bastion-unmanaged-example-com-ingress-tcp-22to22-nodes-unmanaged-example-com" {
 from_port = 22
 protocol = "tcp"
 security_group_id = aws_security_group.nodes-unmanaged-example-com.id
@@ -668,13 +695,85 @@ resource "aws_security_group_rule" "bastion-to-node-ssh" {
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "https-api-elb-0-0-0-0--0" {
+resource "aws_security_group_rule" "from-masters-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
 cidr_blocks = ["0.0.0.0/0"]
- from_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.api-elb-unmanaged-example-com.id
- to_port = 443
- type = "ingress"
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-masters-unmanaged-example-com-ingress-all-0to0-masters-unmanaged-example-com" {
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ to_port = 0
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-masters-unmanaged-example-com-ingress-all-0to0-nodes-unmanaged-example-com" {
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ to_port = 0
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-nodes-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
+ cidr_blocks = ["0.0.0.0/0"]
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ to_port = 0
+ type = "egress"
+}
+
+resource "aws_security_group_rule" "from-nodes-unmanaged-example-com-ingress-all-0to0-nodes-unmanaged-example-com" {
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ to_port = 0
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-nodes-unmanaged-example-com-ingress-tcp-1to2379-masters-unmanaged-example-com" {
+ from_port = 1
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ to_port = 2379
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-nodes-unmanaged-example-com-ingress-tcp-2382to4000-masters-unmanaged-example-com" {
+ from_port = 2382
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ to_port = 4000
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-nodes-unmanaged-example-com-ingress-tcp-4003to65535-masters-unmanaged-example-com" {
+ from_port = 4003
+ protocol = "tcp"
+ security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ to_port = 65535
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "from-nodes-unmanaged-example-com-ingress-udp-1to65535-masters-unmanaged-example-com" {
+ from_port = 1
+ protocol = "udp"
+ security_group_id = aws_security_group.masters-unmanaged-example-com.id
+ source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
+ to_port = 65535
+ type = "ingress"
 }
 
 resource "aws_security_group_rule" "https-elb-to-master" {
@@ -695,105 +794,6 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
 type = "ingress"
 }
 
-resource "aws_security_group_rule" "masters-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.masters-unmanaged-example-com.id
- to_port = 0
- type = "egress"
-}
-
-resource "aws_security_group_rule" "masters-unmanaged-example-com-ingress-all-0to0-masters-unmanaged-example-com" {
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.masters-unmanaged-example-com.id
- source_security_group_id = aws_security_group.masters-unmanaged-example-com.id
- to_port = 0
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "masters-unmanaged-example-com-ingress-all-0to0-nodes-unmanaged-example-com" {
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- source_security_group_id = aws_security_group.masters-unmanaged-example-com.id
- to_port = 0
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "nodes-unmanaged-example-com-egress-all-0to0-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- to_port = 0
- type = "egress"
-}
-
-resource "aws_security_group_rule" "nodes-unmanaged-example-com-ingress-all-0to0-nodes-unmanaged-example-com" {
- from_port = 0
- protocol = "-1"
- security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- to_port = 0
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "nodes-unmanaged-example-com-ingress-tcp-1to2379-masters-unmanaged-example-com" {
- from_port = 1
- protocol = "tcp"
- security_group_id = aws_security_group.masters-unmanaged-example-com.id
- source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- to_port = 2379
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "nodes-unmanaged-example-com-ingress-tcp-2382to4000-masters-unmanaged-example-com" {
- from_port = 2382
- protocol = "tcp"
- security_group_id = aws_security_group.masters-unmanaged-example-com.id
- source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- to_port = 4000
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "nodes-unmanaged-example-com-ingress-tcp-4003to65535-masters-unmanaged-example-com" {
- from_port = 4003
- protocol = "tcp"
- security_group_id = aws_security_group.masters-unmanaged-example-com.id
- source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- to_port = 65535
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "nodes-unmanaged-example-com-ingress-udp-1to65535-masters-unmanaged-example-com" {
- from_port = 1
- protocol = "udp"
- security_group_id = aws_security_group.masters-unmanaged-example-com.id
- source_security_group_id = aws_security_group.nodes-unmanaged-example-com.id
- to_port = 65535
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "ssh-elb-to-bastion" {
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.bastion-unmanaged-example-com.id
- source_security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
- to_port = 22
- type = "ingress"
-}
-
-resource "aws_security_group_rule" "ssh-external-to-bastion-elb-0-0-0-0--0" {
- cidr_blocks = ["0.0.0.0/0"]
- from_port = 22
- protocol = "tcp"
- security_group_id = aws_security_group.bastion-elb-unmanaged-example-com.id
- to_port = 22
- type = "ingress"
-}
-
 resource "aws_security_group" "api-elb-unmanaged-example-com" {
 description = "Security group for api ELB"
 name = "api-elb.unmanaged.example.com"