Remove autoscaler permissions from worker role (cloudposse#34)

DreamLab · Sep 18, 2020 · 6d012b4 · 6d012b4
1 parent cab5114
commit 6d012b4
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -177,7 +177,7 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.13.0 |
+| terraform | >= 0.13.3 |
 | aws | >= 3.0 |
 | local | >= 1.3 |
 | random | >= 2.0 |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -3,7 +3,7 @@
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.13.0 |
+| terraform | >= 0.13.3 |
 | aws | >= 3.0 |
 | local | >= 1.3 |
 | random | >= 2.0 |

diff --git a/main.tf b/main.tf
@@ -58,6 +58,7 @@ data "aws_eks_cluster" "this" {
 
 # Support keeping 2 node groups in sync by extracting common variable settings
 locals {
+  ng_needs_remote_access = local.have_ssh_key && ! local.use_launch_template
   ng = {
     cluster_name    = var.cluster_name
     node_role_arn   = join("", aws_iam_role.default.*.arn)
@@ -78,9 +79,9 @@ locals {
     }
 
     # Configure remote access via Launch Template if we are using one
-    need_remote_access        = local.have_ssh_key && ! local.use_launch_template
-    ec2_ssh_key               = var.ec2_ssh_key
-    source_security_group_ids = var.source_security_group_ids
+    need_remote_access        = local.ng_needs_remote_access
+    ec2_ssh_key               = local.have_ssh_key ? var.ec2_ssh_key : "none"
+    source_security_group_ids = local.ng_needs_remote_access ? var.source_security_group_ids : []
   }
 }
 
@@ -103,7 +104,12 @@ resource "random_pet" "cbd" {
     ec2_ssh_key        = local.ng.need_remote_access ? local.ng.ec2_ssh_key : "handled by launch template"
     # Any change in security groups requires a new node group, because you cannot delete a security group while it is in use
     # and it will not automatically disassociate itself from instances or network interfaces.
-    source_security_group_ids = join(",", local.ng.source_security_group_ids, local.launch_template_vpc_security_group_ids)
+    #
+    # TODO: Once https://github.com/hashicorp/terraform/issues/25631 is fixed,
+    #       actually track security groups by using
+    #       source_security_group_ids = join(",", local.ng.source_security_group_ids, aws_security_group.remote_access.*.id)
+    #
+    source_security_group_ids = local.need_remote_access_sg ? "generated for launch template" : join(",", local.ng.source_security_group_ids)
 
     launch_template_id = local.use_launch_template ? local.launch_template_id : "none"
   }
@@ -167,6 +173,7 @@ resource "aws_eks_node_group" "default" {
     aws_iam_role_policy_attachment.amazon_eks_worker_node_autoscale_policy,
     aws_iam_role_policy_attachment.amazon_eks_cni_policy,
     aws_iam_role_policy_attachment.amazon_ec2_container_registry_read_only,
+    aws_security_group.remote_access,
     # Also allow calling module to create an explicit dependency
     # This is useful in conjunction with terraform-aws-eks-cluster to ensure
     # the cluster is fully created and configured before creating any node groups
@@ -227,6 +234,7 @@ resource "aws_eks_node_group" "cbd" {
     aws_iam_role_policy_attachment.amazon_eks_worker_node_autoscale_policy,
     aws_iam_role_policy_attachment.amazon_eks_cni_policy,
     aws_iam_role_policy_attachment.amazon_ec2_container_registry_read_only,
+    aws_security_group.remote_access,
     # Also allow calling module to create an explicit dependency
     # This is useful in conjunction with terraform-aws-eks-cluster to ensure
     # the cluster is fully created and configured before creating any node groups

diff --git a/security-group.tf b/security-group.tf
@@ -1,11 +1,15 @@
 # https://docs.aws.amazon.com/eks/latest/APIReference/API_RemoteAccessConfig.html
 
+locals {
+  sg_name = format("%v%v%v", module.label.id, module.label.delimiter, "remoteAccess")
+}
+
 resource "aws_security_group" "remote_access" {
   count       = local.need_remote_access_sg ? 1 : 0
-  name        = format("%v%v%v", module.label.id, module.label.delimiter, "remoteAccess")
+  name        = local.sg_name
   description = "Allow SSH access to all nodes in the nodeGroup"
   vpc_id      = data.aws_eks_cluster.this[0].vpc_config[0].vpc_id
-  tags        = module.label.tags
+  tags        = merge(module.label.tags, { "Name" = local.sg_name })
 }
 
 resource "aws_security_group_rule" "remote_access_public_ssh" {

diff --git a/versions.tf b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 0.13.3"
 
   required_providers {
     aws      = ">= 3.0"