Add parameter for skipping default security groups #1416
Does the PR have any schema changes? Found 4 breaking changes: Resources, Types
1061126 to 7955f51
.all([coreSecurityGroupId, args.nodeSecurityGroup?.id, core.nodeSecurityGroupTags]) | ||
.apply(([coreSecurityGroup, nodeSecurityGroup, sgTags]) => { | ||
if (coreSecurityGroup && nodeSecurityGroup) { | ||
if (sgTags && coreSecurityGroup !== nodeSecurityGroup) { |
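Review bot: the outer guard `if (coreSecurityGroup && nodeSecurityGroup)` skips the tag check without any signal when only one of the two values resolves, which is possible because `args.nodeSecurityGroup?.id` can be undefined. If that case is expected, say so in a comment; if it is not, handle it explicitly. The destructured values are IDs, so naming them `coreSecurityGroupId` and `nodeSecurityGroupId` would make it obvious that the `!==` is a string comparison.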
Always suspicious of equality but this looks like it's over string right? Might be OK. Perhaps call the variables "coreSecurityGroupId" or some such.
Yeah it's over string. Noticed that it was comparing Output<string> before..
nodejs/eks/cluster.ts
Outdated
// apply the tags to the cluster security group if it was created by EKS | ||
if (!eksClusterSecurityGroup) { | ||
const eksCreatedSgId = eksCluster.vpcConfig.clusterSecurityGroupId; | ||
eksClusterSecurityGroup = aws.ec2.SecurityGroup.get( |
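Review bot: the comment above `if (!eksClusterSecurityGroup)` says tags are applied, but the call that follows is `aws.ec2.SecurityGroup.get(`, which looks up an existing security group and does not change it. Either reword the comment to describe the lookup or point to where the tags are actually set. Since `eksCreatedSgId` comes from `eksCluster.vpcConfig.clusterSecurityGroupId`, it is also worth confirming how the lookup behaves before that ID is known.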
Does this .get work OK for you in light of today's discussion about a possible bug in MLC R.Get?
Yeah, this was before our call. I just pushed a new version
/// See for more details: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html. | ||
/// </summary> | ||
[Input("skipDefaultSecurityGroups")] | ||
public bool? SkipDefaultSecurityGroups { get; set; } |
Weird three-state boolean. true, false, and unknown. Alas, not worth fixing probably.
examples/examples_nodejs_test.go
Outdated
) | ||
|
||
// should return the EKS created security group instead of the default one the provider would create | ||
assert.Equal(t, info.Outputs["eksCreatedSgMng"], info.Outputs["clusterSecurityGroupMng"]) |
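Review bot: the `assert.Equal` comparing `info.Outputs["eksCreatedSgMng"]` with `info.Outputs["clusterSecurityGroupMng"]` also passes when both keys are missing from the outputs, because both map lookups then yield nil. Add a check such as `assert.NotEmpty(t, info.Outputs["eksCreatedSgMng"])` before the comparison so the test fails if the program stops exporting either value.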
Nice
7955f51 to 6e9f619
@@ -17,7 +17,7 @@ export function createNodeGroup( | |||
return new eks.NodeGroup(name, { | |||
cluster: args.cluster, | |||
nodeSecurityGroup: args.cluster.nodeSecurityGroup, | |||
clusterIngressRule: args.cluster.eksClusterIngressRule, | |||
clusterIngressRule: args.cluster.eksClusterIngressRule.apply(rule => rule!), |
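Review bot: `rule => rule!` only silences the type checker; if the cluster was built without its default security groups, `eksClusterIngressRule` resolves to undefined and that value is handed to `eks.NodeGroup` as `clusterIngressRule`. Throw a descriptive error inside the `apply` when `rule` is undefined so the failure names the cause. The same question applies to `nodeSecurityGroup: args.cluster.nodeSecurityGroup` in this hunk if that output is optional as well.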
That's the small breaking change
@t0yv0 @corymhall can you please have another look? I had to change the approach due to the issues with
Very much worth spending time on to extract a repro and link here 🙏 If you are out of capacity send it over to me as I might have some bandwidth.
Fully agreed! I already had a chat with Will about this. I'll try to create a minimal repro tomorrow to further investigate
Pulumi EKS currently always creates a cluster security group and node security group.

- The cluster security group gets assigned to the control plane ENIs in addition to the security group EKS creates (see [AWS Docs](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html)). This security group gets an ingress rule from the node security group.
- The node security group gets assigned to `NodeGroup` and `NodeGroupV2` components that do not specify a custom security group.

Users that either manage the node security themselves or use the `ManagedNodeGroup` component (uses the EKS created SG) do not need those default security groups.

This change adds a flag on the cluster (`skipDefaultSecurityGroups`) that will skip creating those default security groups. Instead.

This introduces a small breaking change, the `clusterSecurityGroup`, `nodeSecurityGroup` and `clusterIngressRule` outputs are now optional. The impact of this should be minimal because users that create custom node groups usually do not use the security groups of the cluster for that. If they do, they need to add a null check.

Fixes #747