Closed vmarlier closed 2 years ago
Hello, you can indeed change the enable default security in a security group: https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/instance_security_group
Security groups in Kapsule will soon be replaced by VPC. In the meantime, I would suggest using a data source to get the security group of your Kubernetes cluster from Terraform: https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/data-sources/instance_security_group
Basically, the name is by default `kubernetes $CLUSTERID`. From there you can import your security group with an explicit resource:
```hcl
resource "scaleway_k8s_cluster" "foobar" {
  name    = "foobar"
  version = "1.19.4"
  cni     = "cilium"
}

resource "scaleway_k8s_pool" "foobar" {
  cluster_id          = scaleway_k8s_cluster.foobar.id
  node_type           = "GP1-XS"
  name                = "pool-kind-noyce"
  size                = 1
  wait_for_pool_ready = true
  autohealing         = false
}

# The cluster ID is "<region>/<id>"; strip the region prefix to get the
# default security group name "kubernetes <id>".
output "security_group" {
  value = "kubernetes ${replace(scaleway_k8s_cluster.foobar.id, format("%s/", scaleway_k8s_cluster.foobar.region), "")}"
}
```
Hi, @remyleone VPCs are now available but I don't understand how they help solve this issue. I haven't seen any setting related to email sending in VPCs.
Can you provide an example of how to terraform a k8s cluster that can send emails?
Another option that seems available is to create a custom instance security group with the proper settings, but I can't tell the k8s pool instances to use it.
@jeantil I am facing the same issue!
@remyleone can this one be revisited? Or are we missing something?
For now I am using a hidden workaround found in a discussion (either on an issue here or in the community Slack): the name of the security group is computed in a deterministic manner. It can be created/updated from Terraform, and there it is possible to control the SMTP security.
```hcl
resource "scaleway_k8s_cluster" "k8s" {
  name                        = "k8s"
  version                     = "1.28.2"
  cni                         = "cilium"
  delete_additional_resources = false
}

resource "scaleway_instance_security_group" "security-group" {
  name                    = "kubernetes ${replace(scaleway_k8s_cluster.k8s.id, format("%s/", scaleway_k8s_cluster.k8s.region), "")}"
  enable_default_security = false # enable SMTP
}
```
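A read-only way to verify the result of the workaround above, as an added example that is not code from this thread or from the provider project: it combines the data source suggested earlier with the deterministic group name and a Terraform `check` block. The variable `allow_smtp`, the local `kapsule_sg_name` and the check name are hypothetical; it assumes Terraform 1.5 or later, a security group in the provider's default zone, and that the data source exports `enable_default_security` as the resource does.

```hcl
# Added example; allow_smtp, kapsule_sg_name and the check name are illustrative.
terraform {
  required_version = ">= 1.5" # check blocks need Terraform 1.5 or later
  required_providers {
    scaleway = {
      source = "scaleway/scaleway"
    }
  }
}

# Same cluster definition as in the workaround above.
resource "scaleway_k8s_cluster" "k8s" {
  name                        = "k8s"
  version                     = "1.28.2"
  cni                         = "cilium"
  delete_additional_resources = false
}

locals {
  # The cluster ID is "<region>/<id>"; the group name uses the ID without the region.
  kapsule_sg_name = "kubernetes ${replace(scaleway_k8s_cluster.k8s.id, format("%s/", scaleway_k8s_cluster.k8s.region), "")}"
}

# Intent, stated once: should the cluster nodes be allowed to send SMTP?
variable "allow_smtp" {
  type    = bool
  default = false
}

check "kapsule_smtp_policy" {
  # Scoped data source: a read-only lookup of the group by its computed name.
  # A failed lookup surfaces as a warning instead of aborting the run.
  data "scaleway_instance_security_group" "kapsule" {
    name = local.kapsule_sg_name
  }

  assert {
    # enable_default_security = false is the setting that allows SMTP.
    condition     = data.scaleway_instance_security_group.kapsule.enable_default_security == !var.allow_smtp
    error_message = "Security group '${local.kapsule_sg_name}' does not match the intended SMTP policy (allow_smtp = ${var.allow_smtp})."
  }
}
```

Because the check only reads the group, it reports drift in either direction (SMTP opened when it should be blocked, or blocked when it should be open) on every plan without taking ownership of the group.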
Description
My case: I create a kapsule cluster and I want to allow smtp ports. Although I add security_groups_rules, it doesn't work. I need to update the "enable_default_security" field to false. I cannot do this through Terraform because the Security Group is not created by Terraform but by the Kapsule cluster.
Permit to update the field "enable_default_security" on an existing SG.