Closed enekui closed 9 months ago
@enekui Noticed while adding EFS storage for the new monitoring cluster that you have to add the encrypted = true option while creating the EFS resource "aws_efs_file_system" "eks_efs", otherwise the EFS data will be unencrypted.
Yep, but that would require creating a separate KMS key only for EFS. For now, since EFS is not mandatory for this use case, it's more an optional feature that we provide to the user. I'd rather keep it simple. But yes, in the next iteration I will include it for sure. Thanks for spotting this one.
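For reference, an added example (not the module's own code) of the EFS resource from this thread with encryption at rest enabled. The KMS key, alias, creation token and performance mode are assumptions. Note that encrypted = true on its own is enough for encryption at rest: without kms_key_id, EFS uses the AWS-managed key aws/elasticfilesystem, so a dedicated key is only needed when a customer-managed key is wanted.

```hcl
# Added example, not the module's own code: EFS with encryption at rest.
# Everything except the aws_efs_file_system.eks_efs name is an assumption.

# Optional customer-managed key. Drop this resource and the kms_key_id
# argument below to use the AWS-managed key aws/elasticfilesystem instead.
resource "aws_kms_key" "efs" {
  description             = "CMK for EKS EFS storage (example)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "efs" {
  name          = "alias/eks-efs"
  target_key_id = aws_kms_key.efs.key_id
}

resource "aws_efs_file_system" "eks_efs" {
  creation_token   = "eks-efs"
  performance_mode = "generalPurpose"

  # Encryption at rest can only be chosen at creation time. A file system
  # created without this flag stays unencrypted; Terraform will replace
  # the resource (and its data) if the flag is flipped later.
  encrypted  = true
  kms_key_id = aws_kms_key.efs.arn

  tags = {
    Name = "eks-efs"
  }
}
```

Because encrypted forces replacement, adding it to an existing deployment means a new file system and a data migration, which is the practical reason to set it from the first apply.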
Still some references to tower, there's a configmap called kubernetes_config_map_v1.tower_app_configmap
Yep, I know, but it was requested by Paolo. It had all been renamed to Seqera, but yes.
I'm not discussing the use of a configmap, but its name. Do we want to rename it to Seqera platform or something?
It's OK for now. There's a huge number of variables and settings prefixed with "tower". The idea is to keep this as near as possible to the current deployment.
@pditommaso, your approval is required too. :)
Sure, can you please make me a summary of the new settings introduced by this PR and the default value?
MAIN CHANGES:
Added the following new variables:
enable_ec2_instance_ssh_access = true
enable_ec2_instance_kubernetes_api_access = true
ec2_instance_ssh_cidr_blocks = [""]
ec2_instance_kubernetes_api_cidr_blocks = [""]
The above variables do not affect the current use of the module call.
The main improvement is that now it will provide SSH and Kubernetes API access only to the public IP of the module executor.
In case there is a need to extend the IP block that will access these two endpoints, the user can make use of the new parameters:
ec2_instance_ssh_cidr_blocks
ec2_instance_kubernetes_api_cidr_blocks
which will include the CIDR blocks as part of the allowed sources in the EC2 instance security group.
MINOR CHANGES:
Added a set of examples in the examples folder as a requirement for all the Terraform modules.
GENERAL OVERVIEW
New Variables for Access Control:
Public IP Data Source:
Independent Control of SSH and Kubernetes API Ports:
ALB Variable Clean-Up:
Updated Documentation:
Testing and Validation:
Note: The focus of these changes is on security enhancements and stability, providing more control and flexibility in managing SSH and Kubernetes API access to EC2 instances.
Ok, thanks
Description
Added a set of new variables that will default to true to control SSH and Kubernetes API access to the EC2 instance. Added a new data source to conditionally get the public IP of the Terraform module operator. We are manipulating the output to get the clean public IP and pass it as the default allowed CIDR block to the SSH and Kubernetes API ports. Also, there are two new variables to control this just in case it's needed to open the SSH or Kubernetes API ports independently to everyone or to other IPs/CIDR blocks. Removed unrelated leftover variables from the ALB. Updated README.md. Tested the new changes.
Note: This is a small upgrade, but will make a huge difference in how customers take this from a security best practices point of view.
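The access-control mechanism described in the PR summary and in the Description above, as an added example that is not the module's own code: a conditional lookup of the operator's public IP, the /32 of that address used as the default source for the SSH and Kubernetes API ports, and the two CIDR-list variables merged in per port. The variable names are the ones introduced by the PR; the provider versions, the checkip.amazonaws.com lookup, the Kubernetes API port 6443, the vpc_id variable and the security-group and rule names are assumptions.

```hcl
# Added example, not the module's own code. Assumptions: hashicorp/http >= 3.0
# (response_body attribute), hashicorp/aws >= 5.0 (aws_vpc_security_group_ingress_rule),
# an IPv4 egress address for the operator, and Kubernetes API on TCP 6443.

terraform {
  required_providers {
    aws  = { source = "hashicorp/aws", version = ">= 5.0" }
    http = { source = "hashicorp/http", version = ">= 3.0" }
  }
}

variable "enable_ec2_instance_ssh_access" {
  type    = bool
  default = true
}

variable "enable_ec2_instance_kubernetes_api_access" {
  type    = bool
  default = true
}

variable "ec2_instance_ssh_cidr_blocks" {
  type    = list(string)
  default = []
  validation {
    condition     = alltrue([for c in compact(var.ec2_instance_ssh_cidr_blocks) : can(cidrhost(c, 0))])
    error_message = "Every entry must be a valid CIDR block, e.g. 203.0.113.0/24."
  }
}

variable "ec2_instance_kubernetes_api_cidr_blocks" {
  type    = list(string)
  default = []
  validation {
    condition     = alltrue([for c in compact(var.ec2_instance_kubernetes_api_cidr_blocks) : can(cidrhost(c, 0))])
    error_message = "Every entry must be a valid CIDR block, e.g. 203.0.113.0/24."
  }
}

variable "vpc_id" {
  type = string
}

# Look up the operator's public IP only when at least one port is enabled,
# so a deployment with both flags false makes no outbound call at all.
data "http" "operator_public_ip" {
  count = var.enable_ec2_instance_ssh_access || var.enable_ec2_instance_kubernetes_api_access ? 1 : 0
  url   = "https://checkip.amazonaws.com"
}

locals {
  # checkip returns "203.0.113.5\n"; chomp strips the newline and /32 makes it a CIDR.
  operator_cidr = [for r in data.http.operator_public_ip : "${chomp(r.response_body)}/32"]

  # compact() drops empty strings such as the [""] default used by the module;
  # distinct() avoids a duplicate rule when the operator IP is also listed explicitly.
  ssh_cidrs = var.enable_ec2_instance_ssh_access ? distinct(concat(local.operator_cidr, compact(var.ec2_instance_ssh_cidr_blocks))) : []

  kubernetes_api_cidrs = var.enable_ec2_instance_kubernetes_api_access ? distinct(concat(local.operator_cidr, compact(var.ec2_instance_kubernetes_api_cidr_blocks))) : []
}

resource "aws_security_group" "ec2_instance" {
  name        = "ec2-instance-sg"
  description = "SSH and Kubernetes API access for the EC2 instance"
  vpc_id      = var.vpc_id
}

# One rule per CIDR so adding or removing a source only touches that rule.
resource "aws_vpc_security_group_ingress_rule" "ssh" {
  for_each          = toset(local.ssh_cidrs)
  security_group_id = aws_security_group.ec2_instance.id
  description       = "SSH from ${each.value}"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

resource "aws_vpc_security_group_ingress_rule" "kubernetes_api" {
  for_each          = toset(local.kubernetes_api_cidrs)
  security_group_id = aws_security_group.ec2_instance.id
  description       = "Kubernetes API from ${each.value}"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 6443
  to_port           = 6443
}

output "allowed_ssh_cidr_blocks" {
  value = local.ssh_cidrs
}

output "allowed_kubernetes_api_cidr_blocks" {
  value = local.kubernetes_api_cidrs
}
```

Two caveats worth keeping in mind with this pattern: the lookup returns the egress address of wherever terraform runs, so a CI runner behind a NAT or with an ephemeral IP will either allow the whole NAT address or rewrite the rule on every apply; and passing 0.0.0.0/0 in either list opens that port to everyone, which the PR deliberately leaves to the user rather than forbidding.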