This message was deleted.
# awss
sparse-intern-71089
08/04/2022, 7:04 PMThis message was deleted.
p
polite-napkin-90098
08/04/2022, 7:19 PMHmmm maybe that's not the complete story.
After the first refresh pulumi wants to remove the rule in the sg added by the eks module (I think) which is
"Allow pods to communicate with the cluster API Server"polite-napkin-90098
08/04/2022, 7:22 PMthe next pulumi refresh removes the rule we deleted with that pulkumi up from the state
polite-napkin-90098
08/04/2022, 7:23 PMand then the next up recreates the rule
l
little-cartoon-10569
08/04/2022, 8:31 PMWhy are you refreshing? And, why is one SG being managed by two pieces of code?
p
polite-napkin-90098
08/08/2022, 4:27 PMI am refreshing to ensure that the infra and state match up, and every time I do so they appear to not match up
polite-napkin-90098
08/08/2022, 4:31 PMAs to the 2 pieces of code, I am creating a security group on line 65 of a typescript program and giving it some ingress and egress rules so I can access my cluster from the ssh jumphost and the CICD system, and then on line 158 I use that group as the value for
clusterSecurityGroup:new eks.clusterpolite-napkin-90098
08/08/2022, 4:32 PMSo I don't really see how I can not do that, unless I just use the default security group which has full internet egress which is something I'd rather control, and it also doesn't have ingress for kubectl commands from the jumphost etc.
l
little-cartoon-10569
08/08/2022, 8:47 PMIf you lock down your target account so that no one except Pulumi has update permissions, then you can skip the refresh step. Refreshing is good for recovering from accidental changes, but typically it is not needed. Refreshing exposes you to the risk of state change due to unimportant changes made by your cloud service. Things like unpredictable ordering (e.g. security group rules, WAF rules), default values and others, which do not affect the normal preview-up-repeat cycle, become potentially destructive and certainly inconvenient problems when you switch to a refresh-preview-up cycle.
To get this working, you need to extend your dev work to include manually refreshing after each dev up then updating your code to match whatever the refresh changed. If refreshing pulls an unimportant default value from the cloud into your state, you need to update your code to match the state, or else Pulumi will try to delete that default value. And removing some default values can be a destructive action, causing a replace rather than an update.
little-cartoon-10569
08/08/2022, 8:52 PMCan you post a link to the definition of
clusterSecurityGrouplittle-cartoon-10569
08/08/2022, 9:01 PMThe EKS module updating your SG is a bit of a problem. Typically I allow access between SGs only (no CIDRs, only source SGs), and this logic prevents that. Is there another way to create the same resources, but without it modifying your SG? Maybe you can use NodeGroupSecurityGroup? Does that allow you to maintain full control over all resources?
p
polite-napkin-90098
08/10/2022, 7:23 PMSo the solution was to let the EKS module create the sg, and then to add rules to it so I could access 443 from my AdminVM with code like
Copy code
// add a rule allowing the AdminVM in to kubectl the cluster
const adminClusterRule = new aws.ec2.SecurityGroupRule("adminClusterRule", {
type: "ingress",
fromPort: 443,
toPort: 443,
protocol: "tcp",
securityGroupId: clusterSecurityGroupId,
sourceSecurityGroupId: adminsg.ids[0],
description: `Allow AdminVM to communicate with the ${nam}-eksCluster API Server`,
});new eks.clusterpolite-napkin-90098
08/10/2022, 7:24 PMI should probably work out a minimal example of this, and post a bug on the EKS module's github, but I'm off to Mt. Blanc tomorrow for 3 weeks, so I don't have the time.
l
little-cartoon-10569
08/10/2022, 9:03 PMI don't think it's a bug, unfortunately. It functions as designed. An alternative design that works better for IaC would be good: this design appears to have been created for console users.
15 Views