Merge pull request #8 from 3scale-ops/fix/worker-security-group

3scale-robot · web-flow · commit 0151cf3478fc · 2024-08-05T17:38:15.000+02:00
Make creation of Vault's AppRole optional
diff --git a/hosted-cluster.tf b/hosted-cluster.tf
@@ -39,10 +39,6 @@ data "template_file" "helm_values" {
     "worker_autoscaling" : var.worker_autoscaling
     "managedClusterSet" : var.managedclusterset
     "managedClusterExtraLabels" : var.managedcluster_extra_labels
-    "vault" : {
-      "roleID" : vault_approle_auth_backend_role.this.role_id
-      "secretID" : vault_approle_auth_backend_role_secret_id.this.secret_id
-    }
   })
 }
 
@@ -84,6 +80,22 @@ resource "helm_release" "hosted_cluster" {
     }
   }
 
+    dynamic "set" {
+    for_each = (var.deploy_vault_app_role ? ["apply"] : [])
+    content {
+      name  = "vault.roleID"
+      value = vault_approle_auth_backend_role.this[0].role_id
+    }
+  }
+
+  dynamic "set" {
+    for_each = (var.deploy_vault_app_role ? ["apply"] : [])
+    content {
+      name = "vault.secretID"
+      value = vault_approle_auth_backend_role_secret_id.this[0].secret_id
+    }
+  }
+
   timeout = 900
 
   depends_on = [
diff --git a/hosted-cluster/templates/vault-approle-secret.yaml b/hosted-cluster/templates/vault-approle-secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.vault }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ type: Opaque
 stringData:
   "role_id": {{ .Values.vault.roleID }}
   "secret_id": {{ .Values.vault.secretID }}
+{{ end }}
diff --git a/security_group.tf b/security_group.tf
@@ -7,18 +7,14 @@ resource "aws_security_group" "worker" {
   name        = format("%s-worker-sg", local.name)
   description = "worker security group"
   vpc_id      = var.vpc_id
-  tags = {
-    Name                                           = format("%s-worker-sg", local.name)
-    format("kubernetes.io/cluster/%s", local.name) = "owned"
-  }
 
-  lifecycle {
-    ignore_changes = [
-      # Ignore changes ingress rules, as they will be modified
-      # by openshift controllers
-      ingress,
-    ]
-  }
+  # lifecycle {
+  #   ignore_changes = [
+  #     # Ignore changes ingress rules, as they will be modified
+  #     # by openshift controllers
+  #     ingress,
+  #   ]
+  # }
 
   egress {
     cidr_blocks = ["0.0.0.0/0"]
@@ -27,115 +23,4 @@ resource "aws_security_group" "worker" {
     self        = "false"
     to_port     = "0"
   }
-
-  ingress {
-    cidr_blocks = local.cidr_blocks
-    from_port   = "-1"
-    protocol    = "icmp"
-    self        = "false"
-    to_port     = "-1"
-  }
-
-  ingress {
-    cidr_blocks = local.cidr_blocks
-    from_port   = "22"
-    protocol    = "tcp"
-    self        = "false"
-    to_port     = "22"
-  }
-
-  ingress {
-    cidr_blocks = local.cidr_blocks
-    from_port   = "443"
-    protocol    = "tcp"
-    self        = "false"
-    to_port     = "443"
-  }
-
-  ingress {
-    cidr_blocks = local.cidr_blocks
-    from_port   = "443"
-    protocol    = "udp"
-    self        = "false"
-    to_port     = "443"
-  }
-
-  ingress {
-    cidr_blocks = local.cidr_blocks
-    from_port   = "6443"
-    protocol    = "tcp"
-    self        = "false"
-    to_port     = "6443"
-  }
-
-  ingress {
-    cidr_blocks = local.cidr_blocks
-    from_port   = "6443"
-    protocol    = "udp"
-    self        = "false"
-    to_port     = "6443"
-  }
-
-  ingress {
-    from_port = "10250"
-    protocol  = "tcp"
-    self      = "true"
-    to_port   = "10250"
-  }
-
-  ingress {
-    from_port = "30000"
-    protocol  = "tcp"
-    self      = "true"
-    to_port   = "32767"
-  }
-
-  ingress {
-    from_port = "30000"
-    protocol  = "udp"
-    self      = "true"
-    to_port   = "32767"
-  }
-
-  ingress {
-    from_port = "4500"
-    protocol  = "udp"
-    self      = "true"
-    to_port   = "4500"
-  }
-
-  ingress {
-    from_port = "4789"
-    protocol  = "udp"
-    self      = "true"
-    to_port   = "4789"
-  }
-
-  ingress {
-    from_port = "500"
-    protocol  = "udp"
-    self      = "true"
-    to_port   = "500"
-  }
-
-  ingress {
-    from_port = "6081"
-    protocol  = "udp"
-    self      = "true"
-    to_port   = "6081"
-  }
-
-  ingress {
-    from_port = "9000"
-    protocol  = "tcp"
-    self      = "true"
-    to_port   = "9999"
-  }
-
-  ingress {
-    from_port = "9000"
-    protocol  = "udp"
-    self      = "true"
-    to_port   = "9999"
-  }
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -78,6 +78,11 @@ variable "oauth_endpoint_certificate_secret" {
   default = ""
 }
 
+variable "deploy_vault_app_role" {
+  type = bool
+  default = false
+}
+
 variable "managedclusterset" {
   type    = string
   default = "hypershift"
diff --git a/vault.tf b/vault.tf
@@ -1,5 +1,6 @@
 # AppRole for externalsecrets within the hostedcluster
 resource "vault_policy" "this" {
+  count  = var.deploy_vault_app_role ? 1 : 0
   name   = "${local.name}-vault-approle"
   policy = <<EOT
 path "secret/data/kubernetes/${var.environment}-${var.project}/common/*" {
@@ -12,14 +13,16 @@ EOT
 }
 
 resource "vault_approle_auth_backend_role" "this" {
+  count  = var.deploy_vault_app_role ? 1 : 0
   backend        = "approle"
   role_name      = "${local.name}-vault-approle"
-  token_policies = [vault_policy.this.name]
+  token_policies = [vault_policy.this[count.index].name]
 }
 
 resource "vault_approle_auth_backend_role_secret_id" "this" {
+  count  = var.deploy_vault_app_role ? 1 : 0
   backend   = "approle"
-  role_name = vault_approle_auth_backend_role.this.role_name
+  role_name = vault_approle_auth_backend_role.this[count.index].role_name
 }
 
 # Retrieve GitHub oauth credentials from vault
