AWS: Don't expose SSH debugging ports on the LB

Nils Hanke 2022-11-07 09:54:04 +01:00 committed by Nils Hanke
parent fa6dfdff4f
commit 759c626e0f


@ -20,7 +20,6 @@ locals {
uid = random_id.uid.hex uid = random_id.uid.hex
name = "${var.name}-${local.uid}" name = "${var.name}-${local.uid}"
ports_node_range = "30000-32767" ports_node_range = "30000-32767"
ports_ssh = "22"
ports_kubernetes = "6443" ports_kubernetes = "6443"
ports_bootstrapper = "9000" ports_bootstrapper = "9000"
ports_konnectivity = "8132" ports_konnectivity = "8132"
@ -89,18 +88,6 @@ resource "aws_security_group" "security_group" {
description = "K8s node ports" description = "K8s node ports"
} }
# TODO: Remove when development is more advanced
dynamic "ingress" {
for_each = var.debug ? [1] : []
content {
from_port = local.ports_ssh
to_port = local.ports_ssh
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "SSH"
}
}
ingress { ingress {
from_port = local.ports_bootstrapper from_port = local.ports_bootstrapper
to_port = local.ports_bootstrapper to_port = local.ports_bootstrapper
@ -203,18 +190,6 @@ module "load_balancer_target_konnectivity" {
healthcheck_protocol = "TCP" healthcheck_protocol = "TCP"
} }
# TODO: Remove when development is more advanced
module "load_balancer_target_ssh" {
count = var.debug ? 1 : 0 // only deploy SSH in debug mode
source = "./modules/load_balancer_target"
name = "${local.name}-ssh"
vpc_id = aws_vpc.vpc.id
lb_arn = aws_lb.front_end.arn
port = local.ports_ssh
tags = local.tags
healthcheck_protocol = "TCP"
}
module "instance_group_control_plane" { module "instance_group_control_plane" {
source = "./modules/instance_group" source = "./modules/instance_group"
name = local.name name = local.name
@ -230,8 +205,7 @@ module "instance_group_control_plane" {
module.load_balancer_target_kubernetes.target_group_arn, module.load_balancer_target_kubernetes.target_group_arn,
module.load_balancer_target_verify.target_group_arn, module.load_balancer_target_verify.target_group_arn,
module.load_balancer_target_konnectivity.target_group_arn, module.load_balancer_target_konnectivity.target_group_arn,
var.debug ? [module.load_balancer_target_debugd[0].target_group_arn, var.debug ? [module.load_balancer_target_debugd[0].target_group_arn] : [],
module.load_balancer_target_ssh[0].target_group_arn] : [],
]) ])
security_groups = [aws_security_group.security_group.id] security_groups = [aws_security_group.security_group.id]
subnetwork = module.public_private_subnet.private_subnet_id subnetwork = module.public_private_subnet.private_subnet_id
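Review bot: The new side of the last hunk still attaches a debug-only target, `var.debug ? [module.load_balancer_target_debugd[0].target_group_arn] : []`, to the same front-end load balancer the SSH target is being removed from, and the security-group ingress for that debugd port is outside these hunks, so its CIDR cannot be checked here. Given that the SSH rule removed in the second hunk was open to `0.0.0.0/0`, it is worth confirming the debugd rule is not equally wide and, if a debug listener must stay, gating its ingress on an operator CIDR variable rather than the whole internet. The removed blocks carried `# TODO: Remove when development is more advanced`; I would keep that marker on the remaining debugd wiring so the last debug exposure does not outlive development. Dropping `ports_ssh` from `locals` in the first hunk is only safe if no other file in this module references `local.ports_ssh`; a `terraform validate` run would confirm that. The `module "instance_group_control_plane"` block continues past the end of the hunk.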