From 3250994c95eed489cf2a8b09ca899df37bedf2bf Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Tue, 25 Feb 2020 23:12:19 -0800
Subject: [PATCH] Use a route table with separate (rather than inline) routes

* Allow users to extend the route table using a data reference and adding route resources (e.g. unusual peering setups)
* Note: Internally connecting AWS clusters can reduce cross-cloud flexibility and inhibits blue-green cluster patterns. It is not recommended
---
 CHANGES.md | 1 +
 aws/container-linux/kubernetes/network.tf | 22 ++++++++++++----------
 aws/fedora-coreos/kubernetes/network.tf | 22 ++++++++++++----------
 docs/architecture/aws.md | 17 +++++++++++++++++
 4 files changed, 42 insertions(+), 20 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 251456e3..b39c5602 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -9,6 +9,7 @@ Notable changes between versions.
 #### AWS
 * Fix `worker_node_labels` for setting initial worker node labels on Fedora CoreOS ([#651](https://github.com/poseidon/typhoon/pull/651))
+* Allow VPC route table extension via reference ([#654](https://github.com/poseidon/typhoon/pull/654))
 #### Google Cloud
diff --git a/aws/container-linux/kubernetes/network.tf b/aws/container-linux/kubernetes/network.tf
index a93b3f0c..f8ea0cec 100644
--- a/aws/container-linux/kubernetes/network.tf
+++ b/aws/container-linux/kubernetes/network.tf
@@ -25,21 +25,23 @@ resource "aws_internet_gateway" "gateway" {
 resource "aws_route_table" "default" {
 vpc_id = aws_vpc.network.id
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.gateway.id
- }
-
- route {
- ipv6_cidr_block = "::/0"
- gateway_id = aws_internet_gateway.gateway.id
- }
-
 tags = {
 "Name" = var.cluster_name
 }
 }
+resource "aws_route" "egress-ipv4" {
+ route_table_id = aws_route_table.default.id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.gateway.id
+}
+
+resource "aws_route" "egress-ipv6" {
+ route_table_id = aws_route_table.default.id
+ destination_ipv6_cidr_block = "::/0"
+ gateway_id = aws_internet_gateway.gateway.id
+}
+
 # Subnets (one per availability zone)
 resource "aws_subnet" "public" {
diff --git a/aws/fedora-coreos/kubernetes/network.tf b/aws/fedora-coreos/kubernetes/network.tf
index a93b3f0c..f8ea0cec 100644
--- a/aws/fedora-coreos/kubernetes/network.tf
+++ b/aws/fedora-coreos/kubernetes/network.tf
@@ -25,21 +25,23 @@ resource "aws_internet_gateway" "gateway" {
 resource "aws_route_table" "default" {
 vpc_id = aws_vpc.network.id
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.gateway.id
- }
-
- route {
- ipv6_cidr_block = "::/0"
- gateway_id = aws_internet_gateway.gateway.id
- }
-
 tags = {
 "Name" = var.cluster_name
 }
 }
+resource "aws_route" "egress-ipv4" {
+ route_table_id = aws_route_table.default.id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.gateway.id
+}
+
+resource "aws_route" "egress-ipv6" {
+ route_table_id = aws_route_table.default.id
+ destination_ipv6_cidr_block = "::/0"
+ gateway_id = aws_internet_gateway.gateway.id
+}
+
 # Subnets (one per availability zone)
 resource "aws_subnet" "public" {
diff --git a/docs/architecture/aws.md b/docs/architecture/aws.md
index bdcc6aa1..2edf5085 100644
--- a/docs/architecture/aws.md
+++ b/docs/architecture/aws.md
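Review bot: The `aws_route_table` "default" resource at the top of the hunk now has no inline `route` block, but nothing says the omission is deliberate; if a later edit puts an inline `route` back, Terraform becomes authoritative for the whole table and removes any route a user attached through a `data "aws_route_table"` reference, which is exactly the extension this change is meant to allow. I would add above the resource: `# Routes are standalone aws_route resources (below) so users can extend this table; do not add inline route blocks here, they would overwrite externally-added routes`. For clusters that already exist the apply path is not obvious: the existing default routes presumably stay on the table when the `route` argument is dropped, so creating `aws_route` "egress-ipv4"/"egress-ipv6" for the same destinations may fail or need an import, and the CHANGES.md entry should state what operators must do. The identical hunk in aws/fedora-coreos/kubernetes/network.tf has the same gap. Separately, the new docs example in docs/architecture/aws.md refers to `module.temptest` on one line and `module.tempest` on the next.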
@@ -79,6 +79,23 @@ resource "aws_security_group_rule" "some-app" {
 }
 ```
+## Routes
+
+Add a custom [route](https://www.terraform.io/docs/providers/aws/r/route.html) to the VPC route table.
+
+```tf
+data "aws_route_table" "default" {
+ vpc_id = module.temptest.vpc_id
+ subnet_id = module.tempest.subnet_ids[0]
+}
+
+resource "aws_route" "peering" {
+ route_table_id = data.aws_route_table.default.id
+ destination_cidr_block = "192.168.4.0/24"
+ ...
+}
+```
+
 ## IPv6
 AWS Network Load Balancers do not support `dualstack`.