Feature/optional load balancers (#187)

* disable k8s service load balancers and dns entries when vpc endpoints are disabled * fix * fix * fix * Update variables.tf Co-authored-by: Ken Figueiredo <[email protected]> * update VARIABLES.md Co-authored-by: Raj Poluri <[email protected]> Co-authored-by: Ken Figueiredo <[email protected]>
ExpediaGroup · Mar 2, 2021 · 25b27b4 · 25b27b4
1 parent eae54cf
commit 25b27b4
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [6.7.6] - 2021-03-02
+### Fixed
+- Disable k8s loadbalancer and route53 entries along with vpc endpoint services.
+
 ## [6.7.5] - 2021-03-01
 ### Fixed
 - S3 HTTPS bucket policy requirements are now properly enforced.

diff --git a/VARIABLES.md b/VARIABLES.md
@@ -36,7 +36,7 @@
 | enable_hive_metastore_metrics | Enable sending Hive Metastore metrics to CloudWatch. | bool | `false` | no |
 | enable_metadata_events | Enable Hive Metastore SNS listener. | bool | `false` | no |
 | enable_s3_paid_metrics | Enable managed S3 buckets request and data transfer metrics. | bool | `false` | no |
-| enable_vpc_endpoint_services | Enable metastore VPC endpoint services,for cross-account access. | bool | `true` | no |
+| enable\_vpc\_endpoint\_services | Enable metastore NLB,Route53 entries VPC access and VPC endpoint services,for cross-account access. | `bool` | `true` | no |
 | external_data_buckets | Buckets that are not managed by Apiary but added to Hive Metastore IAM role access. | list | `<list>` | no |
 | external_database_host | External Metastore database host to support legacy installations, MySQL database won't be created by Apiary when this option is specified. | string | `` | no |
 | hms_docker_image | Docker image ID for the Hive Metastore. | string | - | yes |

diff --git a/k8s-readonly.tf b/k8s-readonly.tf
@@ -205,12 +205,12 @@ resource "kubernetes_service" "hms_readonly" {
       port        = 9083
       target_port = 9083
     }
-    type                        = "LoadBalancer"
-    load_balancer_source_ranges = var.ingress_cidr
+    type                        = var.enable_vpc_endpoint_services ? "LoadBalancer" : "ClusterIP"
+    load_balancer_source_ranges = var.enable_vpc_endpoint_services ? var.ingress_cidr : null
   }
 }
 
 data "aws_lb" "k8s_hms_ro_lb" {
-  count = var.hms_instance_type == "k8s" ? 1 : 0
+  count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0
   name  = split("-", split(".", kubernetes_service.hms_readonly.0.load_balancer_ingress.0.hostname).0).0
 }
diff --git a/k8s-readwrite.tf b/k8s-readwrite.tf
@@ -241,12 +241,12 @@ resource "kubernetes_service" "hms_readwrite" {
       port        = 9083
       target_port = 9083
     }
-    type                        = "LoadBalancer"
-    load_balancer_source_ranges = var.ingress_cidr
+    type                        = var.enable_vpc_endpoint_services ? "LoadBalancer" : "ClusterIP"
+    load_balancer_source_ranges = var.enable_vpc_endpoint_services ? var.ingress_cidr : null
   }
 }
 
 data "aws_lb" "k8s_hms_rw_lb" {
-  count = var.hms_instance_type == "k8s" ? 1 : 0
+  count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0
   name  = split("-", split(".", kubernetes_service.hms_readwrite.0.load_balancer_ingress.0.hostname).0).0
 }
diff --git a/ouputs.tf b/ouputs.tf
@@ -1,9 +1,9 @@
 output "hms_readonly_load_balancers" {
-  value = var.hms_instance_type == "k8s" ? kubernetes_service.hms_readonly[0].load_balancer_ingress.*.hostname : []
+  value = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? kubernetes_service.hms_readonly[0].load_balancer_ingress.*.hostname : []
 }
 
 output "hms_readwrite_load_balancers" {
-  value = var.hms_instance_type == "k8s" ? kubernetes_service.hms_readwrite[0].load_balancer_ingress.*.hostname : []
+  value = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? kubernetes_service.hms_readwrite[0].load_balancer_ingress.*.hostname : []
 }
 
 output "managed_database_host" {

diff --git a/route53.tf b/route53.tf
@@ -31,7 +31,7 @@ resource "aws_route53_record" "hms_readonly_alias" {
 }
 
 resource "aws_route53_zone" "apiary" {
-  count = var.hms_instance_type == "k8s" ? 1 : 0
+  count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0
   name  = "${local.instance_alias}-${var.aws_region}.${var.ecs_domain_extension}"
 
   vpc {
@@ -40,7 +40,7 @@ resource "aws_route53_zone" "apiary" {
 }
 
 resource "aws_route53_record" "hms_readwrite" {
-  count = var.hms_instance_type == "k8s" ? 1 : 0
+  count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0
   name  = "hms-readwrite"
 
   zone_id = aws_route53_zone.apiary[0].id
@@ -50,7 +50,7 @@ resource "aws_route53_record" "hms_readwrite" {
 }
 
 resource "aws_route53_record" "hms_readonly" {
-  count = var.hms_instance_type == "k8s" ? 1 : 0
+  count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0
   name  = "hms-readonly"
 
   zone_id = aws_route53_zone.apiary[0].id

diff --git a/variables.tf b/variables.tf
@@ -97,7 +97,7 @@ variable "external_database_host" {
 }
 
 variable "enable_vpc_endpoint_services" {
-  description = "Enable metastore VPC endpoint services,for cross-account access."
+  description = "Enable metastore NLB, Route53 entries VPC access and VPC endpoint services, for cross-account access."
   type        = bool
   default     = true
 }