From 25b27b495b46694dd1cf425c28b0e7eebbcf80e7 Mon Sep 17 00:00:00 2001 From: rpoluri <38321430+rpoluri@users.noreply.github.com> Date: Tue, 2 Mar 2021 17:16:14 -0600 Subject: [PATCH] Feature/optional load balancers (#187) * disable k8s service load balancers and dns entries when vpc endpoints are disabled * fix * fix * fix * Update variables.tf Co-authored-by: Ken Figueiredo * update VARIABLES.md Co-authored-by: Raj Poluri Co-authored-by: Ken Figueiredo --- CHANGELOG.md | 4 ++++ VARIABLES.md | 2 +- k8s-readonly.tf | 6 +++--- k8s-readwrite.tf | 6 +++--- ouputs.tf | 4 ++-- route53.tf | 6 +++--- variables.tf | 2 +- 7 files changed, 17 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc8ebb1..805e876 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [6.7.6] - 2021-03-02 +### Fixed +- Disable k8s loadbalancer and route53 entries along with vpc endpoint services. + ## [6.7.5] - 2021-03-01 ### Fixed - S3 HTTPS bucket policy requirements are now properly enforced. diff --git a/VARIABLES.md b/VARIABLES.md index c9527cd..7d3063a 100644 --- a/VARIABLES.md +++ b/VARIABLES.md 
@@ -36,7 +36,7 @@ | enable_hive_metastore_metrics | Enable sending Hive Metastore metrics to CloudWatch. | bool | `false` | no | | enable_metadata_events | Enable Hive Metastore SNS listener. | bool | `false` | no | | enable_s3_paid_metrics | Enable managed S3 buckets request and data transfer metrics. | bool | `false` | no | -| enable_vpc_endpoint_services | Enable metastore VPC endpoint services,for cross-account access. | bool | `true` | no | +| enable\_vpc\_endpoint\_services | Enable metastore NLB,Route53 entries VPC access and VPC endpoint services,for cross-account access. | `bool` | `true` | no | | external_data_buckets | Buckets that are not managed by Apiary but added to Hive Metastore IAM role access. | list | `` | no | | external_database_host | External Metastore database host to support legacy installations, MySQL database won't be created by Apiary when this option is specified. | string | `` | no | | hms_docker_image | Docker image ID for the Hive Metastore. | string | - | yes | diff --git a/k8s-readonly.tf b/k8s-readonly.tf index d5b6919..5882880 100644 --- a/k8s-readonly.tf +++ b/k8s-readonly.tf @@ -205,12 +205,12 @@ resource "kubernetes_service" "hms_readonly" { port = 9083 target_port = 9083 } - type = "LoadBalancer" - load_balancer_source_ranges = var.ingress_cidr + type = var.enable_vpc_endpoint_services ? "LoadBalancer" : "ClusterIP" + load_balancer_source_ranges = var.enable_vpc_endpoint_services ? var.ingress_cidr : null } } data "aws_lb" "k8s_hms_ro_lb" { - count = var.hms_instance_type == "k8s" ? 1 : 0 + count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0 name = split("-", split(".", kubernetes_service.hms_readonly.0.load_balancer_ingress.0.hostname).0).0 } diff --git a/k8s-readwrite.tf b/k8s-readwrite.tf index 876127d..63b36eb 100644 --- a/k8s-readwrite.tf +++ b/k8s-readwrite.tf 
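Review bot: Switching the Service to `ClusterIP` silently drops the only source restriction on port 9083: `load_balancer_source_ranges` becomes `null`, so `var.ingress_cidr` is no longer applied and the read-only metastore is reachable from any pod in the cluster unless a NetworkPolicy exists elsewhere in the module (none is visible here). That may be intended for an in-cluster-only deployment, but it deserves a comment on the `type` line, e.g. `# ClusterIP: no NLB; ingress_cidr is not enforced, reachability is governed by cluster network policy`. The `kubernetes_service.hms_readonly` resource starts above the hunk, so any NLB annotations on its metadata are not visible; if they are unconditional they will presumably be ignored on a ClusterIP service but are misleading to readers, so confirm they are gated the same way.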
@@ -241,12 +241,12 @@ resource "kubernetes_service" "hms_readwrite" { port = 9083 target_port = 9083 } - type = "LoadBalancer" - load_balancer_source_ranges = var.ingress_cidr + type = var.enable_vpc_endpoint_services ? "LoadBalancer" : "ClusterIP" + load_balancer_source_ranges = var.enable_vpc_endpoint_services ? var.ingress_cidr : null } } data "aws_lb" "k8s_hms_rw_lb" { - count = var.hms_instance_type == "k8s" ? 1 : 0 + count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0 name = split("-", split(".", kubernetes_service.hms_readwrite.0.load_balancer_ingress.0.hostname).0).0 } diff --git a/ouputs.tf b/ouputs.tf index 00b2e38..5a811df 100644 --- a/ouputs.tf +++ b/ouputs.tf @@ -1,9 +1,9 @@ output "hms_readonly_load_balancers" { - value = var.hms_instance_type == "k8s" ? kubernetes_service.hms_readonly[0].load_balancer_ingress.*.hostname : [] + value = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? kubernetes_service.hms_readonly[0].load_balancer_ingress.*.hostname : [] } output "hms_readwrite_load_balancers" { - value = var.hms_instance_type == "k8s" ? kubernetes_service.hms_readwrite[0].load_balancer_ingress.*.hostname : [] + value = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? kubernetes_service.hms_readwrite[0].load_balancer_ingress.*.hostname : [] } output "managed_database_host" { diff --git a/route53.tf b/route53.tf index 4ca516c..587ef3a 100644 --- a/route53.tf +++ b/route53.tf @@ -31,7 +31,7 @@ resource "aws_route53_record" "hms_readonly_alias" { } resource "aws_route53_zone" "apiary" { - count = var.hms_instance_type == "k8s" ? 1 : 0 + count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0 name = "${local.instance_alias}-${var.aws_region}.${var.ecs_domain_extension}" vpc { 
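Review bot: The read-write service is the one that can mutate the metastore, and with `type = "ClusterIP"` the `var.ingress_cidr` allow-list is no longer applied to it (`load_balancer_source_ranges` is `null`), so every workload in the cluster can reach it unless a NetworkPolicy is defined elsewhere; that trade-off should be stated on the `type` line rather than left implicit. The compound condition `var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services` is now repeated in this file, `k8s-readonly.tf`, `ouputs.tf` and `route53.tf`; a single `locals { k8s_lb_enabled = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services }` referenced everywhere would keep the six `count` expressions and two ternaries from drifting. The enclosing `kubernetes_service.hms_readwrite` block starts above the hunk.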
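Review bot: When `enable_vpc_endpoint_services` is false these outputs become `[]` and nothing else in this diff exposes how to reach the now ClusterIP-only services, so a consumer of the module has no discoverable endpoint; consider an output carrying the in-cluster Service name (the Service's `metadata.name` is outside this diff, so its exact value cannot be confirmed here), or at least a comment on each `value` line such as `# empty when the k8s services are ClusterIP (enable_vpc_endpoint_services = false)`. Separately, the file is named `ouputs.tf`; Terraform loads every `.tf` in the directory so the typo is harmless, but renaming it to `outputs.tf` would make it findable.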
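Review bot: The zone is now created only when `enable_vpc_endpoint_services` is true, but `aws_route53_record.hms_readonly_alias`, whose closing brace opens this hunk, is untouched by the diff; if it references `aws_route53_zone.apiary[0]` or the k8s NLB data sources, its `count` needs the same gate or `terraform plan` will fail on the empty list when the flag is off. Its body lies outside the hunk, so this is inferred from the resource name only and should be checked. A comment on the `count` line explaining why a private VPC-associated zone is tied to the endpoint-services flag, e.g. `# the private zone only has alias targets when the NLBs exist`, would help the next reader.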
@@ -40,7 +40,7 @@ resource "aws_route53_zone" "apiary" { } resource "aws_route53_record" "hms_readwrite" { - count = var.hms_instance_type == "k8s" ? 1 : 0 + count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0 name = "hms-readwrite" zone_id = aws_route53_zone.apiary[0].id @@ -50,7 +50,7 @@ resource "aws_route53_record" "hms_readwrite" { } resource "aws_route53_record" "hms_readonly" { - count = var.hms_instance_type == "k8s" ? 1 : 0 + count = var.hms_instance_type == "k8s" && var.enable_vpc_endpoint_services ? 1 : 0 name = "hms-readonly" zone_id = aws_route53_zone.apiary[0].id diff --git a/variables.tf b/variables.tf index eb1a466..43de14f 100644 --- a/variables.tf +++ b/variables.tf @@ -97,7 +97,7 @@ variable "external_database_host" { } variable "enable_vpc_endpoint_services" { - description = "Enable metastore VPC endpoint services,for cross-account access." + description = "Enable metastore NLB, Route53 entries VPC access and VPC endpoint services, for cross-account access." type = bool default = true }
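Review bot: The new description says the flag now gates the NLBs and Route53 entries, but it omits the security-relevant consequence an operator must know before flipping it: turning it off also removes the `ingress_cidr` source allow-list and reduces the metastore Services to `ClusterIP`. Suggest `description = "Enable metastore NLBs, Route53 entries and VPC endpoint services for cross-account access. When false the k8s services are ClusterIP only and ingress_cidr is not applied."`. One boolean now controls three separate concerns (NLB, DNS, VPC endpoint service); if they ever need to diverge, a separate `enable_load_balancers` variable defaulting to `true` would be a backward-compatible split.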