From 93ebfc7dd0c5c825648e17ca645da2006eb41528 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Fri, 1 Apr 2022 16:17:54 -0700 Subject: [PATCH] Allow upgrading Azure Terraform Provider to v3.x * Change subnet references to source and destinations prefixes (plural) * Remove references to a resource group in some load balancing components, which no longer require it (inferred) * Rename `worker_address_prefix` output to `worker_address_prefixes` --- CHANGES.md | 5 + azure/fedora-coreos/kubernetes/lb.tf | 12 - azure/fedora-coreos/kubernetes/network.tf | 1 - azure/fedora-coreos/kubernetes/outputs.tf | 6 +- azure/fedora-coreos/kubernetes/security.tf | 408 +++++++++--------- azure/fedora-coreos/kubernetes/versions.tf | 2 +- .../kubernetes/workers/versions.tf | 2 +- azure/flatcar-linux/kubernetes/lb.tf | 12 - azure/flatcar-linux/kubernetes/network.tf | 1 - azure/flatcar-linux/kubernetes/outputs.tf | 6 +- azure/flatcar-linux/kubernetes/security.tf | 408 +++++++++--------- azure/flatcar-linux/kubernetes/versions.tf | 2 +- .../kubernetes/workers/versions.tf | 2 +- docs/architecture/azure.md | 20 +- 14 files changed, 433 insertions(+), 454 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index effe1728..28762bfa 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -4,6 +4,11 @@ Notable changes between versions. ## Latest +### Azure + +* Allow upgrading Azure Terraform provider to v3.x ([#1144](https://github.com/poseidon/typhoon/pull/1144)) +* Rename `worker_address_prefix` output to `worker_address_prefixes` + ## v1.23.5 * Kubernetes [v1.23.5](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#v1235) diff --git a/azure/fedora-coreos/kubernetes/lb.tf b/azure/fedora-coreos/kubernetes/lb.tf index b98949bc..4e139471 100644 --- a/azure/fedora-coreos/kubernetes/lb.tf +++ b/azure/fedora-coreos/kubernetes/lb.tf @@ -53,8 +53,6 @@ resource "azurerm_lb" "cluster" { } resource "azurerm_lb_rule" "apiserver" { - resource_group_name = azurerm_resource_group.cluster.name - name = "apiserver" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration_name = "apiserver" @@ -67,8 +65,6 @@ resource "azurerm_lb_rule" "apiserver" { } resource "azurerm_lb_rule" "ingress-http" { - resource_group_name = azurerm_resource_group.cluster.name - name = "ingress-http" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration_name = "ingress" @@ -82,8 +78,6 @@ resource "azurerm_lb_rule" "ingress-http" { } resource "azurerm_lb_rule" "ingress-https" { - resource_group_name = azurerm_resource_group.cluster.name - name = "ingress-https" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration_name = "ingress" @@ -98,8 +92,6 @@ resource "azurerm_lb_rule" "ingress-https" { # Worker outbound TCP/UDP SNAT resource "azurerm_lb_outbound_rule" "worker-outbound" { - resource_group_name = azurerm_resource_group.cluster.name - name = "worker" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration { @@ -126,8 +118,6 @@ resource "azurerm_lb_backend_address_pool" "worker" { # TCP health check for apiserver resource "azurerm_lb_probe" "apiserver" { - resource_group_name = azurerm_resource_group.cluster.name - name = "apiserver" loadbalancer_id = azurerm_lb.cluster.id protocol = "Tcp" @@ -141,8 +131,6 @@ resource "azurerm_lb_probe" "apiserver" { # HTTP health check for ingress resource "azurerm_lb_probe" "ingress" { - resource_group_name = azurerm_resource_group.cluster.name - name = "ingress" loadbalancer_id = azurerm_lb.cluster.id protocol = "Http" diff --git a/azure/fedora-coreos/kubernetes/network.tf b/azure/fedora-coreos/kubernetes/network.tf index 56215611..0fcaa8b8 100644 --- a/azure/fedora-coreos/kubernetes/network.tf +++ b/azure/fedora-coreos/kubernetes/network.tf @@ -41,4 +41,3 @@ resource "azurerm_subnet_network_security_group_association" "worker" { subnet_id = azurerm_subnet.worker.id network_security_group_id = azurerm_network_security_group.worker.id } - diff --git a/azure/fedora-coreos/kubernetes/outputs.tf b/azure/fedora-coreos/kubernetes/outputs.tf index dda4a204..1fb9cd4d 100644 --- a/azure/fedora-coreos/kubernetes/outputs.tf +++ b/azure/fedora-coreos/kubernetes/outputs.tf @@ -43,9 +43,9 @@ output "worker_security_group_name" { value = azurerm_network_security_group.worker.name } -output "worker_address_prefix" { - description = "Worker network subnet CIDR address (for source/destination)" - value = azurerm_subnet.worker.address_prefix +output "worker_address_prefixes" { + description = "Worker network subnet CIDR addresses (for source/destination)" + value = azurerm_subnet.worker.address_prefixes } # Outputs for custom load balancing diff --git a/azure/fedora-coreos/kubernetes/security.tf b/azure/fedora-coreos/kubernetes/security.tf index e106f3ba..0367cee1 100644 --- a/azure/fedora-coreos/kubernetes/security.tf +++ b/azure/fedora-coreos/kubernetes/security.tf @@ -10,171 +10,171 @@ resource "azurerm_network_security_group" "controller" { resource "azurerm_network_security_rule" "controller-icmp" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-icmp" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "1995" - access = "Allow" - direction = "Inbound" - protocol = "Icmp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-icmp" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "1995" + access = "Allow" + direction = "Inbound" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-ssh" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-ssh" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2000" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-ssh" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2000" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-etcd" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-etcd" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2005" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "2379-2380" - source_address_prefix = azurerm_subnet.controller.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-etcd" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2005" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "2379-2380" + source_address_prefixes = azurerm_subnet.controller.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape etcd metrics resource "azurerm_network_security_rule" "controller-etcd-metrics" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-etcd-metrics" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2010" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "2381" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-etcd-metrics" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2010" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "2381" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape kube-proxy metrics resource "azurerm_network_security_rule" "controller-kube-proxy" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-kube-proxy-metrics" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2011" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "10249" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-kube-proxy-metrics" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2011" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "10249" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape kube-scheduler and kube-controller-manager metrics resource "azurerm_network_security_rule" "controller-kube-metrics" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-kube-metrics" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2012" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "10257-10259" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-kube-metrics" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2012" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "10257-10259" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-apiserver" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-apiserver" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2015" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "6443" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-apiserver" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2015" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "6443" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-cilium-health" { resource_group_name = azurerm_resource_group.cluster.name count = var.networking == "cilium" ? 1 : 0 - name = "allow-cilium-health" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2019" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "4240" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-cilium-health" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2019" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "4240" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-vxlan" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2020" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "4789" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-vxlan" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2020" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "4789" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-linux-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-linux-vxlan" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2021" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "8472" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-linux-vxlan" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2021" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "8472" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape node-exporter daemonset resource "azurerm_network_security_rule" "controller-node-exporter" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-node-exporter" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2025" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "9100" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-node-exporter" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2025" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9100" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow apiserver to access kubelet's for exec, log, port-forward @@ -191,8 +191,8 @@ resource "azurerm_network_security_rule" "controller-kubelet" { destination_port_range = "10250" # allow Prometheus to scrape kubelet metrics too - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound @@ -240,139 +240,139 @@ resource "azurerm_network_security_group" "worker" { resource "azurerm_network_security_rule" "worker-icmp" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-icmp" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "1995" - access = "Allow" - direction = "Inbound" - protocol = "Icmp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-icmp" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "1995" + access = "Allow" + direction = "Inbound" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-ssh" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-ssh" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2000" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = azurerm_subnet.controller.address_prefix - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-ssh" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2000" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefixes = azurerm_subnet.controller.address_prefixes + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-http" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-http" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2005" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "80" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-http" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2005" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-https" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-https" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2010" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-https" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2010" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-cilium-health" { resource_group_name = azurerm_resource_group.cluster.name count = var.networking == "cilium" ? 1 : 0 - name = "allow-cilium-health" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2014" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "4240" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-cilium-health" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2014" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "4240" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-vxlan" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2015" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "4789" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-vxlan" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2015" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "4789" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-linux-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-linux-vxlan" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2016" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "8472" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-linux-vxlan" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2016" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "8472" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Allow Prometheus to scrape node-exporter daemonset resource "azurerm_network_security_rule" "worker-node-exporter" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-node-exporter" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2020" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "9100" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-node-exporter" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2020" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9100" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Allow Prometheus to scrape kube-proxy resource "azurerm_network_security_rule" "worker-kube-proxy" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-kube-proxy" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2024" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "10249" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-kube-proxy" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2024" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "10249" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Allow apiserver to access kubelet's for exec, log, port-forward @@ -389,8 +389,8 @@ resource "azurerm_network_security_rule" "worker-kubelet" { destination_port_range = "10250" # allow Prometheus to scrape kubelet metrics too - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound diff --git a/azure/fedora-coreos/kubernetes/versions.tf b/azure/fedora-coreos/kubernetes/versions.tf index f916bb9e..15d3040f 100644 --- a/azure/fedora-coreos/kubernetes/versions.tf +++ b/azure/fedora-coreos/kubernetes/versions.tf @@ -3,7 +3,7 @@ terraform { required_version = ">= 0.13.0, < 2.0.0" required_providers { - azurerm = "~> 2.8" + azurerm = ">= 2.8, < 4.0" template = "~> 2.2" null = ">= 2.1" diff --git a/azure/fedora-coreos/kubernetes/workers/versions.tf b/azure/fedora-coreos/kubernetes/workers/versions.tf index c151563f..5ef34d75 100644 --- a/azure/fedora-coreos/kubernetes/workers/versions.tf +++ b/azure/fedora-coreos/kubernetes/workers/versions.tf @@ -3,7 +3,7 @@ terraform { required_version = ">= 0.13.0, < 2.0.0" required_providers { - azurerm = "~> 2.8" + azurerm = ">= 2.8, < 4.0" template = "~> 2.2" ct = { diff --git a/azure/flatcar-linux/kubernetes/lb.tf b/azure/flatcar-linux/kubernetes/lb.tf index b98949bc..4e139471 100644 --- a/azure/flatcar-linux/kubernetes/lb.tf +++ b/azure/flatcar-linux/kubernetes/lb.tf @@ -53,8 +53,6 @@ resource "azurerm_lb" "cluster" { } resource "azurerm_lb_rule" "apiserver" { - resource_group_name = azurerm_resource_group.cluster.name - name = "apiserver" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration_name = "apiserver" @@ -67,8 +65,6 @@ resource "azurerm_lb_rule" "apiserver" { } resource "azurerm_lb_rule" "ingress-http" { - resource_group_name = azurerm_resource_group.cluster.name - name = "ingress-http" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration_name = "ingress" @@ -82,8 +78,6 @@ resource "azurerm_lb_rule" "ingress-http" { } resource "azurerm_lb_rule" "ingress-https" { - resource_group_name = azurerm_resource_group.cluster.name - name = "ingress-https" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration_name = "ingress" @@ -98,8 +92,6 @@ resource "azurerm_lb_rule" "ingress-https" { # Worker outbound TCP/UDP SNAT resource "azurerm_lb_outbound_rule" "worker-outbound" { - resource_group_name = azurerm_resource_group.cluster.name - name = "worker" loadbalancer_id = azurerm_lb.cluster.id frontend_ip_configuration { @@ -126,8 +118,6 @@ resource "azurerm_lb_backend_address_pool" "worker" { # TCP health check for apiserver resource "azurerm_lb_probe" "apiserver" { - resource_group_name = azurerm_resource_group.cluster.name - name = "apiserver" loadbalancer_id = azurerm_lb.cluster.id protocol = "Tcp" @@ -141,8 +131,6 @@ resource "azurerm_lb_probe" "apiserver" { # HTTP health check for ingress resource "azurerm_lb_probe" "ingress" { - resource_group_name = azurerm_resource_group.cluster.name - name = "ingress" loadbalancer_id = azurerm_lb.cluster.id protocol = "Http" diff --git a/azure/flatcar-linux/kubernetes/network.tf b/azure/flatcar-linux/kubernetes/network.tf index 56215611..0fcaa8b8 100644 --- a/azure/flatcar-linux/kubernetes/network.tf +++ b/azure/flatcar-linux/kubernetes/network.tf @@ -41,4 +41,3 @@ resource "azurerm_subnet_network_security_group_association" "worker" { subnet_id = azurerm_subnet.worker.id network_security_group_id = azurerm_network_security_group.worker.id } - diff --git a/azure/flatcar-linux/kubernetes/outputs.tf b/azure/flatcar-linux/kubernetes/outputs.tf index dda4a204..1fb9cd4d 100644 --- a/azure/flatcar-linux/kubernetes/outputs.tf +++ b/azure/flatcar-linux/kubernetes/outputs.tf @@ -43,9 +43,9 @@ output "worker_security_group_name" { value = azurerm_network_security_group.worker.name } -output "worker_address_prefix" { - description = "Worker network subnet CIDR address (for source/destination)" - value = azurerm_subnet.worker.address_prefix +output "worker_address_prefixes" { + description = "Worker network subnet CIDR addresses (for source/destination)" + value = azurerm_subnet.worker.address_prefixes } # Outputs for custom load balancing diff --git a/azure/flatcar-linux/kubernetes/security.tf b/azure/flatcar-linux/kubernetes/security.tf index e106f3ba..0367cee1 100644 --- a/azure/flatcar-linux/kubernetes/security.tf +++ b/azure/flatcar-linux/kubernetes/security.tf @@ -10,171 +10,171 @@ resource "azurerm_network_security_group" "controller" { resource "azurerm_network_security_rule" "controller-icmp" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-icmp" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "1995" - access = "Allow" - direction = "Inbound" - protocol = "Icmp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-icmp" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "1995" + access = "Allow" + direction = "Inbound" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-ssh" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-ssh" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2000" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-ssh" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2000" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-etcd" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-etcd" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2005" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "2379-2380" - source_address_prefix = azurerm_subnet.controller.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-etcd" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2005" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "2379-2380" + source_address_prefixes = azurerm_subnet.controller.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape etcd metrics resource "azurerm_network_security_rule" "controller-etcd-metrics" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-etcd-metrics" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2010" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "2381" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-etcd-metrics" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2010" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "2381" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape kube-proxy metrics resource "azurerm_network_security_rule" "controller-kube-proxy" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-kube-proxy-metrics" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2011" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "10249" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-kube-proxy-metrics" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2011" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "10249" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape kube-scheduler and kube-controller-manager metrics resource "azurerm_network_security_rule" "controller-kube-metrics" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-kube-metrics" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2012" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "10257-10259" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-kube-metrics" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2012" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "10257-10259" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-apiserver" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-apiserver" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2015" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "6443" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-apiserver" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2015" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "6443" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-cilium-health" { resource_group_name = azurerm_resource_group.cluster.name count = var.networking == "cilium" ? 1 : 0 - name = "allow-cilium-health" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2019" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "4240" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-cilium-health" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2019" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "4240" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-vxlan" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2020" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "4789" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-vxlan" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2020" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "4789" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } resource "azurerm_network_security_rule" "controller-linux-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-linux-vxlan" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2021" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "8472" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-linux-vxlan" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2021" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "8472" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow Prometheus to scrape node-exporter daemonset resource "azurerm_network_security_rule" "controller-node-exporter" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-node-exporter" - network_security_group_name = azurerm_network_security_group.controller.name - priority = "2025" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "9100" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.controller.address_prefix + name = "allow-node-exporter" + network_security_group_name = azurerm_network_security_group.controller.name + priority = "2025" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9100" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Allow apiserver to access kubelet's for exec, log, port-forward @@ -191,8 +191,8 @@ resource "azurerm_network_security_rule" "controller-kubelet" { destination_port_range = "10250" # allow Prometheus to scrape kubelet metrics too - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.controller.address_prefix + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.controller.address_prefixes } # Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound @@ -240,139 +240,139 @@ resource "azurerm_network_security_group" "worker" { resource "azurerm_network_security_rule" "worker-icmp" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-icmp" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "1995" - access = "Allow" - direction = "Inbound" - protocol = "Icmp" - source_port_range = "*" - destination_port_range = "*" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-icmp" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "1995" + access = "Allow" + direction = "Inbound" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "*" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-ssh" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-ssh" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2000" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "22" - source_address_prefix = azurerm_subnet.controller.address_prefix - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-ssh" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2000" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "22" + source_address_prefixes = azurerm_subnet.controller.address_prefixes + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-http" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-http" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2005" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "80" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-http" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2005" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "80" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-https" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-https" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2010" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "443" - source_address_prefix = "*" - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-https" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2010" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "443" + source_address_prefix = "*" + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-cilium-health" { resource_group_name = azurerm_resource_group.cluster.name count = var.networking == "cilium" ? 1 : 0 - name = "allow-cilium-health" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2014" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "4240" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-cilium-health" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2014" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "4240" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-vxlan" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2015" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "4789" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-vxlan" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2015" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "4789" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } resource "azurerm_network_security_rule" "worker-linux-vxlan" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-linux-vxlan" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2016" - access = "Allow" - direction = "Inbound" - protocol = "Udp" - source_port_range = "*" - destination_port_range = "8472" - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-linux-vxlan" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2016" + access = "Allow" + direction = "Inbound" + protocol = "Udp" + source_port_range = "*" + destination_port_range = "8472" + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Allow Prometheus to scrape node-exporter daemonset resource "azurerm_network_security_rule" "worker-node-exporter" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-node-exporter" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2020" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "9100" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-node-exporter" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2020" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "9100" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Allow Prometheus to scrape kube-proxy resource "azurerm_network_security_rule" "worker-kube-proxy" { resource_group_name = azurerm_resource_group.cluster.name - name = "allow-kube-proxy" - network_security_group_name = azurerm_network_security_group.worker.name - priority = "2024" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "10249" - source_address_prefix = azurerm_subnet.worker.address_prefix - destination_address_prefix = azurerm_subnet.worker.address_prefix + name = "allow-kube-proxy" + network_security_group_name = azurerm_network_security_group.worker.name + priority = "2024" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "10249" + source_address_prefixes = azurerm_subnet.worker.address_prefixes + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Allow apiserver to access kubelet's for exec, log, port-forward @@ -389,8 +389,8 @@ resource "azurerm_network_security_rule" "worker-kubelet" { destination_port_range = "10250" # allow Prometheus to scrape kubelet metrics too - source_address_prefixes = [azurerm_subnet.controller.address_prefix, azurerm_subnet.worker.address_prefix] - destination_address_prefix = azurerm_subnet.worker.address_prefix + source_address_prefixes = concat(azurerm_subnet.controller.address_prefixes, azurerm_subnet.worker.address_prefixes) + destination_address_prefixes = azurerm_subnet.worker.address_prefixes } # Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound diff --git a/azure/flatcar-linux/kubernetes/versions.tf b/azure/flatcar-linux/kubernetes/versions.tf index f916bb9e..15d3040f 100644 --- a/azure/flatcar-linux/kubernetes/versions.tf +++ b/azure/flatcar-linux/kubernetes/versions.tf @@ -3,7 +3,7 @@ terraform { required_version = ">= 0.13.0, < 2.0.0" required_providers { - azurerm = "~> 2.8" + azurerm = ">= 2.8, < 4.0" template = "~> 2.2" null = ">= 2.1" diff --git a/azure/flatcar-linux/kubernetes/workers/versions.tf b/azure/flatcar-linux/kubernetes/workers/versions.tf index c151563f..5ef34d75 100644 --- a/azure/flatcar-linux/kubernetes/workers/versions.tf +++ b/azure/flatcar-linux/kubernetes/workers/versions.tf @@ -3,7 +3,7 @@ terraform { required_version = ">= 0.13.0, < 2.0.0" required_providers { - azurerm = "~> 2.8" + azurerm = ">= 2.8, < 4.0" template = "~> 2.2" ct = { diff --git a/docs/architecture/azure.md b/docs/architecture/azure.md index a19384b3..2f9c0ab1 100644 --- a/docs/architecture/azure.md +++ b/docs/architecture/azure.md @@ -53,16 +53,16 @@ Add firewall rules to the worker security group. resource "azurerm_network_security_rule" "some-app" { resource_group_name = "${module.ramius.resource_group_name}" - name = "some-app" - network_security_group_name = module.ramius.worker_security_group_name - priority = "3001" - access = "Allow" - direction = "Inbound" - protocol = "Tcp" - source_port_range = "*" - destination_port_range = "30333" - source_address_prefix = "*" - destination_address_prefix = module.ramius.worker_address_prefix + name = "some-app" + network_security_group_name = module.ramius.worker_security_group_name + priority = "3001" + access = "Allow" + direction = "Inbound" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "30333" + source_address_prefix = "*" + destination_address_prefixes = module.ramius.worker_address_prefixes } ```