
feat!: (IAC-619) Support VPCs with private and control_plane subnets, NAT gateway is not required #238

Merged (27 commits), Nov 2, 2023

Conversation

@dhoucgitter (Member) commented Oct 9, 2023

Changes

  • The nat_id input variable is now optional for BYO network scenarios 2 & 3
  • Remove nat_id as a required input in BYOnetwork.md document for scenarios 2 & 3
  • Update the nat_id note entry in CONFIG-VARS.md "Use Existing" table for nat_id entry to indicate when it is an optional input parameter
  • When using the existing subnet_ids map, only two private subnet ids are always required to create the EKS cluster, public and database subnet_ids are optional for private subnet only configurations
  • Add byo_network_scenario output variable value to terraform outputs to indicate which BYOnetwork scenario is driving IaC behavior
  • Do not create new public or database subnet resources for BYON scenarios 2 & 3 when either public or database subnet_ids are not specified in existing subnets map
  • Update VPC endpoint attributes to specify "Interface" or "Gateway" type, use private_dns_enable=true and add security group rule to allow access to AWS ECR container images from a private network
  • Add vpc_private_access_cidrs and vm_private_access_cidrs, and default_private_access_cidrs configuration variables and add doc for them and existing cluster_endpoint_private_access_cidrs
  • Add information regarding use cases for the private access CIDR variables in CONFIG-VARS.md

This update includes breaking changes and updates managed security groups and their rules. Existing EC2 instances and their network interfaces with references to the original security groups create obstacles for direct replacement of those security groups. Users with infrastructure created with the v7.2.1 release or older will need to destroy their cluster using the version of viya4-iac-aws used to create their infrastructure and then recreate it with the latest release.

The current recommendation for users who want to use the release containing this PR and who created their infrastructure for a Viya deployment with viya4-iac-aws:7.2.1 or earlier is to:

  1. Follow the SAS Viya Platform Operation backup and restore documentation to perform a full backup of their environment.
  2. Uninstall the SAS Viya deployment and destroy the infrastructure using the version of viya4-iac-aws you initially deployed with.
  3. Recreate your infrastructure using the latest version of viya4-iac-aws.
  4. Follow the SAS Viya Platform Operation backup and restore documentation to restore your environment.

Tests

Tests are being recorded in the internal ticket during testing.
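As an added example, not code from this PR or from the viya4-iac-aws project, the following Terraform shows the private-subnet pattern the change list describes: the two private subnet ids required for the EKS cluster enforced with a validation block, "Interface" endpoints for ECR with private DNS enabled, a "Gateway" endpoint for S3 (which serves ECR image layers), and a security group that admits HTTPS to the endpoints only from the private access CIDRs, so no NAT gateway is needed to pull container images. The variable names, resource names, region and CIDR values are assumptions made for illustration; the real provider argument for private DNS is `private_dns_enabled`.

```hcl
# Added example only; not the project's own module code.
# Variable names, resource names, region and CIDRs are illustrative assumptions.

variable "vpc_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-east-1" # assumed
}

# Only two private subnet ids are required for the EKS control plane;
# public and database subnets are optional in a private-only VPC.
variable "private_subnet_ids" {
  type = list(string)

  validation {
    condition     = length(var.private_subnet_ids) >= 2
    error_message = "At least two private subnet ids are required to create the EKS cluster."
  }
}

# Route tables of the private subnets, used by the S3 gateway endpoint.
variable "private_route_table_ids" {
  type = list(string)
}

# CIDRs inside the VPC that may reach the interface endpoints (assumed VPC CIDR).
variable "vpc_private_access_cidrs" {
  type    = list(string)
  default = ["10.0.0.0/16"]
}

# Security group attached to the endpoint ENIs: HTTPS only, only from private CIDRs.
# No egress block is defined, so only stateful reply traffic leaves the endpoints.
resource "aws_security_group" "vpc_endpoints" {
  name        = "vpc-endpoints" # assumed name
  description = "Allow HTTPS to VPC interface endpoints from private CIDRs"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from private access CIDRs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.vpc_private_access_cidrs
  }
}

locals {
  # ecr.api handles registry API calls, ecr.dkr handles docker pull/push traffic.
  interface_services = toset(["ecr.api", "ecr.dkr"])
}

# "Interface" endpoints place an ENI in each private subnet; private DNS makes the
# public ECR hostnames resolve to those ENIs from inside the VPC.
resource "aws_vpc_endpoint" "ecr" {
  for_each = local.interface_services

  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

# "Gateway" endpoints are route-table entries, not ENIs; S3 is required because
# ECR stores image layers in S3.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

output "ecr_endpoint_ids" {
  value = { for k, ep in aws_vpc_endpoint.ecr : k => ep.id }
}
```

With these three endpoints in place, image pulls from nodes in the private subnets never leave the AWS network, and the only inbound path to the endpoint ENIs is TCP/443 from the CIDRs you list in `vpc_private_access_cidrs`; widening that list to `0.0.0.0/0` would not expose the endpoints to the internet (they are not routable from outside the VPC) but would defeat the intent of restricting which in-VPC sources may reach them.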

@dhoucgitter dhoucgitter marked this pull request as draft October 9, 2023 22:20
@dhoucgitter dhoucgitter self-assigned this Oct 9, 2023
@dhoucgitter dhoucgitter added enhancement New feature or request documentation Improvements or additions to documentation labels Oct 9, 2023
@dhoucgitter dhoucgitter marked this pull request as ready for review October 16, 2023 12:33
Review comments (resolved) on docs/CONFIG-VARS.md, docs/user/BYOnetwork.md, main.tf and modules/aws_vpc/main.tf
@dhoucgitter dhoucgitter requested a review from canpmh October 19, 2023 17:34
Review comment (resolved) on security.tf
@dhoucgitter dhoucgitter requested a review from riragh October 20, 2023 20:09
Review comment (resolved) on main.tf
Add expected ingress rules to main SG, cluster SG and workers SG for new private CIDR vars
Review comments (resolved) on security.tf

@thpang (Member) left a comment

Looking for logic clarity

Review comments (resolved) on modules/aws_vpc/variables.tf, docs/CONFIG-VARS.md, docs/user/BYOnetwork.md and modules/aws_vpc/main.tf

@thpang (Member) left a comment

LGTM

@dhoucgitter dhoucgitter changed the title feat: (IAC-619) Support VPCs with ONLY private subnets, NAT gateway is not required feat!: (IAC-619) Support VPCs with ONLY private subnets, NAT gateway is not required Nov 2, 2023
@dhoucgitter dhoucgitter merged commit c1325fb into staging Nov 2, 2023
3 checks passed
@dhoucgitter dhoucgitter deleted the fix/iac-619 branch November 2, 2023 14:44
@dhoucgitter dhoucgitter changed the title feat!: (IAC-619) Support VPCs with ONLY private subnets, NAT gateway is not required feat!: (IAC-619) Support VPCs with private and control_plane subnets, NAT gateway is not required Dec 5, 2023
@dhoucgitter dhoucgitter linked an issue Dec 6, 2023 that may be closed by this pull request
dhoucgitter added a commit that referenced this pull request Feb 28, 2024
Linked issue that may be closed by this pull request: Recieving an Error when attempting to provision Viya without a nat gateway