Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updates to operation mode, SGs, cluster type, and additional flags. #57

Merged
merged 4 commits into from May 14, 2024
Merged

Updates to operation mode, SGs, cluster type, and additional flags. #57

merged 4 commits into from May 14, 2024

Conversation

JDBraun
Copy link
Contributor

@JDBraun JDBraun commented Apr 24, 2024

This PR addresses the following issues:

New Additions:

  • A compliance_security_profile flag has been added. If this is set to true, it adds an egress 2443 rule to the data plane security group and an inbound 2443 rule on the PrivateLink endpoint. Since this is only relevant for ESC. 2443 has subsequently been removed from the list of ports in the example.
  • A enable_admin_configs has been added. Unfortunately, due to the evolving nature of this API, it has caused issues in certain provider versions. So, this has been defaulted to false. Examples admin configurations, that follow our best practices, have been added in the resource with their documentation, a user should evaluate if they would like to enable this or not.

@JDBraun
Copy link
Contributor Author

JDBraun commented Apr 30, 2024

@metrocavich - mind taking a look on the nitro update?

@metrocavich
Copy link

All looks good to me now. (And I really looked for something else to comment on...)

ryan-gord-db
ryan-gord-db suggested changes May 1, 2024
View reviewed changes
aws/tf/modules/sra/network.tf Outdated
@@ -67,4 +70,15 @@ resource "aws_security_group" "sg" {
tags = {
Name = "${var.resource_prefix}-data-plane-sg"
}
}

resource "aws_security_group_rule" "esc_conditional_egress" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like AWS advises against using a aws_security_group_rule with an aws_security_group that contains inline rules like the sg resource above. One way to work around the issue is to remove the aws_security_group_rule and add another dynamic block to sg where the for_each is something like this: for_each = [for x in [var.compliance_security_profile ? 2443 : null]: x]. It isn't the most aesthetically pleasing since TF isn't great with conditional logic. Maybe always including a rule to port 2443 outweighs adding this type of logic?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good call - let me explore this

@JDBraun JDBraun mentioned this pull request May 8, 2024
Closed
@JDBraun
Copy link
Contributor Author

JDBraun commented May 14, 2024

@db-wenxin + @ryan-gord-db - check out the changes to the SG rules in network.tf I added dynamic rules in the existing block now

ryan-gord-db
ryan-gord-db approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@ryan-gord-db ryan-gord-db left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jdbraun-db jdbraun-db merged commit 6523d99 into databricks:main May 14, 2024
1 check passed
This was referenced May 14, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@metrocavich metrocavich metrocavich left review comments

@ryan-gord-db ryan-gord-db ryan-gord-db approved these changes

@db-wenxin db-wenxin db-wenxin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@JDBraun @metrocavich @ryan-gord-db @db-wenxin @jdbraun-db