Merge pull request #745 from wking/s3-vpc-endpoint

data/aws/vpc: Add an S3 endpoint to new VPCs
2026-02-06 00:48:45 +01:00 · 2018-12-13 16:17:57 -08:00
parent e431e60558 cdcaeb2aa4
commit 5813f611f9
6 changed files with 51 additions and 32 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -392,11 +392,11 @@
  revision = "fb8b55a1072436a51b153de9acf5bf5525efcf83"

 [[projects]]
-  digest = "1:c2edaeee2250d3886f1e2223a8c6698498ecdc467a72949888f89dc1dde89045"
+  digest = "1:fff47662f79ac206b6c6c466afb79f0458fbdf1390f527cad9255e07f8de1369"
  name = "github.com/openshift/hive"
  packages = ["contrib/pkg/awstagdeprovision"]
  pruneopts = "NUT"
-  revision = "2349f175d3e4fc6542dec79add881a59f2d7b1b8"
+  revision = "802db5420da6a88f034fc2501081e2ab12e8463e"

 [[projects]]
  digest = "1:93b1d84c5fa6d1ea52f4114c37714cddd84d5b78f151b62bb101128dd51399bf"
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -70,7 +70,7 @@ ignored = [

 [[constraint]]
  name = "github.com/openshift/hive"
-  revision = "2349f175d3e4fc6542dec79add881a59f2d7b1b8"
+  revision = "802db5420da6a88f034fc2501081e2ab12e8463e"

 [[constraint]]
  name = "k8s.io/utils"
--- a/data/data/aws/main.tf
+++ b/data/data/aws/main.tf
@@ -89,6 +89,7 @@ module "vpc" {
  cluster_id      = "${var.cluster_id}"
  cluster_name    = "${var.cluster_name}"
  external_vpc_id = "${var.aws_external_vpc_id}"
+  region          = "${var.aws_region}"

  external_master_subnet_ids = "${compact(var.aws_external_master_subnet_ids)}"
  external_worker_subnet_ids = "${compact(var.aws_external_worker_subnet_ids)}"
--- a/data/data/aws/vpc/variables.tf
+++ b/data/data/aws/vpc/variables.tf
@@ -51,3 +51,8 @@ variable "public_master_endpoints" {
  description = "If set to true, public-facing ingress resources are created."
  default     = true
 }
+
+variable "region" {
+  type        = "string"
+  description = "The target AWS region for the cluster."
+}
--- a/data/data/aws/vpc/vpc.tf
+++ b/data/data/aws/vpc/vpc.tf
@@ -16,3 +16,9 @@ resource "aws_vpc" "new_vpc" {
      "openshiftClusterID", "${var.cluster_id}"
    ), var.extra_tags)}"
 }
+
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id          = "${aws_vpc.new_vpc.id}"
+  service_name    = "com.amazonaws.${var.region}.s3"
+  route_table_ids = ["${concat(aws_route_table.private_routes.*.id, aws_route_table.default.*.id)}"]
+}
--- a/vendor/github.com/openshift/hive/contrib/pkg/awstagdeprovision/awstagdeprovision.go
+++ b/vendor/github.com/openshift/hive/contrib/pkg/awstagdeprovision/awstagdeprovision.go
@@ -377,6 +377,34 @@ func rtHasMainAssociation(rt *ec2.RouteTable) bool {
 	return false
 }

+// deleteVPCEndpoints will find all VPC endpoints associated with the passed in VPC and attempt to delete them
+func deleteVPCEndpoints(vpc *ec2.Vpc, ec2Client *ec2.EC2, logger log.FieldLogger) error {
+	describeEndpointsInput := ec2.DescribeVpcEndpointsInput{}
+	describeEndpointsInput.Filters = []*ec2.Filter{
+		{
+			Name:   aws.String("vpc-id"),
+			Values: []*string{vpc.VpcId},
+		},
+	}
+
+	results, err := ec2Client.DescribeVpcEndpoints(&describeEndpointsInput)
+	if err != nil {
+		logger.Debugf("error describing VPC endpoints: %v", err)
+		return err
+	}
+	for _, ep := range results.VpcEndpoints {
+		_, err := ec2Client.DeleteVpcEndpoints(&ec2.DeleteVpcEndpointsInput{
+			VpcEndpointIds: []*string{ep.VpcEndpointId},
+		})
+		if err != nil {
+			logger.Debugf("error deleting VPC endpoint: %v", err)
+			return err
+		}
+		logger.WithField("id", *ep.VpcEndpointId).Info("Deleted VPC endpoint")
+	}
+	return nil
+}
+
 // deleteRouteTablesWithVPC will attempt to delete all route tables associated with a given VPC
 func deleteRouteTablesWithVPC(vpc *ec2.Vpc, ec2Client *ec2.EC2, logger log.FieldLogger) error {
 	var anyError error
@@ -400,12 +428,6 @@ func deleteRouteTablesWithVPC(vpc *ec2.Vpc, ec2Client *ec2.EC2, logger log.Field
 			return err
 		}

-		err = deleteRoutesFromTable(rt, ec2Client, logger)
-		if err != nil {
-			logger.Debugf("error deleting routes from route table: %v", err)
-			return err
-		}
-
 		if rtHasMainAssociation(rt) {
 			// can't delete route table with the 'Main' association
 			// it will get cleaned up as part of deleting the VPC
@@ -456,8 +478,15 @@ func deleteVPCs(awsSession *session.Session, filters AWSFilter, clusterName stri
 				return false, nil
 			}

+			// next delete any VPC endpoints associated with the VPC (they are not taggable)
+			err := deleteVPCEndpoints(vpc, ec2Client, logger)
+			if err != nil {
+				logger.Debugf("error deleting VPC endpoint: %v", err)
+				return false, nil
+			}
+
 			// next delete route tables associated with the VPC (not all of them are tagged)
-			err := deleteRouteTablesWithVPC(vpc, ec2Client, logger)
+			err = deleteRouteTablesWithVPC(vpc, ec2Client, logger)
 			if err != nil {
 				logger.Debugf("error deleting route tables: %v", err)
 				return false, nil
@@ -1017,28 +1046,6 @@ func disassociateRouteTable(rt *ec2.RouteTable, ec2Client *ec2.EC2, logger log.F
 	return nil
 }

-// deleteRoutesFromTable will attempt to remove all routes defined in a given route table
-func deleteRoutesFromTable(rt *ec2.RouteTable, ec2Client *ec2.EC2, logger log.FieldLogger) error {
-	for _, route := range rt.Routes {
-		// can't delete the 'local' route
-		if route.GatewayId != nil && *route.GatewayId == "local" {
-			continue
-		}
-		logger.Debugf("deleting route %v from RT %v", *route.DestinationCidrBlock, *rt.RouteTableId)
-		_, err := ec2Client.DeleteRoute(&ec2.DeleteRouteInput{
-			RouteTableId:         rt.RouteTableId,
-			DestinationCidrBlock: route.DestinationCidrBlock,
-		})
-		if err != nil {
-			logger.Debugf("error deleting route from route table: %v", err)
-			return err
-		}
-
-		logger.Infof("Deleted route %v from route table %v", *route.DestinationCidrBlock, *rt.RouteTableId)
-	}
-	return nil
-}
-
 // deleteSubnets will attempt to delete all Subnets matching the given filter
 func deleteSubnets(session *session.Session, filter AWSFilter, clusterName string, logger log.FieldLogger) (bool, error) {
 	logger.Debugf("Deleting subnets (%s)", filter)