diff --git a/README.md b/README.md
index c42bd12e..33926b6f 100644
--- a/README.md
+++ b/README.md
@@ -312,6 +312,7 @@ module "karpenter" {
| [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security Group ID of the master nodes |
| [ebs\_kms\_key\_arn](#output\_ebs\_kms\_key\_arn) | KMS Key ARN used for EBS encryption |
| [ebs\_kms\_key\_id](#output\_ebs\_kms\_key\_id) | KMS Key ID used for EBS encryption |
+| [fargate\_namespaces\_for\_security\_group](#output\_fargate\_namespaces\_for\_security\_group) | value for fargate\_namespaces\_for\_security\_group |
| [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | OIDC Provider ARN for IRSA |
| [worker\_iam\_role\_arn](#output\_worker\_iam\_role\_arn) | IAM Role ARN used by worker nodes |
| [worker\_iam\_role\_name](#output\_worker\_iam\_role\_name) | IAM Role Name used by worker nodes |
diff --git a/fargate_profile.tf b/fargate_profile.tf
index b1012f41..2540719b 100644
--- a/fargate_profile.tf
+++ b/fargate_profile.tf
@@ -1,29 +1,18 @@
locals {
+ essentials_namespaces = ["opentelemetry-operator-system", "cert-manager", "brupop-bottlerocket-aws"] # to add more if the essentials module deploys in any new namespaces
+ kube_system_namespaces = ["kube-system"]
+
+ fargate_namespaces = concat(local.essentials_namespaces, local.kube_system_namespaces)
+
default_fargate_profiles = merge(
{
- default = {
- name = "default"
- selectors = [
- {
- namespace = "default"
- },
- ]
- subnet_ids = var.subnet_ids
- }
essentials = {
subnet_ids = var.subnet_ids
selectors = [
- {
- namespace = "opentelemetry-operator-system"
- },
- {
- namespace = "cert-manager"
- },
- {
- namespace = "brupop-bottlerocket-aws"
- },
- # to add more if the essentials module deploys in any new namespaces
+ for ns_value in local.essentials_namespaces : {
+ namespace = ns_value
+ }
]
}
},
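Review bot: `kube_system_namespaces` is folded into `fargate_namespaces` on L22, which later becomes the SecurityGroupPolicy list, yet no Fargate selector for `kube-system` is visible in this hunk, so a reader cannot tell whether kube-system pods are expected on Fargate or only need the policy for some other reason. A one-line comment on the local would remove the ambiguity, e.g. `# kube-system is listed only so it receives a SecurityGroupPolicy; its Fargate selector (if any) lives outside the essentials profile`. Note that a SecurityGroupPolicy with an empty pod selector is namespace-wide, so it would also apply to any pod scheduled into kube-system on EC2 nodes if security groups for pods is enabled there — worth confirming that is intended. The `locals` block and the `merge(` inside it continue past the end of this hunk.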
@@ -55,5 +44,8 @@ module "fargate_profiles" {
create_aws_observability_ns = var.create_aws_observability_ns
create_fargate_logger_configmap = var.create_fargate_logger_configmap
+ eks_worker_security_group_id = module.eks.node_security_group_id
+ fargate_namespaces_for_security_group = local.fargate_namespaces
+
tags = var.tags
}
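Review bot: The new `fargate_namespaces_for_security_group` input will make the module create namespace-scoped manifests in `opentelemetry-operator-system`, `cert-manager` and `brupop-bottlerocket-aws`, but nothing in this hunk orders the module after whatever creates those namespaces; if they come from a sibling essentials module, the first apply can fail with "namespace not found". If that ordering is not already expressed elsewhere in the module call, add `depends_on = [module.essentials]` (or the actual namespace-creating module) to this block. The `module "fargate_profiles"` block starts above the hunk, so an existing `depends_on` may be out of view.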
diff --git a/modules/eks_managed_nodes/REDME.md b/modules/eks_managed_nodes/REDME.md
deleted file mode 100644
index e69de29b..00000000
diff --git a/modules/fargate_profile/README.md b/modules/fargate_profile/README.md
index 09e50ace..92114d38 100644
--- a/modules/fargate_profile/README.md
+++ b/modules/fargate_profile/README.md
@@ -80,6 +80,7 @@ module "fargate_profile" {
| Name | Type |
|------|------|
| [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
+| [kubernetes_manifest.sg](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [kubernetes_namespace_v1.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -91,6 +92,8 @@ module "fargate_profile" {
| [cluster\_name](#input\_cluster\_name) | EKS Cluster name | `string` | n/a | yes |
| [create\_aws\_observability\_ns](#input\_create\_aws\_observability\_ns) | value to determine if aws-observability namespace is created | `bool` | `true` | no |
| [create\_fargate\_logger\_configmap](#input\_create\_fargate\_logger\_configmap) | value to determine if create\_fargate\_logger\_configmap is created | `bool` | `true` | no |
+| [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | Security Group ID of the worker nodes | `string` | n/a | yes |
+| [fargate\_namespaces\_for\_security\_group](#input\_fargate\_namespaces\_for\_security\_group) | List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes | `list(string)` | `[]` | no |
| [fargate\_profile\_defaults](#input\_fargate\_profile\_defaults) | Map of Fargate Profile default configurations | `any` | `{}` | no |
| [fargate\_profiles](#input\_fargate\_profiles) | Map of maps of `fargate_profiles` to create | `any` | `{}` | no |
| [tags](#input\_tags) | Tags for all resources | `map(string)` | `{}` | no |
diff --git a/modules/fargate_profile/main.tf b/modules/fargate_profile/main.tf
index f4311670..c5fd453c 100644
--- a/modules/fargate_profile/main.tf
+++ b/modules/fargate_profile/main.tf
@@ -22,3 +22,28 @@ module "fargate_profile" {
iam_role_tags = lookup(each.value, "iam_role_tags", {})
tags = merge(var.tags, lookup(each.value, "tags", {}))
}
+
+
+
+resource "kubernetes_manifest" "sg" {
+
+ for_each = var.fargate_namespaces_for_security_group
+
+ manifest = {
+ apiVersion = "vpcresources.k8s.aws/v1beta1"
+ kind = "SecurityGroupPolicy"
+ metadata = {
+ name = "fargate-node-${each.value}-sg"
+ namespace = each.value
+ }
+ spec = {
+ podSelector = {
+ matchLabels = {}
+ }
+ securityGroups = {
+ groupIds = [var.eks_worker_security_group_id]
+ }
+ }
+ }
+
+}
diff --git a/modules/fargate_profile/variables.tf b/modules/fargate_profile/variables.tf
index d49c36d7..524f202c 100644
--- a/modules/fargate_profile/variables.tf
+++ b/modules/fargate_profile/variables.tf
@@ -50,3 +50,17 @@ variable "create_fargate_logger_configmap" {
type = bool
default = true
}
+
+##################################
+### Fargate Selector Namespaces ##
+##################################
+variable "fargate_namespaces_for_security_group" {
+ description = "List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes"
+ type = list(string)
+ default = []
+}
+
+variable "eks_worker_security_group_id" {
+ description = "Security Group ID of the worker nodes"
+ type = string
+}
diff --git a/outputs.tf b/outputs.tf
index f8c72ca7..e4245e1c 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -77,3 +77,8 @@ output "cluster_version" {
description = "Version of the EKS Cluster"
value = module.eks.cluster_version
}
+
+output "fargate_namespaces_for_security_group" {
+ description = "value for fargate_namespaces_for_security_group"
+ value = local.fargate_namespaces
+}