Bug 1875773: ci-operator/step-registry/ipi/conf/aws/blackholenetwork/blackhole_vpc_yaml: Add EC2 endpoint #11723

Merged
Expand Up @@ -173,6 +173,42 @@ Resources:
Properties:
SubnetId: !Ref PrivateSubnet3
RouteTableId: !Ref PrivateRouteTable3
EC2EndpointSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EC2 Endpoint Security Group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: !Ref VpcCidr
VpcId: !Ref VPC
EC2Endpoint:
Should a TODO comment be added to remove this VPCE when https://bugzilla.redhat.com/show_bug.cgi?id=1769223 is fixed?

Member Author

I dunno. We will probably need to keep this until we have end-of-lifed all releases for which the machine-API needs the endpoint. But we may want to split into two flavors of VPC so we can test proxy-respecting machine-API while continuing to run CI on proxy-ignoring machine-API. I'm fine tracking that in Jira or a bug or whatever instead of in release comments.

wking marked this conversation as resolved.
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal: '*'
Action:
- '*'
Resource:
- '*'
PrivateDnsEnabled: "true"
SecurityGroupIds:
- !Ref EC2EndpointSecurityGroup
ServiceName: !Join
- ''
- - com.amazonaws.
- !Ref 'AWS::Region'
- .ec2
SubnetIds:
- !Ref PublicSubnet
- !If [DoAz2, !Ref PublicSubnet2, !Ref "AWS::NoValue"]
- !If [DoAz3, !Ref PublicSubnet3, !Ref "AWS::NoValue"]
VpcEndpointType: Interface
VpcId: !Ref VPC
S3Endpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
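Review bot: the PolicyDocument on EC2Endpoint (Principal '*', Action '*', Resource '*') is the full-access policy AWS attaches by default when no endpoint policy is given, so as written the block changes nothing; either drop it or scope it to the EC2 actions the machine-API actually has to reach through this endpoint, and add a short comment above EC2Endpoint saying why the blackhole VPC needs an EC2 interface endpoint at all (the thread points at https://bugzilla.redhat.com/show_bug.cgi?id=1769223 and the proxy-ignoring machine-API), since nothing in the template records that. The ingress rule limiting tcp/443 to VpcCidr is the right scope for an interface endpoint; the endpoint ENIs are placed in PublicSubnet* while the surrounding context wires PrivateSubnet* to their route tables, which works for in-VPC reachability but deserves a comment so the placement is not mistaken for a restriction to the public subnets.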
Expand Down Expand Up @@ -214,4 +250,4 @@ Outputs:
!Join [
",",
[!Ref PrivateSubnet, !If [DoAz2, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]]
]
]