[breaking] Fix aws-redis-node security groups #149
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mbarrien
force-pushed
the
mbarrien/redis-sg
branch
3 times, most recently
from
22be77b
to
f87e7bb
Compare
mbarrien
force-pushed
the
mbarrien/redis-sg
branch
from
f87e7bb
to
702d173
Compare
chauvm
approved these changes
Oct 17, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
aws-redis-node (and its predecessor in shared-infra, redis-node) had a bug (or at least a naming bug), where the variable named "ingress_security_groups" which ostensibly controlled which security groups were allowed to access the cache, instead assigned the security group that were assigned to Elasticache. In all cases in CZI repos so far, this was set to be the security group assigned to the worker nodes, which happened to allow access to all traffic.
The PR makes this module match the description of ingress_security_group by introducing a new security group in between, assigning the cache the new security group and allowing ingress into that security group from the input security groups, only to the port Redis is listening on.
This PR is breaking because we now need the vpc_id as a new input to be able to create the new intermediate security group. It is also breaking (although not used in this way anywhere in CZI's code base) since it now requires service to be provided, and does not provide a default.