feat: patch CMK module and updated EksIp6 module

2026-02-25 18:06:40 +08:00
parent df22fcf46b
commit acd42ff526
7 changed files with 115 additions and 68 deletions
@@ -1,5 +1,5 @@
 module "BastionRole" {
-  source                  = "../../modules/security_identity_compliance/iam-role-v2"
+  source                  = "../modules/security_identity_compliance/iam-role-v2"
  description             = "EKS bastion instance profile"
  role-name               = "BastionInstanceProfile"
  trusted-entity          = "ec2.amazonaws.com"
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {

 module "eks-bastion" {
  depends_on = [module.eks] # essential for initializing kubectl in userdata
-  source     = "../../modules/compute/ec2"
+  source     = "../modules/compute/ec2"

  additional-tags  = {}
  ami-id           = data.aws_ami.this.id
@@ -46,7 +46,7 @@ module "eks-bastion" {
  instance-name    = "${var.environment}-eks-bastion-${random_pet.pet.id}"
  instance-type    = "t4g.micro"
  key-name         = aws_key_pair.kp.key_name
-  kms-key-id       = ""
+  kms-key-id       = module.KmsKeys.cmks.storage.arn
  root-volume-size = "8"
  # security-groups  = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
  security-groups  = [module.bastion-sg.id]
@@ -121,11 +121,12 @@ resource "aws_key_pair" "kp" {
 }

 module "bastion-sg" {
-  source = "../../modules/compute/security_group"
+  source = "../modules/compute/security_group"

  description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
  egress = {
-    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress"
+    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
+    r2 = "-1,-1,-1,::/0,Allow egress ipv6"
  }
  ingress = {
    r1 = "tcp,22,22,0.0.0.0/0,ssh"
@@ -133,14 +134,3 @@ module "bastion-sg" {
  name   = "eks-bastion-${random_pet.pet.id}-sg"
  vpc-id = module.vpc.vpc_id
 }
-
-# my security_group module does not support ipv6_cidr_blocks
-resource "aws_security_group_rule" "ipv6_egress" {
-  security_group_id = module.bastion-sg.id
-  type              = "egress"
-  from_port         = -1
-  to_port           = -1
-  protocol          = "all"
-  ipv6_cidr_blocks  = ["::/0"]
-  description       = "Allow ipv6 egress"
-}