chore: updates from testing, working as intended

bryantbiggs · bryantbiggs · commit b20c1a07c03d · 2022-01-14T12:24:46.000-05:00
diff --git a/modules/eks-managed-node-group/README.md b/modules/eks-managed-node-group/README.md
@@ -74,6 +74,7 @@ module "eks_managed_node_group" {
 | [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
diff --git a/modules/eks-managed-node-group/main.tf b/modules/eks-managed-node-group/main.tf
@@ -1,5 +1,7 @@
 data "aws_partition" "current" {}
 
+data "aws_caller_identity" "current" {}
+
 ################################################################################
 # User Data
 ################################################################################
@@ -393,7 +395,7 @@ locals {
 
   iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
 
-  cni_policy = var.cluster_ip_family == "ipv6" ? "${local.iam_role_policy_prefix}/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+  cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
diff --git a/modules/fargate-profile/README.md b/modules/fargate-profile/README.md
@@ -48,6 +48,7 @@ No modules.
 | [aws_eks_fargate_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_fargate_profile) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
diff --git a/modules/fargate-profile/main.tf b/modules/fargate-profile/main.tf
@@ -1,11 +1,13 @@
 data "aws_partition" "current" {}
 
+data "aws_caller_identity" "current" {}
+
 locals {
   iam_role_name = coalesce(var.iam_role_name, var.name, "fargate-profile")
 
   iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
 
-  cni_policy = var.cluster_ip_family == "ipv6" ? "${local.iam_role_policy_prefix}/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+  cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
 }
 
 ################################################################################
diff --git a/modules/self-managed-node-group/README.md b/modules/self-managed-node-group/README.md
@@ -68,6 +68,7 @@ module "self_managed_node_group" {
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_ami.eks_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
diff --git a/modules/self-managed-node-group/main.tf b/modules/self-managed-node-group/main.tf
@@ -1,5 +1,7 @@
 data "aws_partition" "current" {}
 
+data "aws_caller_identity" "current" {}
+
 data "aws_ami" "eks_default" {
   count = var.create ? 1 : 0
 
@@ -495,7 +497,7 @@ locals {
 
   iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
 
-  cni_policy = var.cluster_ip_family == "ipv6" ? "${local.iam_role_policy_prefix}/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+  cni_policy = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
 }
 
 data "aws_iam_policy_document" "assume_role_policy" {
diff --git a/node_groups.tf b/node_groups.tf
@@ -116,53 +116,32 @@ locals {
       self        = true
     }
     egress_https = {
-      description = "Egress all HTTPS to internet"
-      protocol    = "tcp"
-      from_port   = 443
-      to_port     = 443
-      type        = "egress"
-      cidr_blocks = ["0.0.0.0/0", ]
-    }
-    egress_https_ipv6 = { for k, v in {
       description      = "Egress all HTTPS to internet"
       protocol         = "tcp"
       from_port        = 443
       to_port          = 443
       type             = "egress"
-      ipv6_cidr_blocks = ["::/0"]
-    } : k => v if var.cluster_ip_family == "ipv6" }
-    egress_ntp_tcp = {
-      description = "Egress NTP/TCP to internet"
-      protocol    = "tcp"
-      from_port   = 123
-      to_port     = 123
-      type        = "egress"
-      cidr_blocks = ["0.0.0.0/0"]
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
     }
-    egress_ntp_tcp_ipv6 = { for k, v in {
+    egress_ntp_tcp = {
       description      = "Egress NTP/TCP to internet"
       protocol         = "tcp"
       from_port        = 123
       to_port          = 123
       type             = "egress"
-      ipv6_cidr_blocks = ["::/0"]
-    } : k => v if var.cluster_ip_family == "ipv6" }
-    egress_ntp_udp = {
-      description = "Egress NTP/UDP to internet"
-      protocol    = "udp"
-      from_port   = 123
-      to_port     = 123
-      type        = "egress"
-      cidr_blocks = ["0.0.0.0/0"]
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
     }
-    egress_ntp_udp_ipv6 = { for k, v in {
+    egress_ntp_udp = {
       description      = "Egress NTP/UDP to internet"
       protocol         = "udp"
       from_port        = 123
       to_port          = 123
       type             = "egress"
-      ipv6_cidr_blocks = ["::/0"]
-    } : k => v if var.cluster_ip_family == "ipv6" }
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
+    }
   }
 }
 
