terraform-provider-tencentcloud
Create cluster internet endpoint error, message is `the format of SecurityGroupId is not valid`
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Version 1.76.0
Affected Resource(s)
- tencentcloud_kubernetes_cluster
Panic Output
Error: cls-2vx8jk28 create cluster internet endpoint error ,status is CreateFailed,message is bind security group: unexcepted internal error occured(do ModifyLoadBalancerAttributes: [TencentCloudSDKError] Code=InvalidParameter.FormatError, Message=The format of SecurityGroupId '' is not valid., RequestId=81870675-05be-4e8a-a428-e7fb015ef698)
Cause
This issue occurred because of the upgrade of TencentCloud Kubernetes Cluster (TKE). In order to meet the platform's security compliance requirements, the public/private network access configuration of the resource tencentcloud_kubernetes_cluster has the following restrictions:
- A security group must be specified for the cluster network access policy when enabling public network access.
- To enable public/private network access, the cluster must have at least one running worker.
- Due to security requirements, the default public access domain resolution is no longer available. Replace it with an IP or a self-resolved domain if necessary (work in progress).
- Specifying a custom domain will be supported when enabling network access (work in progress).
Version
Please upgrade the provider to version >= 1.76.1
$ terraform init -upgrade
Example
- Specify cluster_internet_security_group when enabling public network access.
  data "tencentcloud_security_groups" "internal" {
    name = "default"
  }
  resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
    // ...
    cluster_internet                = true
    cluster_internet_security_group = data.tencentcloud_security_groups.internal.security_groups.0.security_group_id
  }
- Specify a non-empty cluster (at least one worker) before enabling public/private network access.
  resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
    cluster_internet = true
    cluster_intranet = true
    // ...
    worker {}
  }
  or use the endpoint resource to attach the cluster and worker-based resources:
  data "tencentcloud_security_groups" "internal" {
    name = "default"
  }
  resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
    // ...
  }
  resource "tencentcloud_kubernetes_node_pool" "pool1" {
    cluster_id = tencentcloud_kubernetes_cluster.managed_cluster.id
    // ...
  }
  resource "tencentcloud_kubernetes_cluster_endpoint" "foo" {
    cluster_id                      = tencentcloud_kubernetes_cluster.managed_cluster.id
    cluster_internet                = true
    cluster_internet_security_group = data.tencentcloud_security_groups.internal.security_groups.0.security_group_id
    cluster_intranet                = true
    // ...
    depends_on = [
      tencentcloud_kubernetes_node_pool.pool1
    ]
  }
If you have any other questions or advice, please leave a comment here.
Now the access policy of the cluster is controlled by the security group, so you need to allow access to the cluster by setting the rules of the security group. A reference is as follows.
resource "tencentcloud_security_group" "sg" {
  description = "security group for eks cluster cls-0yx5nabi"
  name        = "cm-eks-cls-0yx5nabi-security-group"
  project_id  = 0
  tags        = {}
}
resource "tencentcloud_security_group_lite_rule" "rule" {
  ingress = [
    "ACCEPT#0.0.0.0/0#443#TCP", // open all incoming traffic on port 443
  ]
  security_group_id = tencentcloud_security_group.sg.id
}
resource "tencentcloud_kubernetes_cluster" "managed_cluster" {
  // ...
  cluster_internet                = true
  cluster_internet_security_group = tencentcloud_security_group.sg.id
}
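A pre-apply check for the two points in this thread (public access enabled with an empty cluster_internet_security_group, which is what produces the `SecurityGroupId ''` error, and a lite rule that accepts from 0.0.0.0/0). This is an added example, not part of the provider; it assumes the `resource_changes[].change.after` / `after_unknown` layout that `terraform show -json <planfile>` emits, and the sample plan below is constructed.

```python
import json
import sys
from typing import Any

# Resources whose cluster_internet/cluster_internet_security_group pair we validate.
CLUSTER_TYPES = {"tencentcloud_kubernetes_cluster", "tencentcloud_kubernetes_cluster_endpoint"}


def _after(change: dict[str, Any], key: str) -> tuple[Any, bool]:
    """Return (planned value, is_unknown) for one attribute of a resource change.
    Values such as tencentcloud_security_group.sg.id are 'known after apply' and
    show up in after_unknown rather than after, so they must not be flagged as empty."""
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    return after.get(key), bool(unknown.get(key))


def check_plan(plan: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the plan passed."""
    findings: list[str] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # a resource being destroyed cannot expose anything
        addr, rtype = rc.get("address", "?"), rc.get("type")
        if rtype in CLUSTER_TYPES:
            internet, _ = _after(change, "cluster_internet")
            sg, sg_unknown = _after(change, "cluster_internet_security_group")
            if internet and not sg_unknown and not sg:
                findings.append(f"{addr}: cluster_internet=true without cluster_internet_security_group")
        elif rtype == "tencentcloud_security_group_lite_rule":
            rules, _ = _after(change, "ingress")
            for rule in rules or []:  # lite rule format: ACTION#CIDR#PORT#PROTOCOL
                parts = rule.split("#")
                if len(parts) == 4 and parts[0].upper() == "ACCEPT" and parts[1] == "0.0.0.0/0":
                    findings.append(f"{addr}: ingress accepts from 0.0.0.0/0 on {parts[2]}/{parts[3]}")
    return findings


# Constructed sample plan: one cluster with an empty security group, one whose security
# group id is known only after apply, and one lite rule mixing a world-open and a private CIDR.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "tencentcloud_kubernetes_cluster.bad", "type": "tencentcloud_kubernetes_cluster",
     "change": {"actions": ["create"], "after": {"cluster_internet": True, "cluster_internet_security_group": ""},
                "after_unknown": {"id": True}}},
    {"address": "tencentcloud_kubernetes_cluster.ok", "type": "tencentcloud_kubernetes_cluster",
     "change": {"actions": ["create"], "after": {"cluster_internet": True},
                "after_unknown": {"id": True, "cluster_internet_security_group": True}}},
    {"address": "tencentcloud_security_group_lite_rule.rule", "type": "tencentcloud_security_group_lite_rule",
     "change": {"actions": ["create"], "after": {"ingress": ["ACCEPT#0.0.0.0/0#443#TCP", "ACCEPT#10.0.0.0/8#443#TCP"]},
                "after_unknown": {"id": True}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print("\n".join(check_plan(plan)) or "no findings")
```

Run it against `terraform show -json tfplan > plan.json` output to catch the empty security group before the API rejects it, and to review any rule that opens the endpoint to the whole internet.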