Skip to content

Fix eks terraform script#5146

Open
LordAbhishek wants to merge 5 commits intomainfrom
abhishek/fix-cloud-night-main
Open

Fix eks terraform script#5146
LordAbhishek wants to merge 5 commits intomainfrom
abhishek/fix-cloud-night-main

Conversation

@LordAbhishek
Copy link
Contributor

@LordAbhishek LordAbhishek commented Feb 26, 2026
edited
Loading

Existing Issue:
Currently eks workflows are failing at infrastructure provisioning in cloud nightly main tests.
Failing Workflow: https://github.com/hashicorp/consul-k8s-workflows/actions/runs/22421960130/job/64921986795

Run # # On eks, we're setting the github run id instead of build URL because label values
╷
│ Error: Unsupported argument
│ 
│   on .terraform/modules/vpc/main.tf line 1030, in resource "aws_eip" "nat":
│ 1030:   vpc = true
│ 
│ An argument named "vpc" is not expected here.
╵
Error: Process completed with exit code 1.

Fix eks terraform script

  • removed depricated versions, updated them with latest supported version.
  • added storage class for consul servers pvcs

Workflow with updated/fixed terraform script:
https://github.com/hashicorp/consul-k8s-workflows/actions/runs/22436582955/job/64968467657
(terraform apply step is successfully completed).

@LordAbhishek
Fix eks terraform script
1582fdf 
* removed depricated versions, updated them with latest supported version.
* added storage class for consul servers pvcs
@LordAbhishek
trigger cloud tests only on eks
52e4675
@LordAbhishek
removing changes from pr.yaml
b285053
@LordAbhishek LordAbhishek marked this pull request as ready for review February 26, 2026 10:15
@LordAbhishek LordAbhishek requested review from a team as code owners February 26, 2026 10:15
@LordAbhishek LordAbhishek added backport/1.7.x Backport to release/1.7.x branch backport/1.8.x Backport to release/1.8.x branch backport/1.9.x labels Feb 26, 2026
@LordAbhishek
Copy link
Contributor Author

LordAbhishek commented Feb 26, 2026
edited
Loading

Please let me know if this change needs changelog file.
I have added it by mistake and just want to confirm before removing it.

anandmukul93
anandmukul93 reviewed Mar 2, 2026
View reviewed changes
charts/consul/test/terraform/eks/main.tf Outdated
route_table_id = [module.vpc[0].public_route_table_ids[0], module.vpc[0].private_route_table_ids[0]][count.index]
# Add routes to all route tables in VPC 0 to route traffic to VPC 1 through the peering connection.
resource "aws_route" "peering_private_0" {
count = var.cluster_count > 1 ? length(module.vpc[0].private_route_table_ids) : 0
Copy link
Contributor

@anandmukul93 anandmukul93 Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Direct Private Subnet Communication - By adding private subnet peering routes, you're enabling a direct path between worker nodes across VPCs that wouldn't exist in production if you're only using public subnet access.

Consul Mesh Behavior Divergence - In production, if Consul is configured to work through public subnet endpoints (NAT gateways, load balancers), the mesh would:

Route through public subnets
Potentially use different network paths
Have different latency/failure characteristics
Testing Gap - Your test environment would validate:

✅ Direct private-to-private node communication
✅ Public subnet routes (also present)
❌ But NOT the actual production traffic pattern
What This Means:

  • Tests might pass because nodes can communicate via the "shortcut" private subnet route
  • But in production, if private peering isn't allowed, the same tests could fail
  • You're not validating the actual network path traffic will take

Copy link
Contributor Author

@LordAbhishek LordAbhishek Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed private subnet route.

anandmukul93
anandmukul93 reviewed Mar 2, 2026
View reviewed changes
charts/consul/test/terraform/eks/main.tf Outdated
# Each EKS cluster needs to allow ingress traffic from the other VPC.
resource "aws_security_group_rule" "allowingressfrom1-0" {
count = var.cluster_count > 1 ? 1 : 0
count = var.cluster_count > 1 ? length(module.vpc[1].private_subnets_cidr_blocks) : 0
Copy link
Contributor

@anandmukul93 anandmukul93 Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here see below comment on private subnet peering access. it doesnt simulate the general use case consul is built for in production.

Copy link
Contributor Author

@LordAbhishek LordAbhishek Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated it as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anandmukul93 anandmukul93 anandmukul93 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

backport/1.7.x Backport to release/1.7.x branch backport/1.8.x Backport to release/1.8.x branch backport/1.9.x

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@LordAbhishek @anandmukul93