From a24c67c5b9e6d76a975c95766e6a51c2335c5e75 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Fri, 30 Aug 2019 11:14:17 -0700
Subject: [PATCH] upi/aws/cloudformation/01_vpc: Drop PublicNetworkAcl
We've had this since the templates landed in 39a926a918 (Adding initial user doc/guide & materials for UPI AWS installation, 2019-03-12, #1408). But our Terraform modules contain no analog using aws_network_acl [1] and their presence in the UPI templates is breaking the ping-based network connectivity test [2]. [1]: https://www.terraform.io/docs/providers/aws/r/network_acl.html [2]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/canary-openshift-ocp-installer-e2e-aws-upi-4.2/28#0:build-log.txt%3A10235
---
 upi/aws/cloudformation/01_vpc.yaml | 81 ------------------------------
 1 file changed, 81 deletions(-)
diff --git a/upi/aws/cloudformation/01_vpc.yaml b/upi/aws/cloudformation/01_vpc.yaml
index 57428465600..de55a49b2fc 100644
--- a/upi/aws/cloudformation/01_vpc.yaml
+++ b/upi/aws/cloudformation/01_vpc.yaml
@@ -115,87 +115,6 @@ Resources:
 Properties:
 SubnetId: !Ref PublicSubnet3
 RouteTableId: !Ref PublicRouteTable
- PublicNetworkAcl:
- Type: "AWS::EC2::NetworkAcl"
- Properties:
- VpcId: !Ref VPC
- InboundHTTPPublicNetworkAclEntry:
- Type: "AWS::EC2::NetworkAclEntry"
- Properties:
- NetworkAclId: !Ref PublicNetworkAcl
- RuleNumber: "100"
- Protocol: "6"
- RuleAction: allow
- Egress: "false"
- CidrBlock: 0.0.0.0/0
- PortRange:
- From: "80"
- To: "80"
- InboundHTTPSPublicNetworkAclEntry:
- Type: "AWS::EC2::NetworkAclEntry"
- Properties:
- NetworkAclId: !Ref PublicNetworkAcl
- RuleNumber: "101"
- Protocol: "6"
- RuleAction: allow
- Egress: "false"
- CidrBlock: 0.0.0.0/0
- PortRange:
- From: "443"
- To: "443"
- InboundSSHPublicNetworkAclEntry:
- Type: "AWS::EC2::NetworkAclEntry"
- Properties:
- NetworkAclId: !Ref PublicNetworkAcl
- RuleNumber: "102"
- Protocol: "6"
- RuleAction: allow
- Egress: "false"
- CidrBlock: 0.0.0.0/0
- PortRange:
From: "22"
- To: "22"
- InboundEphemeralPublicNetworkAclEntry:
- Type: "AWS::EC2::NetworkAclEntry"
- Properties:
- NetworkAclId: !Ref PublicNetworkAcl
- RuleNumber: "103"
- Protocol: "6"
- RuleAction: allow
- Egress: "false"
- CidrBlock: 0.0.0.0/0
- PortRange:
- From: "1024"
- To: "65535"
- OutboundPublicNetworkAclEntry:
- Type: "AWS::EC2::NetworkAclEntry"
- Properties:
- NetworkAclId: !Ref PublicNetworkAcl
- RuleNumber: "100"
- Protocol: "6"
- RuleAction: allow
- Egress: "true"
- CidrBlock: 0.0.0.0/0
- PortRange:
- From: "0"
- To: "65535"
- PublicSubnetNetworkAclAssociation:
- Type: "AWS::EC2::SubnetNetworkAclAssociation"
- Properties:
- SubnetId: !Ref PublicSubnet
- NetworkAclId: !Ref PublicNetworkAcl
- PublicSubnetNetworkAclAssociation2:
- Type: "AWS::EC2::SubnetNetworkAclAssociation"
- Condition: DoAz2
- Properties:
- SubnetId: !Ref PublicSubnet2
- NetworkAclId: !Ref PublicNetworkAcl
- PublicSubnetNetworkAclAssociation3:
- Type: "AWS::EC2::SubnetNetworkAclAssociation"
- Condition: DoAz3
- Properties:
- SubnetId: !Ref PublicSubnet3
- NetworkAclId: !Ref PublicNetworkAcl
 PrivateSubnet:
 Type: "AWS::EC2::Subnet"
 Properties: