From 71af65c3637e18c108d04eb74f851a019b751643 Mon Sep 17 00:00:00 2001
From: Simon Gottschlag
Date: Wed, 23 Feb 2022 11:12:59 +0100
Subject: [PATCH] aks/eks core: fix network policy bug (#570)

For cluster using var.kubernetes_network_policy_default_deny = false, these new network policies are causing issues (all traffic is blocked).
---
 CHANGELOG.md | 6 +++++-
 modules/kubernetes/aks-core/networkpolicy.tf | 4 ++--
 modules/kubernetes/eks-core/networkpolicy.tf | 4 ++--
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40b87d63c..76d0cc090 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## Unreleased
+### Fixed
+
+- [#570](https://github.com/XenitAB/terraform-modules/pull/570) Only add network policy for Datadog / Grafana-Agent if default deny is true
+
 ## 2022.02.4
 ### Added
@@ -49,7 +53,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
-- [#522](https://github.com/XenitAB/terraform-modules/pull/522) Add networkpolicy for datadog and grafana-agent to tenant namespace.
+- [#522](https://github.com/XenitAB/terraform-modules/pull/522) Add networkpolicy for datadog and grafana-agent to tenant namespace.
 ### Changed
diff --git a/modules/kubernetes/aks-core/networkpolicy.tf b/modules/kubernetes/aks-core/networkpolicy.tf
index a7233fbdd..55a04ccb8 100644
--- a/modules/kubernetes/aks-core/networkpolicy.tf
+++ b/modules/kubernetes/aks-core/networkpolicy.tf
@@ -2,7 +2,7 @@ resource "kubernetes_network_policy" "allow_egress_datadog" {
 for_each = {
 for ns in var.namespaces : ns.name => ns
- if var.datadog_enabled
+ if var.datadog_enabled && var.kubernetes_network_policy_default_deny
 }
 metadata {
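Review bot: The new `&& var.kubernetes_network_policy_default_deny` guard on the `for_each` filter fixes the symptom, but nothing in the resource records why an allow-only policy blocked all traffic in the first place, presumably because a NetworkPolicy that selects a pod isolates that pod for its listed policy types, so an "allow egress to Datadog" policy with no default-deny alongside it behaves as "deny all egress except Datadog". Add a comment above the filter such as `# Only create alongside the default-deny policy: selecting pods here isolates their egress, so on its own this policy would block all other traffic (#570).`. The identical condition is repeated in the grafana-agent hunk below and in both eks-core hunks, whose file carries the same blob hashes as the aks-core one, so a single `locals` entry holding the filtered namespace map would keep the four copies from drifting apart. The resource's pod selector and policy_types lie outside the hunk, so confirm there that it really selects every pod in the namespace before relying on this explanation.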
@@ -45,7 +45,7 @@ resource "kubernetes_network_policy" "allow_egress_ingress_grafana_agent" {
 for_each = {
 for ns in var.namespaces : ns.name => ns
- if var.grafana_agent_enabled
+ if var.grafana_agent_enabled && var.kubernetes_network_policy_default_deny
 }
 metadata {
diff --git a/modules/kubernetes/eks-core/networkpolicy.tf b/modules/kubernetes/eks-core/networkpolicy.tf
index a7233fbdd..55a04ccb8 100644
--- a/modules/kubernetes/eks-core/networkpolicy.tf
+++ b/modules/kubernetes/eks-core/networkpolicy.tf
@@ -2,7 +2,7 @@ resource "kubernetes_network_policy" "allow_egress_datadog" {
 for_each = {
 for ns in var.namespaces : ns.name => ns
- if var.datadog_enabled
+ if var.datadog_enabled && var.kubernetes_network_policy_default_deny
 }
 metadata {
@@ -45,7 +45,7 @@ resource "kubernetes_network_policy" "allow_egress_ingress_grafana_agent" {
 for_each = {
 for ns in var.namespaces : ns.name => ns
- if var.grafana_agent_enabled
+ if var.grafana_agent_enabled && var.kubernetes_network_policy_default_deny
 }
 metadata {