From 0079d6f10bfd3944b6b5de2671c3f6d5fabb20be Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 22 Apr 2025 12:24:05 -0400
Subject: [PATCH] restore security_groups.tf

---
 security_groups.tf | 119 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 security_groups.tf

diff --git a/security_groups.tf b/security_groups.tf
new file mode 100644
index 0000000..c37cec7
--- /dev/null
+++ b/security_groups.tf
@@ -0,0 +1,119 @@
+
+locals {
+ all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local.prefixes["eks-security-group"], var.cluster_name)
+ additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name)
+}
+
+resource "aws_security_group" "additional_eks_cluster_sg" {
+ name = local.additional_eks_cluster_sg_name
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ { "Name" = local.additional_eks_cluster_sg_name },
+ )
+
+ vpc_id = data.aws_vpc.eks_vpc.id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+
+ security_groups = [
+ aws_security_group.all_worker_mgmt.id,
+ ]
+ }
+
+ # in-VPC access to K8s API
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ lifecycle {
+ ignore_changes = [ingress, egress]
+ }
+}
+
+resource "aws_security_group" "all_worker_mgmt" {
+ name = local.all_worker_mgmt_name
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ { "Name" = local.all_worker_mgmt_name },
+ )
+
+ vpc_id = local.vpc_id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = [local.vpc_cidr_block]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ lifecycle {
+ ignore_changes = [ingress, egress]
+ }
+}
+
+resource "aws_security_group" "extra_cluster_sg" {
+ name = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name)
+ description = format("Security group for additional access for EKS cluster %v", var.cluster_name)
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ { "Name" = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) },
+ )
+
+ vpc_id = data.aws_vpc.eks_vpc.id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
+ }
+
+ # kubectl logs
+ ingress {
+ from_port = 10250
+ to_port = 10250
+ protocol = "tcp"
+ cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ lifecycle {
+ ignore_changes = [ingress, egress]
+ }
+}
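Review bot: `ignore_changes = [ingress, egress]` on all three groups (additional_eks_cluster_sg, all_worker_mgmt, extra_cluster_sg) means the rule sets written here are applied only at creation; a rule added or widened outside Terraform afterwards is neither shown in plan nor reverted, so this file stops being an authoritative record of what the groups allow and drift in the exposure of the API endpoint (443) and kubelet (10250) goes unnoticed. If the rules are deliberately handed off after creation, each lifecycle block should say so and name the owner, e.g. `# rules are managed outside Terraform after creation (by <owner>); do not reconcile`; otherwise drop the lifecycle blocks so drift is reconciled. Separately, protocol is spelled as the number `-1` in the ingress blocks and the string `"-1"` in the egress blocks, and all_worker_mgmt takes `vpc_id = local.vpc_id` while the other two use `data.aws_vpc.eks_vpc.id`; if those two values can ever differ, the security_groups reference from additional_eks_cluster_sg to all_worker_mgmt would span VPCs, so one source and one spelling throughout would make that impossible to get wrong. The two groups without a `description` also get the provider default "Managed by Terraform"; a short description per group and per rule, e.g. `description = "kubelet API from census private ranges"` on the 10250 ingress in place of the `# kubectl logs` comment, would document the intended exposure where it is read in the console.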