Rename sg_ports.tf and clean up duplicate rules (#42)

- Rename sg_ports.tf to additional_sg_rules.tf - Clean up duplicate rules - Add a comment --------- Co-authored-by: Matthew Creal Morgan <matthew.c.morgan@census.gov>
SCT-Engineering · Apr 18, 2025 · 159a98a · 159a98a
1 parent d835a31
commit 159a98a
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 57 deletions.
diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf
@@ -0,0 +1,21 @@
+locals {
+  node_security_group_additional_rules = {
+    ingress_nodes_ephemeral = {
+      description = "Node to node ingress on ephemeral ports"
+      from_port   = 80
+      protocol    = "tcp"
+      self        = true
+      to_port     = 65535
+      type        = "ingress"
+    }
+    # ALB controller, NGINX
+    ingress_cluster_9443_webhook = {
+      description                   = "Cluster API to node 9443/tcp webhook"
+      from_port                     = 9443
+      protocol                      = "tcp"
+      source_cluster_security_group = true
+      to_port                       = 9443
+      type                          = "ingress"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -135,6 +135,9 @@ resource "aws_ec2_tag" "container_subnets" {
   }
 }
 
+# NOTE: Because the source SG of this rule is the primary SG of the cluster,
+#   we cannot add it to "node_security_group_additional_rules" map, which is
+#   referenced by cluster module. It will create circular dependency.
 resource "aws_security_group_rule" "allow_sidecar_injection" {
   description = "Webhook container port, from Control Plane"
   protocol    = "tcp"

diff --git a/sg_ports.tf b/sg_ports.tf