Rename sg_ports.tf and clean up duplicate rules

additional_sg_rules.tf

@@ -0,0 +1,21 @@
+locals {
+  node_security_group_additional_rules = {
+    ingress_nodes_ephemeral = {
+      description = "Node to node ingress on ephemeral ports"
+      from_port   = 80
+      protocol    = "tcp"
+      self        = true
+      to_port     = 65535
+      type        = "ingress"
+    }
+    # ALB controller, NGINX
+    ingress_cluster_9443_webhook = {
+      description                   = "Cluster API to node 9443/tcp webhook"
+      from_port                     = 9443
+      protocol                      = "tcp"
+      source_cluster_security_group = true
+      to_port                       = 9443
+      type                          = "ingress"
+    }
+  }
+}

main.tf

@@ -135,6 +135,9 @@ resource "aws_ec2_tag" "container_subnets" {
   }
 }
 
+# NOTE: Because the source SG of this rule is the primary SG of the cluster,
+#   we cannot add it to "node_security_group_additional_rules" map, which is
+#   referenced by cluster module. It will create circular dependency.
 resource "aws_security_group_rule" "allow_sidecar_injection" {
   description = "Webhook container port, from Control Plane"
   protocol    = "tcp"