SCT-Engineering · morga471 · Apr 22, 2025 · Mar 20, 2025 · Mar 21, 2025 · Mar 21, 2025
diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml
@@ -1,20 +1,20 @@
-name: Terraform CI/CD
+name: Terraform Module Release
 on:
   workflow_dispatch:
   pull_request:
     types: [closed]
     branches:
       - main
 jobs:
-  terraform-ci-cd:
-    runs-on: 229685449397
+  terraform-release:
+    runs-on: "229685449397"
     permissions:
       contents: write
 
     steps:
       - name: Checkout code
         uses: CSVD/gh-actions-checkout@v4
-        
+
       - name: Setup GITHUB Credentials
         id: github_credentials
         uses: CSVD/gh-auth@main
@@ -32,7 +32,7 @@ jobs:
 
           # Test GitHub CLI auth status
           gh auth status || echo "GitHub CLI authentication failed"
-        
+
       - name: Run Release Action
         uses: CSVD/releaser@main
         with:

diff --git a/README.md b/README.md
@@ -98,12 +98,14 @@ efs-csi-controller    0         5m
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.14 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.88.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.95.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.3 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
 ## Modules
@@ -125,6 +127,7 @@ efs-csi-controller    0         5m
 | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf
@@ -0,0 +1,21 @@
+locals {
+  node_security_group_additional_rules = {
+    ingress_nodes_ephemeral = {
+      description = "Node to node ingress on ephemeral ports"
+      from_port   = 80
+      protocol    = "tcp"
+      self        = true
+      to_port     = 65535
+      type        = "ingress"
+    }
+    # ALB controller, NGINX
+    ingress_cluster_9443_webhook = {
+      description                   = "Cluster API to node 9443/tcp webhook"
+      from_port                     = 9443
+      protocol                      = "tcp"
+      source_cluster_security_group = true
+      to_port                       = 9443
+      type                          = "ingress"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -135,6 +135,9 @@ resource "aws_ec2_tag" "container_subnets" {
   }
 }
 
+# NOTE: Because the source SG of this rule is the primary SG of the cluster,
+#   we cannot add it to "node_security_group_additional_rules" map, which is
+#   referenced by cluster module. It will create circular dependency.
 resource "aws_security_group_rule" "allow_sidecar_injection" {
   description = "Webhook container port, from Control Plane"
   protocol    = "tcp"

diff --git a/requirements.tf b/requirements.tf
@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.14"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2"
+    }
   }
 }
diff --git a/security_groups.tf b/security_groups.tf
@@ -44,7 +44,6 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
   }
 }
 
-
 resource "aws_security_group" "all_worker_mgmt" {
   name = local.all_worker_mgmt_name
 

diff --git a/sg_ports.tf b/sg_ports.tf
diff --git a/version.tf b/version.tf
@@ -1,4 +1,16 @@
+resource "null_resource" "git_version" {
+  triggers = {
+    # Force this to run on every apply to get the latest tag value
+    always_run = timestamp()
+  }
+
+  provisioner "local-exec" {
+    command    = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag"
+    on_failure = continue
+  }
+}
+
 locals {
   module_name    = "tfmod-eks"
-  module_version = "0.1.1"
+  module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest"
 }