add sg for endpoint

dominodatalab · Feb 14, 2025 · 249e069 · 249e069
1 parent cc5a0b1
commit 249e069
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/modules/eks/node-group.tf b/modules/eks/node-group.tf
@@ -95,3 +95,14 @@ resource "aws_security_group_rule" "ecr_endpoint" {
   description              = "ECR Endpoint access from EKS nodes."
   source_security_group_id = aws_security_group.eks_nodes.id
 }
+
+resource "aws_security_group_rule" "s3_endpoint" {
+  count                    = var.network_info.s3_endpoint != null ? 1 : 0
+  security_group_id        = var.network_info.s3_endpoint.security_group_id
+  protocol                 = "tcp"
+  from_port                = 443
+  to_port                  = 443
+  type                     = "ingress"
+  description              = "S3 Endpoint access from EKS nodes."
+  source_security_group_id = aws_security_group.eks_nodes.id
+}
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
@@ -24,6 +24,9 @@ variable "network_info" {
     ecr_endpoint = {
       security_group_id = ECR Endpoint security group id.
     }
+    s3_endpoint = {
+      security_group_id = S3 Endpoint security group id.
+    }
     subnets = {
       public = List of public Subnets.
       [{
@@ -53,6 +56,9 @@ variable "network_info" {
     ecr_endpoint = optional(object({
       security_group_id = optional(string, null)
     }), null)
+    s3_endpoint = optional(object({
+      security_group_id = optional(string, null)
+    }), null)
     subnets = object({
       public = list(object({
         name      = string

diff --git a/modules/infra/submodules/network/outputs.tf b/modules/infra/submodules/network/outputs.tf
@@ -20,5 +20,8 @@ output "info" {
     ecr_endpoint = local.create_ecr_endpoint ? {
       security_group_id = aws_security_group.ecr_endpoint[0].id
     } : null
+    s3_endpoint = local.create_vpc ? {
+      security_group_id = aws_security_group.s3_endpoint[0].id
+    } : null
   }
 }
diff --git a/modules/infra/submodules/network/vpc.tf b/modules/infra/submodules/network/vpc.tf
@@ -49,6 +49,20 @@ resource "aws_vpc_endpoint" "s3" {
   }
 }
 
+resource "aws_security_group" "s3_endpoint" {
+  count       = local.create_vpc ? 1 : 0
+  name        = "${var.deploy_id}-s3-endpoint"
+  description = "S3 Endpoint security group"
+  vpc_id      = aws_vpc.this[0].id
+
+  lifecycle {
+    create_before_destroy = true
+  }
+  tags = {
+    "Name" = "${var.deploy_id}-s3-endpoint"
+  }
+}
+
 resource "aws_vpc_endpoint" "s3_interface" {
   count               = local.create_vpc ? 1 : 0
   vpc_id              = aws_vpc.this[0].id
@@ -57,6 +71,10 @@ resource "aws_vpc_endpoint" "s3_interface" {
   private_dns_enabled = true
   subnet_ids          = [for s in aws_subnet.pod : s.id]
 
+  security_group_ids = [
+    aws_security_group.s3_endpoint[0].id,
+  ]
+
   tags = {
     "Name" = "${var.deploy_id}-s3"
   }