security-groups.tf
# Naming/tagging label for the master-node security group. It inherits the
# shared context (namespace, stage, tags, ...) from module.label so the group
# is named and tagged consistently with the rest of the cluster.
module "masters_sg_label" {
  # NOTE(review): a git tag is a mutable ref; pinning to the commit SHA behind
  # tags/0.16.0 would make this module source immutable. Left as-is here.
  source  = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0"
  name    = "masters"
  context = module.label.context
}
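# Security group attached to the cluster master nodes.
#
# All rules for this group are managed through standalone
# aws_security_group_rule resources (masters_ingress elsewhere in this file,
# masters_egress below). The AWS provider does not support mixing in-line
# ingress/egress blocks with standalone rule resources on the same group: the
# two fight over the rule set and overwrite each other on apply, which is why
# the former in-line egress block was moved out into its own resource.
resource "aws_security_group" "masters" {
  name        = "masters.${local.cluster_dns}"
  description = "Controls traffic to the master nodes of cluster ${local.cluster_name}"
  vpc_id      = local.vpc_id
  tags        = module.masters_sg_label.tags
}

# Outbound rule for the masters: all protocols, all ports, any IPv4
# destination. This reproduces the previous in-line egress block exactly; it
# has to be declared explicitly because the provider revokes AWS's default
# allow-all egress rule when it creates a group that declares no in-line rules.
# NOTE(review): unrestricted egress is broad; narrowing it to the destinations
# the control plane actually needs would reduce exfiltration/pivot paths, but
# that requires knowledge of the cluster's traffic which this file does not
# carry.
resource "aws_security_group_rule" "masters_egress" {
  security_group_id = aws_security_group.masters.id
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allows all outbound traffic from the master nodes"
}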
# Inbound rule on the masters group: 443/tcp from the public API load
# balancer's security group only.
#
# Guarded by the same count expression as
# aws_security_group.public_loadbalancer, so the two exist or vanish together.
# join() over the splat collapses that resource's 0-or-1 element id list into
# a single string (empty when the balancer is not created, but then this rule
# is not created either).
resource "aws_security_group_rule" "masters_ingress" {
  count = var.create_public_api_record ? 1 : 0

  type                     = "ingress"
  security_group_id        = aws_security_group.masters.id
  source_security_group_id = join("", aws_security_group.public_loadbalancer.*.id)
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  description              = "Allows access from a public API Load Balancer security group"
}
# Security group for the public API load balancer. Only created when a public
# API record is requested (var.create_public_api_record).
#
# Rules are declared in-line on this group. Do not add standalone
# aws_security_group_rule resources targeting it: the AWS provider does not
# support combining in-line and standalone rules on one group.
resource "aws_security_group" "public_loadbalancer" {
  count = var.create_public_api_record ? 1 : 0

  name        = "public-api-elb.${local.cluster_dns}"
  description = "Allows public HTTPS inbound traffic to API Server"
  vpc_id      = local.vpc_id
  tags        = module.api_loadbalancer_label.tags

  # Inbound HTTPS from any IPv4 address -- the intended exposure for a public
  # API endpoint. NOTE(review): if the set of operator/CI source ranges is
  # known, narrowing this list is the most effective hardening available here.
  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound is limited to HTTPS; the balancer only needs to reach the API
  # server (see the 443/tcp ingress rule on the masters group).
  egress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  # When a change forces replacement, build the new group before the old one
  # is destroyed.
  lifecycle {
    create_before_destroy = true
  }
}