
Commit e04d4a8

Merge pull request #8 from redpanda-data/sarah/cleanup_security_groups
Refactor aws_security_group_rule resources
2 parents 3425d90 + a96f6e1 commit e04d4a8

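--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,6 @@
+// -----------------------------
+// Redpanda Agent security group
+// -----------------------------
 resource "aws_security_group" "redpanda_agent" {
 name_prefix = "${var.common_prefix}agent-"
 description = "Redpanda agent VM"
@@ -15,6 +18,9 @@ resource "aws_security_group" "redpanda_agent" {
 }
 }
 
+// -----------------------------
+// Connectors security group
+// -----------------------------
 resource "aws_security_group" "connectors" {
 name_prefix = "${var.common_prefix}connect-"
 description = "Redpanda connectors nodes"
@@ -34,6 +40,9 @@ resource "aws_security_group_rule" "connectors" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
+// -----------------------------
+// Utility security group
+// -----------------------------
 resource "aws_security_group" "utility" {
 name_prefix = "${var.common_prefix}util-"
 description = "Redpanda utility nodes"
@@ -53,6 +62,9 @@ resource "aws_security_group_rule" "utility" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 
+// ----------------------------------
+// Redpanda Node Group security group
+// ----------------------------------
 resource "aws_security_group" "redpanda_node_group" {
 name_prefix = "${var.common_prefix}rp-"
 description = "Redpanda cluster nodes"
@@ -92,44 +104,9 @@ resource "aws_security_group_rule" "redpanda_node_group" {
 cidr_blocks = local.rp_node_group_cidr_blocks
 }
 
-locals {
-cluster_security_group_rules = {
-ingress_nodes_443 = {
-description = "Node groups to cluster API"
-protocol = "tcp"
-from_port = 443
-to_port = 443
-type = "ingress"
-source_node_security_group = true
-}
-ingress_nodes_from_agent_443 = {
-description = "Agent to cluster API"
-protocol = "tcp"
-from_port = 443
-to_port = 443
-type = "ingress"
-cidr_blocks = [aws_vpc.redpanda.cidr_block]
-}
-egress_nodes_443 = {
-description = "Cluster API to node groups"
-protocol = "tcp"
-from_port = 443
-to_port = 443
-type = "egress"
-source_node_security_group = true
-}
-egress_nodes_kubelet = {
-description = "Cluster API to node kubelets"
-protocol = "tcp"
-from_port = 10250
-to_port = 10250
-type = "egress"
-source_node_security_group = true
-}
-}
-
-node_security_group_id = aws_security_group.node.id
-}
+// -----------------------------
+// Cluster security group
+// -----------------------------
 resource "aws_security_group" "cluster" {
 name_prefix = "${var.common_prefix}cluster-"
 description = "EKS cluster security group"
@@ -139,111 +116,49 @@ resource "aws_security_group" "cluster" {
 }
 }
 
-resource "aws_security_group_rule" "cluster" {
-for_each = { for k, v in local.cluster_security_group_rules : k => v }
+resource "aws_security_group_rule" "cluster_node_groups_to_cluster_api" {
+description = "Node groups to cluster API"
+security_group_id = aws_security_group.cluster.id
+protocol = "tcp"
+from_port = 443
+to_port = 443
+type = "ingress"
+source_security_group_id = aws_security_group.node.id
+}
 
+resource "aws_security_group_rule" "cluster_agent_to_cluster_api" {
+description = "Agent to cluster API"
 security_group_id = aws_security_group.cluster.id
-protocol = each.value.protocol
-from_port = each.value.from_port
-to_port = each.value.to_port
-type = each.value.type
-description = try(each.value.description, null)
-cidr_blocks = try(each.value.cidr_blocks, null)
-ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
-prefix_list_ids = try(each.value.prefix_list_ids, [])
-self = try(each.value.self, null)
-source_security_group_id = try(
-each.value.source_security_group_id,
-try(each.value.source_node_security_group, false) ? local.node_security_group_id : null
-)
+protocol = "tcp"
+from_port = 443
+to_port = 443
+type = "ingress"
+cidr_blocks = [aws_vpc.redpanda.cidr_block]
 }
 
-locals {
-node_security_group_rules = {
-egress_cluster_443 = {
-description = "Node groups to cluster API"
-protocol = "tcp"
-from_port = 443
-to_port = 443
-type = "egress"
-source_cluster_security_group = true
-}
-ingress_cluster_443 = {
-description = "Cluster API to node groups"
-protocol = "tcp"
-from_port = 443
-to_port = 443
-type = "ingress"
-source_cluster_security_group = true
-}
-ingress_cluster_kubelet = {
-description = "Cluster API to node kubelets"
-protocol = "tcp"
-from_port = 10250
-to_port = 10250
-type = "ingress"
-source_cluster_security_group = true
-}
-ingress_self_coredns_tcp = {
-description = "Node to node CoreDNS"
-protocol = "tcp"
-from_port = 53
-to_port = 53
-type = "ingress"
-self = true
-}
-egress_self_coredns_tcp = {
-description = "Node to node CoreDNS"
-protocol = "tcp"
-from_port = 53
-to_port = 53
-type = "egress"
-self = true
-}
-ingress_self_coredns_udp = {
-description = "Node to node CoreDNS"
-protocol = "udp"
-from_port = 53
-to_port = 53
-type = "ingress"
-self = true
-}
-egress_self_coredns_udp = {
-description = "Node to node CoreDNS"
-protocol = "udp"
-from_port = 53
-to_port = 53
-type = "egress"
-self = true
-}
-egress_https = {
-description = "Egress all HTTPS to internet"
-protocol = "tcp"
-from_port = 443
-to_port = 443
-type = "egress"
-cidr_blocks = ["0.0.0.0/0"]
-}
-egress_ntp_tcp = {
-description = "Egress NTP/TCP to internet"
-protocol = "tcp"
-from_port = 123
-to_port = 123
-type = "egress"
-cidr_blocks = ["0.0.0.0/0"]
-}
-egress_ntp_udp = {
-description = "Egress NTP/UDP to internet"
-protocol = "udp"
-from_port = 123
-to_port = 123
-type = "egress"
-cidr_blocks = ["0.0.0.0/0"]
-}
-}
+resource "aws_security_group_rule" "cluster_api_to_node_group" {
+description = "Cluster API to node groups"
+security_group_id = aws_security_group.cluster.id
+protocol = "tcp"
+from_port = 443
+to_port = 443
+type = "egress"
+source_security_group_id = aws_security_group.node.id
+}
 
-cluster_security_group_id = aws_security_group.cluster.id
+resource "aws_security_group_rule" "cluster_egress_nodes_kubelet" {
+description = "Cluster API to node kubelets"
+security_group_id = aws_security_group.cluster.id
+protocol = "tcp"
+from_port = 10250
+to_port = 10250
+type = "egress"
+source_security_group_id = aws_security_group.node.id
 }
+
+// -----------------------------
+// Node security group
+// -----------------------------
 resource "aws_security_group" "node" {
 name_prefix = "${var.common_prefix}node-"
 description = "EKS node shared security group"
@@ -253,24 +168,102 @@ resource "aws_security_group" "node" {
 }
 }
 
-resource "aws_security_group_rule" "node" {
-for_each = { for k, v in local.node_security_group_rules : k => v }
+resource "aws_security_group_rule" "node_groups_to_cluster_api" {
+description = "Node groups to cluster API"
+security_group_id = aws_security_group.node.id
+protocol = "tcp"
+from_port = "443"
+to_port = "443"
+type = "egress"
+source_security_group_id = aws_security_group.cluster.id
+}
+
+resource "aws_security_group_rule" "cluster_api_to_node_groups" {
+description = "Cluster API to node groups"
+security_group_id = aws_security_group.node.id
+protocol = "tcp"
+from_port = "443"
+to_port = "443"
+type = "ingress"
+source_security_group_id = aws_security_group.cluster.id
+}
+
+resource "aws_security_group_rule" "cluster_api_to_node_kubelets" {
+description = "Cluster API to node kubelets"
+security_group_id = aws_security_group.node.id
+protocol = "tcp"
+from_port = "10250"
+to_port = "10250"
+type = "ingress"
+source_security_group_id = aws_security_group.cluster.id
+}
+
+resource "aws_security_group_rule" "node_to_node_coredns" {
+description = "Node to node CoreDNS"
+security_group_id = aws_security_group.node.id
+protocol = "tcp"
+from_port = "53"
+to_port = "53"
+type = "ingress"
+self = true
+}
 
-# Required
+resource "aws_security_group_rule" "node_to_node_coredns_egress" {
+description = "Node to node CoreDNS"
 security_group_id = aws_security_group.node.id
-protocol = each.value.protocol
-from_port = each.value.from_port
-to_port = each.value.to_port
-type = each.value.type
+protocol = "tcp"
+from_port = "53"
+to_port = "53"
+type = "egress"
+self = true
+}
 
-# Optional
-description = try(each.value.description, null)
-cidr_blocks = try(each.value.cidr_blocks, null)
-ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
-prefix_list_ids = try(each.value.prefix_list_ids, [])
-self = try(each.value.self, null)
-source_security_group_id = try(
-each.value.source_security_group_id,
-try(each.value.source_cluster_security_group, false) ? local.cluster_security_group_id : null
-)
+resource "aws_security_group_rule" "node_to_node_coredns_udp" {
+description = "Node to node CoreDNS"
+security_group_id = aws_security_group.node.id
+protocol = "udp"
+from_port = "53"
+to_port = "53"
+type = "ingress"
+self = true
+}
+
+resource "aws_security_group_rule" "node_to_node_coredns_udp_egress" {
+description = "Node to node CoreDNS"
+security_group_id = aws_security_group.node.id
+protocol = "udp"
+from_port = "53"
+to_port = "53"
+type = "egress"
+self = true
+}
+
+resource "aws_security_group_rule" "egress_all_https_to_internet" {
+description = "Egress all HTTPS to internet"
+security_group_id = aws_security_group.node.id
+protocol = "tcp"
+from_port = "443"
+to_port = "443"
+type = "egress"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "egress_ntp_tcp_to_internet" {
+description = "Egress NTP/TCP to internet"
+security_group_id = aws_security_group.node.id
+protocol = "tcp"
+from_port = "123"
+to_port = "123"
+type = "egress"
+cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "egress_ntp_udp_to_internet" {
+description = "Egress NTP/UDP to internet"
+security_group_id = aws_security_group.node.id
+protocol = "udp"
+from_port = "123"
+to_port = "123"
+type = "egress"
+cidr_blocks = ["0.0.0.0/0"]
 }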
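Review bot: Every rule changes its state address from a `for_each` instance such as `aws_security_group_rule.cluster["ingress_nodes_443"]` to a standalone resource such as `aws_security_group_rule.cluster_node_groups_to_cluster_api`, and no `moved` blocks accompany the rename, so applying this commit plans a destroy of all fourteen existing rules and a create of fourteen new ones instead of a no-op. Terraform does not order the unrelated destroy and create operations relative to each other, so the cluster-API (443) and kubelet (10250) rules between the cluster and node security groups may be absent for a short window during apply, and a create that lands before the matching destroy can be rejected by AWS as a duplicate rule. One `moved` block per renamed rule (old `for_each` key → new resource name; Terraform 1.1+) makes the refactor apply as a pure state rename; two are shown below and the remaining twelve follow the same pattern. Two smaller style points: the node-SG rules quote their ports (`from_port = "443"`) while the cluster-SG rules use numbers (`from_port = 443`), and `cluster_api_to_node_group` (on the cluster SG) versus `cluster_api_to_node_groups` (on the node SG) differ by one letter, so a consistent `cluster_` / `node_` prefix on every rule name would make the owning security group obvious at a glance.
```hcl
moved {
  from = aws_security_group_rule.cluster["ingress_nodes_443"]
  to   = aws_security_group_rule.cluster_node_groups_to_cluster_api
}

moved {
  from = aws_security_group_rule.node["egress_https"]
  to   = aws_security_group_rule.egress_all_https_to_internet
}

// … one moved block per remaining for_each key: cluster ingress_nodes_from_agent_443, egress_nodes_443, egress_nodes_kubelet; node egress_cluster_443, ingress_cluster_443, ingress_cluster_kubelet, ingress_self_coredns_tcp, egress_self_coredns_tcp, ingress_self_coredns_udp, egress_self_coredns_udp, egress_ntp_tcp, egress_ntp_udp …
```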
