feat: self-managed k8s security groups

.gitignore

@@ -2,8 +2,9 @@
 k8s-security-demo
 
 # Terraform
-.terraform
-.terraform.lock.hcl
-.terraform.tfstate.lock.info
-terraform.tfstate
-terraform.tfvars
+**/.terraform
+**/.terraform.lock.hcl
+**/terraform.tfstate.backup
+**/.terraform.tfstate.lock.info
+**/terraform.tfstate
+**/terraform.tfvars

terraform/main.tf

@@ -4,3 +4,10 @@ module "eks" {
   vpc_id       = var.vpc_id
   cluster_name = "test"
 }
+
+module "self-managed" {
+  source = "./modules/k8s-self-managed"
+
+  vpc_id       = var.vpc_id
+  cluster_name = "self_managed"
+}

terraform/modules/k8s-self-managed/control_plane_sg.tf

@@ -0,0 +1,70 @@
+resource "aws_security_group" "control_plane" {
+  name        = "eks_cluster_${var.cluster_name}_control_plane_sg"
+  description = "EKS cluster ${var.cluster_name} control plane security group."
+
+  vpc_id = var.vpc_id
+
+  tags = {
+    "Name" = "eks_cluster_${var.cluster_name}_control_plane_sg"
+  }
+}
+
+resource "aws_security_group_rule" "control_plane_egress" {
+  description       = "Allow control plane egress access to the Internet."
+  protocol          = "-1"
+  security_group_id = aws_security_group.control_plane.id
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 0
+  to_port           = 0
+  type              = "egress"
+}
+
+resource "aws_security_group_rule" "control_plane_api_server_ingress" {
+  description              = "Allow pods to communicate with the EKS cluster API."
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  source_security_group_id = aws_security_group.worker.id
+  from_port                = 443
+  to_port                  = 443
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "control_plane_etcd" {
+  description              = "etcd server client API"
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  source_security_group_id = aws_security_group.control_plane.id
+  from_port                = 2379
+  to_port                  = 2380
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "control_plane_scheduler" {
+  description              = "kube-scheduler"
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  source_security_group_id = aws_security_group.control_plane.id
+  from_port                = 10251
+  to_port                  = 10251
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "control_plane_controller_manager" {
+  description              = "kube-controller-manager"
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  source_security_group_id = aws_security_group.control_plane.id
+  from_port                = 10252
+  to_port                  = 10252
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "control_plane_cloud_controller_manager" {
+  description              = "cloud-controller-manager"
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  source_security_group_id = aws_security_group.control_plane.id
+  from_port                = 10258
+  to_port                  = 10258
+  type                     = "ingress"
+}

terraform/modules/k8s-self-managed/variables.tf

@@ -0,0 +1,9 @@
+# cluster
+variable "cluster_name" {
+  type = string
+}
+
+# networking
+variable "vpc_id" {
+  description = "The existing VPC"
+}

terraform/modules/k8s-self-managed/worker_node_sg.tf

@@ -0,0 +1,55 @@
+resource "aws_security_group" "worker" {
+  name        = "eks_cluster_${var.cluster_name}_worker_sg"
+  description = "Security group for all worker nodes in the cluster."
+
+  vpc_id = var.vpc_id
+
+  lifecycle {
+    ignore_changes = [ingress]
+  }
+
+  tags = {
+    "Name"                   = "eks_cluster_${var.cluster_name}_worker_sg"
+    "kubernetes.io/cluster/" = var.cluster_name
+  }
+}
+
+resource "aws_security_group_rule" "workers_egress" {
+  description       = "Allow worker nodes egress access to the Internet."
+  protocol          = "-1"
+  security_group_id = aws_security_group.worker.id
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 0
+  to_port           = 0
+  type              = "egress"
+}
+
+resource "aws_security_group_rule" "worker_kubelet_api" {
+  description              = "kubelet API"
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.worker.id
+  source_security_group_id = aws_security_group.control_plane.id
+  from_port                = 10250
+  to_port                  = 10250
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "cluster_worker_ingress" {
+  description              = "NodePort Services"
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.worker.id
+  source_security_group_id = aws_security_group.control_plane.id
+  from_port                = 30000
+  to_port                  = 32767
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "worker_node_ports" {
+  description              = "Allow node to communicate with each other."
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.worker.id
+  source_security_group_id = aws_security_group.worker.id
+  from_port                = 30000
+  to_port                  = 32767
+  type                     = "ingress"
+}