modules/aws/vpc/sg-etcd: Split out aws_security_group_rule for etcd

This happend for masters and workers in b620c16 (modules/aws: tighten security groups, 2017-04-19, coreos/tectonic-installer#264, where: * Master ingress/egress rules moved from inline entries in modules/aws/master-asg/master.tf to stand-alone rules in modules/aws/vpc/sg-master.tf. * Worker ingress/egress rules moved from inline entries in modules/aws/worker-asg/security-groups.tf to stand-alone rules in modules/aws/vpc/sg-worker.tf. For some reason, b620c16 moved the etcd security group from modules/aws/etcd/network.tf to modules/aws/vpc/sg-etcd.tf without splitting out the inline rules, so this commit catches up for consistency with the other node classes. From the Terraform docs [1]: Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules. We can also use the rule name to hint at the purpose of a rule, while with inline rules we just have port numbers. In this case, the *_etcd and *_peer suffixes are based on [2]: The official etcd ports are 2379 for client requests, and 2380 for peer communication. [1]: https://www.terraform.io/docs/providers/aws/r/security_group_rule.html [2]: https://github.com/coreos/etcd/tree/v3.3.9#etcd-tcp-ports
wking · Aug 20, 2018 · 75858ea · 75858ea
1 parent ffca3e2
commit 75858ea
Showing 1 changed file with 49 additions and 39 deletions.
diff --git a/modules/aws/vpc/sg-etcd.tf b/modules/aws/vpc/sg-etcd.tf
@@ -6,44 +6,54 @@ resource "aws_security_group" "etcd" {
       "kubernetes.io/cluster/${var.cluster_name}", "owned",
       "tectonicClusterID", "${var.cluster_id}"
     ), var.extra_tags)}"
+}
+
+resource "aws_security_group_rule" "etcd_egress" {
+  type              = "egress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  from_port   = 0
+  cidr_blocks = ["0.0.0.0/0"]
+  to_port     = 0
+  protocol    = "-1"
+}
+
+resource "aws_security_group_rule" "etcd_ingress_icmp" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol    = "icmp"
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port   = 0
+  to_port     = 0
+}
+
+resource "aws_security_group_rule" "etcd_ingress_ssh" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "tcp"
+  from_port = 22
+  to_port   = 22
+  self      = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_etcd" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
+
+  protocol  = "tcp"
+  from_port = 2379
+  to_port   = 2379
+  self      = true
+}
+
+resource "aws_security_group_rule" "etcd_ingress_peer" {
+  type              = "ingress"
+  security_group_id = "${aws_security_group.etcd.id}"
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    self        = true
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    protocol    = "icmp"
-    cidr_blocks = ["0.0.0.0/0"]
-    from_port   = 0
-    to_port     = 0
-  }
-
-  ingress {
-    protocol  = "tcp"
-    from_port = 22
-    to_port   = 22
-    self      = true
-
-    security_groups = ["${aws_security_group.master.id}"]
-  }
-
-  ingress {
-    protocol  = "tcp"
-    from_port = 2379
-    to_port   = 2379
-    self      = true
-
-    security_groups = ["${aws_security_group.master.id}"]
-  }
-
-  ingress {
-    protocol  = "tcp"
-    from_port = 2380
-    to_port   = 2380
-    self      = true
-  }
+  protocol  = "tcp"
+  from_port = 2380
+  to_port   = 2380
+  self      = true
 }