Security Group update

7641670a · michaelmcleroy · 27380683 · 7641670a · 7641670a
Commit 7641670a authored Jul 13, 2021 by michaelmcleroy
Hide whitespace changes
Inline Side-by-side

Showing with 45 additions and 4 deletions

CHANGELOG.md CHANGELOG.md +17 -0

terraform/modules/elb/main.tf terraform/modules/elb/main.tf +28 -4

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,23 @@

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [1.1.1]
+
+### Changed
+- Security groups between internet facing network load balancer and agent's node ports updated to fix ingress
+
+## [1.1.0]
+
+### Added
+
+- Upload of private SSH to encrypted S3 bucket
+- Rename of `default` Kubernetes profile to environment name
+- Change permissions of local Kubernetes config file to read/write of owner only
+
+### Changed
+
+- Migrated terraform classic load balancer to regular load balancer
+
 ## [1.0.1]

 ### Changed

--- a/terraform/modules/elb/main.tf
+++ b/terraform/modules/elb/main.tf
@@ -118,12 +118,36 @@ resource "aws_security_group" "public_nlb_pool" {

  # Allow all traffic from load balancer
  ingress {
-    description       = "Allow public Network Load Balancer traffic"
-    from_port         = 0
-    to_port           = 0
-    protocol          = -1
+    description       = "Allow public Network Load Balancer traffic to health check"
+    from_port         = var.node_port_health_checks
+    to_port           = var.node_port_health_checks
+    protocol          = "tcp"
    cidr_blocks       = formatlist("%s/32", [for eni in data.aws_network_interface.public_nlb : eni.private_ip])
  }

+  ingress {
+    description       = "Allow internet traffic to HTTP node port"
+    from_port         = var.node_port_http
+    to_port           = var.node_port_http
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description       = "Allow internet traffic to HTTPS node port"
+    from_port         = var.node_port_https
+    to_port           = var.node_port_https
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description       = "Allow internet traffic to SNI node port"
+    from_port         = var.node_port_sni
+    to_port           = var.node_port_sni
+    protocol          = "tcp"
+    cidr_blocks       = ["0.0.0.0/0"]
+  }
+
  tags = var.tags
 }
\ No newline at end of file