From c8a4adfc3c122074868dc60552950327610fe2e2 Mon Sep 17 00:00:00 2001 From: Andriy Knysh Date: Wed, 24 May 2023 17:18:10 -0400 Subject: [PATCH] Update Security Group rules (#186) * Update Security Group * Update Security Group * Update Security Group * Update Security Group --- .github/workflows/release-branch.yml | 1 + LICENSE | 2 +- README.md | 1 + docs/terraform.md | 1 + security-group-variables.tf | 3 -- security-group.tf | 47 +++++++++++++++------------- variables.tf | 6 ++++ 7 files changed, 36 insertions(+), 25 deletions(-) diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 3f8fe623..b30901ea 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -10,6 +10,7 @@ on: - 'docs/**' - 'examples/**' - 'test/**' + - 'README.*' permissions: contents: write diff --git a/LICENSE b/LICENSE index 4bd1946f..7afefb95 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2018-2022 Cloud Posse, LLC + Copyright 2018-2023 Cloud Posse, LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.md b/README.md index e4d1107e..090109c9 100644 --- a/README.md +++ b/README.md @@ -528,6 +528,7 @@ Available targets: | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | | [local\_exec\_interpreter](#input\_local\_exec\_interpreter) | shell to use for local\_exec | `list(string)` |
[
"/bin/sh",
"-c"
]
| no | +| [managed\_security\_group\_rules\_enabled](#input\_managed\_security\_group\_rules\_enabled) | Flag to enable/disable the ingress and egress rules for the EKS managed Security Group | `bool` | `true` | no | | [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap | `list(string)` | `[]` | no | | [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM users to add to `config-map-aws-auth` ConfigMap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 4f750ab3..208ed341 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -112,6 +112,7 @@ | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | | [local\_exec\_interpreter](#input\_local\_exec\_interpreter) | shell to use for local\_exec | `list(string)` |
[
"/bin/sh",
"-c"
]
| no | +| [managed\_security\_group\_rules\_enabled](#input\_managed\_security\_group\_rules\_enabled) | Flag to enable/disable the ingress and egress rules for the EKS managed Security Group | `bool` | `true` | no | | [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap | `list(string)` | `[]` | no | | [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM users to add to `config-map-aws-auth` ConfigMap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | diff --git a/security-group-variables.tf b/security-group-variables.tf index 2c3545fd..bab56c52 100644 --- a/security-group-variables.tf +++ b/security-group-variables.tf @@ -44,8 +44,6 @@ variable "allowed_cidr_blocks" { EOT } - - variable "custom_ingress_rules" { type = list(object({ description = string @@ -58,5 +56,4 @@ variable "custom_ingress_rules" { description = <<-EOT A List of Objects, which are custom security group rules that EOT - } diff --git a/security-group.tf b/security-group.tf index 59843177..e2808839 100644 --- a/security-group.tf +++ b/security-group.tf 
@@ -2,36 +2,54 @@ # Rules for EKS-managed Security Group # ----------------------------------------------------------------------- +locals { + cluster_security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id) + managed_security_group_rules_enabled = local.enabled && var.managed_security_group_rules_enabled +} + resource "aws_security_group_rule" "managed_ingress_security_groups" { - count = local.enabled ? length(local.allowed_security_group_ids) : 0 + count = local.managed_security_group_rules_enabled ? length(local.allowed_security_group_ids) : 0 description = "Allow inbound traffic from existing Security Groups" from_port = 0 to_port = 65535 protocol = "-1" source_security_group_id = local.allowed_security_group_ids[count.index] - security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id) + security_group_id = local.cluster_security_group_id type = "ingress" } resource "aws_security_group_rule" "managed_ingress_cidr_blocks" { - count = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0 + count = local.managed_security_group_rules_enabled && length(var.allowed_cidr_blocks) > 0 ? 
1 : 0 description = "Allow inbound traffic from CIDR blocks" from_port = 0 to_port = 65535 protocol = "-1" cidr_blocks = var.allowed_cidr_blocks - security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id) + security_group_id = local.cluster_security_group_id type = "ingress" } +resource "aws_security_group_rule" "custom_ingress_rules" { + for_each = { for sg_rule in var.custom_ingress_rules : sg_rule.source_security_group_id => sg_rule } + + description = each.value.description + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = each.value.source_security_group_id + security_group_id = local.cluster_security_group_id + type = "ingress" +} + # ----------------------------------------------------------------------- # DEPRECATED: Additional Security Group # ----------------------------------------------------------------------- locals { create_security_group = local.enabled && var.create_security_group + security_group_id = one(aws_security_group.default[*].id) } resource "aws_security_group" "default" { @@ -51,7 +69,7 @@ resource "aws_security_group_rule" "egress" { to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = one(aws_security_group.default[*].id) + security_group_id = local.security_group_id type = "egress" } @@ -63,7 +81,7 @@ resource "aws_security_group_rule" "ingress_workers" { to_port = 65535 protocol = "-1" source_security_group_id = var.workers_security_group_ids[count.index] - security_group_id = one(aws_security_group.default[*].id) + security_group_id = local.security_group_id type = "ingress" } @@ -75,7 +93,7 @@ resource "aws_security_group_rule" "ingress_security_groups" { to_port = 65535 protocol = "-1" source_security_group_id = var.allowed_security_groups[count.index] - security_group_id = one(aws_security_group.default[*].id) + security_group_id = local.security_group_id type = "ingress" } 
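Review bot: The new `custom_ingress_rules` resource in this hunk is not gated by `local.managed_security_group_rules_enabled`, so setting `managed_security_group_rules_enabled = false` removes the two managed ingress rules but still attaches every custom rule to the cluster security group, which contradicts the variable's description in the variables.tf hunk ("enable/disable the ingress and egress rules for the EKS managed Security Group"). Gate the map the same way the counts are gated: `for_each = local.managed_security_group_rules_enabled ? { for sg_rule in var.custom_ingress_rules : sg_rule.source_security_group_id => sg_rule } : {}`. That description also mentions egress rules, yet no egress rule on the managed security group appears anywhere in this diff, so either narrow the wording to ingress or confirm where such a rule lives. Separately, keying the map on `source_security_group_id` alone means two custom rules for the same source group (for example, different port ranges) produce duplicate keys and the `for` expression fails at plan time; a composite key such as `"${sg_rule.source_security_group_id}-${sg_rule.from_port}-${sg_rule.to_port}-${sg_rule.protocol}"` would avoid that, with the caveat that changing the key re-creates existing rules in state and this commit only moved the resource rather than changing it.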
@@ -87,19 +105,6 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" { to_port = 65535 protocol = "-1" cidr_blocks = var.allowed_cidr_blocks - security_group_id = one(aws_security_group.default[*].id) + security_group_id = local.security_group_id type = "ingress" } - -resource "aws_security_group_rule" "custom_ingress_rules" { - - for_each = { for sg_rule in var.custom_ingress_rules : sg_rule.source_security_group_id => sg_rule } - - description = each.value.description - from_port = each.value.from_port - to_port = each.value.to_port - protocol = each.value.protocol - source_security_group_id = each.value.source_security_group_id - security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id) - type = "ingress" -} diff --git a/variables.tf b/variables.tf index 6aa5799f..c956f89b 100644 --- a/variables.tf +++ b/variables.tf @@ -326,3 +326,9 @@ variable "cluster_attributes" { description = "Override label module default cluster attributes" default = ["cluster"] } + +variable "managed_security_group_rules_enabled" { + type = bool + description = "Flag to enable/disable the ingress and egress rules for the EKS managed Security Group" + default = true +}