

Merge pull request #179 from ministryofjustice/eks-subnet-sgs
EKS subnet SGs
sj-williams authored Sep 12, 2024
2 parents 356ff82 + 1382ea6 commit 37af104
Showing 2 changed files with 27 additions and 3 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -164,7 +164,9 @@ No modules.
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_subnet.eks_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
| [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
| [aws_subnets.eks_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |

28 changes: 25 additions & 3 deletions main.tf
@@ -60,6 +60,22 @@ data "aws_subnet" "private" {
id = each.value
}

data "aws_subnets" "eks_private" {
filter {
name = "vpc-id"
values = [data.aws_vpc.this.id]
}

tags = {
SubnetType = "EKS-Private"
}
}

data "aws_subnet" "eks_private" {
for_each = toset(data.aws_subnets.eks_private.ids)
id = each.value
}

########################
# Generate identifiers #
########################
@@ -123,18 +139,24 @@ resource "aws_security_group" "rds-sg" {
# cyclic dependency. Rather than resorting to `aws_security_group_rule` which
# is not ideal for managing rules, we will simply allow traffic to all ports.
# This does not compromise security as the instance only listens on one port.
ingress {
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [for s in data.aws_subnet.private : s.cidr_block]
cidr_blocks = concat(
[for s in data.aws_subnet.private : s.cidr_block],
[for s in data.aws_subnet.eks_private : s.cidr_block]
)
}

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [for s in data.aws_subnet.private : s.cidr_block]
cidr_blocks = concat(
[for s in data.aws_subnet.private : s.cidr_block],
[for s in data.aws_subnet.eks_private : s.cidr_block]
)
}
}

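Review bot: The new `concat(...)` in both the ingress and egress blocks can produce the same CIDR twice if a subnet matches both the `private` and the `EKS-Private` lookups (or if the two tag queries overlap), and AWS will likely reject a rule whose CIDR list contains duplicates; wrapping each list as `cidr_blocks = distinct(concat([for s in data.aws_subnet.private : s.cidr_block], [for s in data.aws_subnet.eks_private : s.cidr_block]))` makes the rule robust to that. Separately, the header comment's justification for `protocol = "-1"` on all ports ("the instance only listens on one port") is now being extended to whole EKS node/pod subnets; if the module already knows the database listener port (e.g. via a port variable), the ingress rule should be narrowed to `from_port`/`to_port` of that port and the comment updated to say why egress still needs `-1`, otherwise the reviewer should state the rationale explicitly in the comment, e.g. `# EKS-Private subnets are included so cluster workloads can reach the instance; the CIDR allow-list is the only control here, not the port.` Note also that `data.aws_subnets.eks_private` silently yields no CIDRs when no subnet carries the `SubnetType = "EKS-Private"` tag, so a typo in the tag would quietly drop EKS access rather than fail the plan; a `precondition` or `length(...) > 0` check on that data source would surface it. The `aws_security_group.rds-sg` resource begins outside this hunk.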

