From 5d9d4fb8b8ebdd074ba1f244d6e91f3125336549 Mon Sep 17 00:00:00 2001
From: Max Williams
Date: Tue, 9 Oct 2018 10:38:17 +0200
Subject: [PATCH] Allowing 443 to nodes from EKS service (#148)

---
 CHANGELOG.md | 1 +
 workers.tf | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 18c8ad6..1134222 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 - A useful addition (slam dunk, @self 🔥)
 - Worker groups can be created with a specified IAM profile. (from @laverya)
 - exposed `aws_eks_cluster` create and destroy timeouts (by @RGPosadas)
+- Allow port 443 from EKS service to nodes to run `metrics-server`. (by @max-rocket-internet)
 
 ### Changed
 
diff --git a/workers.tf b/workers.tf
index 245a2ef..ebc4f55 100644
--- a/workers.tf
+++ b/workers.tf
@@ -90,6 +90,17 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
   count = "${var.worker_security_group_id == "" ? 1 : 0}"
 }
 
+resource "aws_security_group_rule" "workers_ingress_cluster_https" {
+  description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane."
+  protocol = "tcp"
+  security_group_id = "${aws_security_group.workers.id}"
+  source_security_group_id = "${local.cluster_security_group_id}"
+  from_port = 443
+  to_port = 443
+  type = "ingress"
+  count = "${var.worker_security_group_id == "" ? 1 : 0}"
+}
+
 resource "aws_iam_role" "workers" {
   name_prefix = "${aws_eks_cluster.this.name}"
   assume_role_policy = "${data.aws_iam_policy_document.workers_assume_role_policy.json}"
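Review bot: The new `workers_ingress_cluster_https` rule opens TCP 443 on every worker node to the control-plane security group unconditionally, not only for pods running extension API servers as its description says, so any listener on 443 in a worker's host or pod network becomes reachable from the control plane; the blast radius is small because the source is the cluster SG, but a least-privilege module would gate the rule behind a boolean variable (defaulting to the current behaviour) so clusters that do not run `metrics-server` or another aggregated API server never get it, which would also need a matching declaration in the module's variables file outside this patch. The `count` guard copied from `workers_ingress_cluster` means users who bring their own `worker_security_group_id` silently lose this path and must add the 443 ingress themselves, which deserves a line in the README or changelog, e.g. `When supplying worker_security_group_id you must also allow TCP 443 ingress from the cluster security group if you run extension API servers such as metrics-server.` The rule is only effective if the cluster security group's egress permits 443 towards the workers; those egress rules are not in this hunk, so confirm they exist rather than assuming the default allow-all egress is still in place.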