From 97c79643fbcd5b6ff64b938f2822972225bb47f1 Mon Sep 17 00:00:00 2001
From: Scott Crooks
Date: Mon, 25 Mar 2019 11:58:55 +0100
Subject: [PATCH] Adding minimum communication security group rule for Kubelet (#318)

* Adding minimum communication The docs at https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html specify that port 10250 is needed at a minimum for communication between the control plane, and the worker nodes. If you specify a `worker_sg_ingress_from_port` as something like `30000`, then this minimum communication is never established.
* Adding description to CHANGELOG.md
* Adjusting the naming of the resources
* Ensuring creation is conditional on the value of `worker_sg_ingress_from_port`
* Mistake, should be greater than port 10250
---
 CHANGELOG.md | 1 +
 workers.tf | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ebecf62..e53f3b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - Write your awesome addition here (by @you)
+- Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024)
 ### Changed
diff --git a/workers.tf b/workers.tf
index 949d964..7790c62 100644
--- a/workers.tf
+++ b/workers.tf
@@ -93,7 +93,7 @@ resource "aws_security_group_rule" "workers_ingress_self" {
 }
 
 resource "aws_security_group_rule" "workers_ingress_cluster" {
- description = "Allow workers Kubelets and pods to receive communication from the cluster control plane."
+ description = "Allow workers pods to receive communication from the cluster control plane."
 protocol = "tcp"
 security_group_id = "${aws_security_group.workers.id}"
 source_security_group_id = "${local.cluster_security_group_id}"
@@ -103,6 +103,17 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
 count = "${var.worker_create_security_group ? 1 : 0}"
 }
 
+resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" {
+ description = "Allow workers Kubelets to receive communication from the cluster control plane."
+ protocol = "tcp"
+ security_group_id = "${aws_security_group.workers.id}"
+ source_security_group_id = "${local.cluster_security_group_id}"
+ from_port = 10250
+ to_port = 10250
+ type = "ingress"
+ count = "${var.worker_create_security_group ? (var.worker_sg_ingress_from_port > 10250 ? 1 : 0) : 0}"
+}
+
 resource "aws_security_group_rule" "workers_ingress_cluster_https" {
 description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane."
 protocol = "tcp"
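Review bot: The `count` expression on `workers_ingress_cluster_kubelet` only tests the lower bound of the general `workers_ingress_cluster` rule, so a worker ingress range that ends below 10250 still leaves kubelet traffic from the control plane blocked while this dedicated rule stays disabled; the general rule's `from_port`/`to_port` lines fall outside this hunk, so I cannot confirm which variable drives its upper bound. If an upper-bound variable exists, the guard should cover both ends, e.g. `count = "${var.worker_create_security_group ? (var.worker_sg_ingress_from_port > 10250 || var.<to_port variable> < 10250 ? 1 : 0) : 0}"`. As far as I recall, AWS rejects only exact duplicate security group rules rather than overlapping port ranges, so the simpler option is to drop the port comparison and create this rule whenever `worker_create_security_group` is set — worth confirming against the provider before choosing that route. Either way, a comment above the resource would help the next reader, e.g. `# Kubelet (10250) must always be reachable from the control plane, independent of the configurable worker ingress range.`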