hashicorp/terraform-aws-nomad

Allow additional security groups for ASG Instances

lawliet89 opened this issue · 5 comments

I am referring to the line in the nomad-cluster module.

It would be desirable to allow users to define any additional security groups for instances launched by the ASG, which will be concatenated with aws_security_group.lc_security_group.id. For example, if I have an ELB launched, I would like to be able to add the ELB security group as ingress.

I have a patch for this, although I am not sure how this can be tested.

For example, if I have an ELB launched, I would like to be able to add the ELB security group as ingress.

Just to make sure I understand, is your goal to be able to specify other security groups that open up various ports on Nomad? Or to specify other security groups from which Nomad will allow connections (e.g., so an ELB can talk to the Nomad servers)?

If it's the latter, you can do that already, since the security_group_id is an output, which allows you to add your own security group rules:

module "nomad" {
  source = "git@github.com:hashicorp/terraform-aws-nomad.git//modules/nomad-cluster?ref=v0.0.4"

  # ... (other params omitted) ...
}

# Extra rule attached to the security group the module creates for its
# instances; the module exports that group's ID as the security_group_id output.
resource "aws_security_group_rule" "example" {
  type            = "ingress"
  from_port       = 12345
  to_port         = 12345
  protocol        = "tcp"
  cidr_blocks     = ["0.0.0.0/0"]   # placeholder source; narrow this to the real client range or group

  security_group_id = "${module.nomad.security_group_id}"
}
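The two goals the reply distinguishes (opening ports on the module's own group versus attaching additional groups to the instances) can be combined in one configuration. The following is an added example, not code from the issue or from the terraform-aws-nomad module, written in the same Terraform 0.11 interpolation syntax as the thread. It assumes a `var.vpc_id` input, a hypothetical security group `aws_security_group.nomad_elb` attached to the ELB, and that the nomad-cluster module accepts a list variable named `security_groups` for extra instance security groups (the feature this issue asks for; the variable name is an assumption). Unlike the `0.0.0.0/0` placeholder above, the ELB rule is scoped to the ELB's security group via `source_security_group_id`, so only traffic that actually originates from the ELB is admitted.

```hcl
# Added example (not from the issue or the module). Assumptions:
#   - var.vpc_id is the VPC the cluster lives in
#   - aws_security_group.nomad_elb is the group attached to the ELB (hypothetical name)
#   - the nomad-cluster module exposes a `security_groups` list variable that is
#     concatenated with aws_security_group.lc_security_group on the launch
#     configuration (the feature requested here; name assumed)
# Terraform 0.11 interpolation syntax, matching the thread.

variable "vpc_id" {}

# Security group carried by the ELB itself (hypothetical).
resource "aws_security_group" "nomad_elb" {
  name   = "nomad-elb"
  vpc_id = "${var.vpc_id}"
}

# A second group to attach to the Nomad instances. Rules placed here do not
# count against the module's own group, which is also the usual way to stay
# under the per-security-group rule quota.
resource "aws_security_group" "nomad_extra" {
  name   = "nomad-extra"
  vpc_id = "${var.vpc_id}"
}

module "nomad" {
  source = "git@github.com:hashicorp/terraform-aws-nomad.git//modules/nomad-cluster?ref=v0.0.4"

  # ... (other params omitted) ...

  # Assumed variable: extra groups attached to every ASG instance alongside
  # the module's own aws_security_group.lc_security_group.
  security_groups = ["${aws_security_group.nomad_extra.id}"]
}

# "Let the ELB talk to Nomad": ingress on the module's exported group that
# admits only traffic whose source carries the ELB's security group.
resource "aws_security_group_rule" "elb_to_nomad_http" {
  type                     = "ingress"
  from_port                = 4646   # Nomad HTTP API / UI
  to_port                  = 4646
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.nomad_elb.id}"
  security_group_id        = "${module.nomad.security_group_id}"
}

# Matching egress on the ELB's group, likewise scoped to the instances' group
# rather than to a CIDR (for egress, source_security_group_id is the destination).
resource "aws_security_group_rule" "elb_egress_to_nomad" {
  type                     = "egress"
  from_port                = 4646
  to_port                  = 4646
  protocol                 = "tcp"
  source_security_group_id = "${module.nomad.security_group_id}"
  security_group_id        = "${aws_security_group.nomad_elb.id}"
}
```

Each `aws_security_group_rule` counts as one rule per source or destination entry on the group it is attached to, so spreading rules across `nomad_extra` and the module's group keeps either one from hitting the AWS per-group limit, while group-to-group references avoid having to maintain CIDR lists for the ELB's changing addresses.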

Just to make sure I understand, is your goal to be able to specify other security groups that open up various ports on Nomad? Or to specify other security groups from which Nomad will allow connections (e.g., so an ELB can talk to the Nomad servers)?

For both, actually. One issue with your solution would be that I would hit an error where AWS complains the security group has too many rules.

One issue with your solution would be that I would hit an error where AWS complains the security group has too many rules.

I believe AWS allows up to 50 inbound and 50 outbound rules. Are you adding that many?

At any rate, I'm certainly open to a PR that allows you to pass in extra security group IDs.

That's strange. I don't think I have 50 rules, but I did hit that error. I'll open a PR.

Fixed by #14.