Fix security groups (#2)

* Use EMR default security groups for all managed security groups * Use EMR default security groups for all managed security groups * Use EMR default security groups for all managed security groups
cloudposse · Aug 5, 2019 · 93c40e6 · 93c40e6
1 parent 84f520f
commit 93c40e6
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 20 deletions.
diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars
@@ -10,11 +10,11 @@ name = "emr-test"
 
 ebs_root_volume_size = 10
 
-visible_to_all_users = false
+visible_to_all_users = true
 
 release_label = "emr-5.25.0"
 
-applications = ["Hadoop", "Hive", "Presto"]
+applications = ["Hive", "Presto"]
 
 core_instance_group_instance_type = "m4.large"
 
@@ -41,21 +41,3 @@ create_task_instance_group = false
 ssh_public_key_path = "/secrets"
 
 generate_ssh_key = true
-
-# https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-configure-apps.html
-configurations_json = <<EOF
-  [
-    {
-      "Classification": "hadoop-env",
-      "Configurations": [
-        {
-          "Classification": "export",
-          "Properties": {
-            "JAVA_HOME": "/usr/lib/jvm/java-1.8.0"
-          }
-        }
-      ],
-      "Properties": {}
-    }
-  ]
-EOF
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -46,6 +46,7 @@ variable "applications" {
 variable "configurations_json" {
   type        = string
   description = "A JSON string for supplying list of configurations for the EMR cluster"
+  default     = null
 }
 
 variable "core_instance_group_instance_type" {

diff --git a/main.tf b/main.tf
@@ -108,6 +108,18 @@ resource "aws_security_group" "managed_master" {
   }
 }
 
+resource "aws_security_group_rule" "managed_master_egress" {
+  count             = var.enabled ? 1 : 0
+  description       = "Allow all egress traffic"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+  security_group_id = join("", aws_security_group.managed_master.*.id)
+}
+
 resource "aws_security_group" "managed_slave" {
   count                  = var.enabled ? 1 : 0
   revoke_rules_on_delete = true
@@ -122,6 +134,18 @@ resource "aws_security_group" "managed_slave" {
   }
 }
 
+resource "aws_security_group_rule" "managed_slave_egress" {
+  count             = var.enabled ? 1 : 0
+  description       = "Allow all egress traffic"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+  security_group_id = join("", aws_security_group.managed_slave.*.id)
+}
+
 resource "aws_security_group" "managed_service_access" {
   count                  = var.enabled && var.subnet_type == "private" ? 1 : 0
   revoke_rules_on_delete = true
@@ -136,6 +160,19 @@ resource "aws_security_group" "managed_service_access" {
   }
 }
 
+resource "aws_security_group_rule" "managed_service_access_egress" {
+  count             = var.enabled && var.subnet_type == "private" ? 1 : 0
+  description       = "Allow all egress traffic"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+  security_group_id = join("", aws_security_group.managed_service_access.*.id)
+}
+
+# Specify additional master and slave security groups
 resource "aws_security_group" "master" {
   count                  = var.enabled ? 1 : 0
   revoke_rules_on_delete = true