From 347291b333199e7e5d8ce8d4d2777e04fa527d92 Mon Sep 17 00:00:00 2001
From: Mike Metral <1112768+metral@users.noreply.github.com>
Date: Wed, 17 Apr 2019 21:42:32 -0700
Subject: [PATCH 1/3] fix(secgroups): replace in-line rules with standalone secgroup rules

- null out the secgroup ingress & egress to revoke any existing rules
- create new standalone secgroup rules
---
 nodejs/eks/cluster.ts | 14 ++++---
 nodejs/eks/securitygroup.ts | 76 ++++++++++++++++++++++---------------
 2 files changed, 54 insertions(+), 36 deletions(-)

diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index 90442c07e..e070148bb 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -114,16 +114,20 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 }, { parent: parent });

 // Create the EKS cluster security group
- const allEgress = {
+ const eksClusterSecurityGroup = new aws.ec2.SecurityGroup(`${name}-eksClusterSecurityGroup`, {
+ vpcId: vpcId,
+ ingress: [],
+ egress: [],
+ }, { parent: parent });
+
+ const eksClusterInternetEgressRule = new aws.ec2.SecurityGroupRule(`${name}-eksClusterInternetEgressRule`, {
 description: "Allow internet access.",
+ type: "egress",
 fromPort: 0,
 toPort: 0,
 protocol: "-1", // all
 cidrBlocks: [ "0.0.0.0/0" ],
- };
- const eksClusterSecurityGroup = new aws.ec2.SecurityGroup(`${name}-eksClusterSecurityGroup`, {
- vpcId: vpcId,
- egress: [ allEgress ],
+ securityGroupId: eksClusterSecurityGroup.id,
 }, { parent: parent });

 // Create the EKS cluster
diff --git a/nodejs/eks/securitygroup.ts b/nodejs/eks/securitygroup.ts
index d2db18044..aafee1760 100644
--- a/nodejs/eks/securitygroup.ts
+++ b/nodejs/eks/securitygroup.ts
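Review bot: The group is created with explicit `ingress: []` and `egress: []` while its only rule is a separate `aws.ec2.SecurityGroupRule`, and the AWS provider documents that in-line rule lists and standalone rule resources on the same security group conflict: an empty in-line list tells the provider it owns the group's rule set, so on a later refresh it may plan to revoke the standalone rule it did not create. The commit description says the empty lists exist to revoke the rules left over from the previous in-line definition, which reads as a one-time migration step; that intent should be stated in the code, e.g. `// Empty in-line lists revoke the rules of the previous in-line definition; rules are managed by the SecurityGroupRule resources below.`, and it should be decided whether the two lines stay once existing stacks have migrated. The same pattern is introduced for `nodeSecurityGroup` in the securitygroup.ts hunk of this patch. `createCore` continues outside the hunk on both sides.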
@@ -33,40 +33,54 @@ export interface NodeGroupSecurityGroupOptions {
 }

 export function createNodeGroupSecurityGroup(name: string, args: NodeGroupSecurityGroupOptions, parent: pulumi.ComponentResource): aws.ec2.SecurityGroup {
- return new aws.ec2.SecurityGroup(`${name}-nodeSecurityGroup`, {
+ const nodeSecurityGroup = new aws.ec2.SecurityGroup(`${name}-nodeSecurityGroup`, {
 vpcId: args.vpcId,
- ingress: [
- {
- description: "Allow nodes to communicate with each other",
- fromPort: 0,
- toPort: 0,
- protocol: "-1", // all
- self: true,
- },
- {
- description: "Allow worker Kubelets and pods to receive communication from the cluster control plane",
- fromPort: 1025,
- toPort: 65535,
- protocol: "tcp",
- securityGroups: [ args.clusterSecurityGroup.id ],
- },
- {
- description: "Allow pods running extension API servers on port 443 to receive communication from cluster control plane",
- fromPort: 443,
- toPort: 443,
- protocol: "tcp",
- securityGroups: [ args.clusterSecurityGroup.id ],
- },
- ],
- egress: [{
- description: "Allow internet access.",
- fromPort: 0,
- toPort: 0,
- protocol: "-1", // all
- cidrBlocks: [ "0.0.0.0/0" ],
- }],
+ ingress: [],
+ egress: [],
 tags: args.eksCluster.name.apply(n => {
 [`kubernetes.io/cluster/${n}`]: "owned",
 }),
 }, { parent: parent });
+
+ const nodeIngressRule = new aws.ec2.SecurityGroupRule(`${name}-eksNodeIngressRule`, {
+ description: "Allow nodes to communicate with each other",
+ type: "ingress",
+ fromPort: 0,
+ toPort: 0,
+ protocol: "-1", // all
+ securityGroupId: nodeSecurityGroup.id,
+ self: true,
+ }, { parent: parent });
+
+ const nodeClusterIngressRule = new aws.ec2.SecurityGroupRule(`${name}-eksNodeClusterIngressRule`, {
+ description: "Allow worker Kubelets and pods to receive communication from the cluster control plane",
+ type: "ingress",
+ fromPort: 1025,
+ toPort: 65535,
+ protocol: "tcp",
+ securityGroupId: nodeSecurityGroup.id,
+ sourceSecurityGroupId: args.clusterSecurityGroup.id,
+ }, { parent: parent });
+
+ const extApiServerClusterIngressRule = new aws.ec2.SecurityGroupRule(`${name}-eksExtApiServerClusterIngressRule`, {
+ description: "Allow pods running extension API servers on port 443 to receive communication from cluster control plane",
+ type: "ingress",
+ fromPort: 443,
+ toPort: 443,
+ protocol: "tcp",
+ securityGroupId: nodeSecurityGroup.id,
+ sourceSecurityGroupId: args.clusterSecurityGroup.id,
+ }, { parent: parent });
+
+ const nodeInternetEgressRule = new aws.ec2.SecurityGroupRule(`${name}-eksNodeInternetEgressRule`, {
+ description: "Allow internet access.",
+ type: "egress",
+ fromPort: 0,
+ toPort: 0,
+ protocol: "-1", // all
+ cidrBlocks: [ "0.0.0.0/0" ],
+ securityGroupId: nodeSecurityGroup.id,
+ }, { parent: parent });
+
+ return nodeSecurityGroup;
 }

From b4152cc2edabe2975baa05379fd062cf7884aae8 Mon Sep 17 00:00:00 2001
From: Mike Metral <1112768+metral@users.noreply.github.com>
Date: Mon, 22 Apr 2019 16:30:21 -0700
Subject: [PATCH 2/3] fix(secgroups): enable revokeRulesOnDelete for secgroups

---
 nodejs/eks/cluster.ts | 1 +
 nodejs/eks/securitygroup.ts | 1 +
 2 files changed, 2 insertions(+)

diff --git a/nodejs/eks/cluster.ts b/nodejs/eks/cluster.ts
index e070148bb..66719454b 100644
--- a/nodejs/eks/cluster.ts
+++ b/nodejs/eks/cluster.ts
@@ -116,6 +116,7 @@ export function createCore(name: string, args: ClusterOptions, parent: pulumi.Co
 // Create the EKS cluster security group
 const eksClusterSecurityGroup = new aws.ec2.SecurityGroup(`${name}-eksClusterSecurityGroup`, {
 vpcId: vpcId,
+ revokeRulesOnDelete: true,
 ingress: [],
 egress: [],
 }, { parent: parent });
diff --git a/nodejs/eks/securitygroup.ts b/nodejs/eks/securitygroup.ts
index aafee1760..72075b8da 100644
--- a/nodejs/eks/securitygroup.ts
+++ b/nodejs/eks/securitygroup.ts
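Review bot: The four `SecurityGroupRule` resources are bound to `const` locals that are never read (`nodeIngressRule`, `nodeClusterIngressRule`, `extApiServerClusterIngressRule`, `nodeInternetEgressRule`), which `no-unused-vars` will flag, and because only `nodeSecurityGroup` is returned, callers have no handle with which to make other resources depend on the rules being applied rather than on the bare group. If the bindings are kept on purpose, a comment should say so; otherwise they can become bare `new aws.ec2.SecurityGroupRule(...)` statements, and the function's doc comment (outside this hunk) should note that the group's rules are created as sibling child resources of the same parent. Separately, the unchanged `tags:` context line reads `apply(n => { [...]: "owned", })` here, which is not a valid arrow body as printed; this is presumably markup lost in extraction rather than something this hunk changes, but it is worth confirming against the file.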
@@ -35,6 +35,7 @@ export interface NodeGroupSecurityGroupOptions {
 export function createNodeGroupSecurityGroup(name: string, args: NodeGroupSecurityGroupOptions, parent: pulumi.ComponentResource): aws.ec2.SecurityGroup {
 const nodeSecurityGroup = new aws.ec2.SecurityGroup(`${name}-nodeSecurityGroup`, {
 vpcId: args.vpcId,
+ revokeRulesOnDelete: true,
 ingress: [],
 egress: [],
 tags: args.eksCluster.name.apply(n => {

From a2ca9913bb3ff823519a0e3f468e1efec7d01584 Mon Sep 17 00:00:00 2001
From: Mike Metral <1112768+metral@users.noreply.github.com>
Date: Mon, 22 Apr 2019 23:10:59 -0700
Subject: [PATCH 3/3] Update CHANGELOG to include secgroup rules

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0fae667ba..da850b653 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ### Improvements
+- fix(secgroups): use standalone secgroup rules instead of in-line rules
+ [#108](https://github.com/pulumi/pulumi-eks/pull/108)
 - fix(nodegroup): filter on x86_64 arch for node AMI
 [#112](https://github.com/pulumi/pulumi-eks/pull/112)