fix: Separate HTTP and HTTPS rule creation (#90)

* separate HTTP and HTTPS rule creation * Update main.tf
wandb · Jun 21, 2023 · 98b0159 · 98b0159
1 parent a5c2688
commit 98b0159
Showing 1 changed file with 29 additions and 11 deletions.
diff --git a/modules/app_lb/main.tf b/modules/app_lb/main.tf
@@ -3,30 +3,48 @@ locals {
   https_port = 443
 }
 
-resource "aws_security_group" "inbound" {
-  name        = "${var.namespace}-alb-inbound"
-  description = "Allow http(s) traffic to wandb"
+
+////////////////////////////////////////////////////////////////////////////////////////////
+// the following security group definitions are created to handle a situation where 
+// we need to assign a large number of ips to a SG, such as is the case in 
+// https://wandb.atlassian.net/browse/WB-14096.
+// althought the quota for max # of security group rules per security group has been raised
+// to 100 as of 2023-06-20, if we don't separate HTTP/HTTPS, the sum number of rules
+// can easily exceed 100. 
+// -> george.scott@wandb.com :: 2023-06-20
+////////////////////////////////////////////////////////////////////////////////////////////
+resource "aws_security_group" "inbound-http" {
+  name        = "${var.namespace}-alb-inbound-http"
+  description = "Allow http traffic to wandb"
   vpc_id      = var.network_id
 
-  ingress {
-    from_port        = local.https_port
-    to_port          = local.https_port
+ ingress {
+    from_port        = local.http_port
+    to_port          = local.http_port
     protocol         = "tcp"
-    description      = "Allow HTTPS (port ${local.https_port}) traffic inbound to W&B LB"
+    description      = "Allow HTTP (port ${local.http_port}) traffic inbound to W&B LB"
     cidr_blocks      = var.allowed_inbound_cidr
     ipv6_cidr_blocks = var.allowed_inbound_ipv6_cidr
   }
+}
+
+resource "aws_security_group" "inbound-https" {
+  name        = "${var.namespace}-alb-inbound-https"
+  description = "Allow https traffic to wandb"
+  vpc_id      = var.network_id
 
   ingress {
-    from_port        = local.http_port
-    to_port          = local.http_port
+    from_port        = local.https_port
+    to_port          = local.https_port
     protocol         = "tcp"
-    description      = "Allow HTTP (port ${local.http_port}) traffic inbound to W&B LB"
+    description      = "Allow HTTPS (port ${local.https_port}) traffic inbound to W&B LB"
     cidr_blocks      = var.allowed_inbound_cidr
     ipv6_cidr_blocks = var.allowed_inbound_ipv6_cidr
   }
 }
 
+
+
 resource "aws_security_group" "outbound" {
   name        = "${var.namespace}-alb-outbound"
   vpc_id      = var.network_id
@@ -45,7 +63,7 @@ resource "aws_lb" "alb" {
   name               = "${var.namespace}-alb"
   internal           = (var.load_balancing_scheme == "PRIVATE")
   load_balancer_type = "application"
-  security_groups    = [aws_security_group.inbound.id, aws_security_group.outbound.id]
+  security_groups    = [aws_security_group.aws_security_group.inbound-https.id, aws_security_group.inbound-http.id, aws_security_group.outbound.id]
   subnets            = var.load_balancing_scheme == "PRIVATE" ? var.network_private_subnets : var.network_public_subnets
 }