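# Node security group for the dskdemo Kubernetes cluster (Cilium CNI).
#
# Inbound rules are split into two trust zones:
#   - SSH from a single administrative host (/32).
#   - Cluster control-plane and CNI traffic from the node subnet 172.24.2.0/24.
# Rules are declared inline; do not also manage this group's rules with
# aws_security_group_rule resources, or the two will fight over state.
resource "aws_security_group" "dskdemo-allow-security" {
  name        = "dskdemo-allow-security-new"
  description = "Allow inbound traffic"
  vpc_id      = var.VPC_ID

  # Administrative SSH, pinned to one source address.
  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["118.223.123.161/32"]
  }

  # etcd client (2379) and peer (2380) traffic between cluster nodes.
  ingress {
    description = "etcd"
    from_port   = 2379
    to_port     = 2380
    protocol    = "tcp"
    cidr_blocks = ["172.24.2.0/24"]
  }

  ingress {
    description = "kubelet api"
    from_port   = 10250
    to_port     = 10250
    protocol    = "tcp"
    cidr_blocks = ["172.24.2.0/24"]
  }

  # Cilium overlay: VXLAN encapsulation runs on UDP 8472, not TCP. The
  # previous "tcp" rule matched no overlay traffic. If Geneve is chosen
  # instead, it uses UDP 6081 and needs its own rule; nothing extra is
  # opened here.
  ingress {
    description = "Cilium Geneve or VXLAN"
    from_port   = 8472
    to_port     = 8472
    protocol    = "udp"
    cidr_blocks = ["172.24.2.0/24"]
  }

  ingress {
    description = "Cilium Health Check"
    from_port   = 4240
    to_port     = 4240
    protocol    = "tcp"
    cidr_blocks = ["172.24.2.0/24"]
  }

  # kube-apiserver, reachable only from inside the node subnet.
  ingress {
    description = "api-server"
    from_port   = 6443
    to_port     = 6443
    protocol    = "tcp"
    cidr_blocks = ["172.24.2.0/24"]
  }

  ingress {
    description = "node port range"
    from_port   = 30000
    to_port     = 32767
    protocol    = "tcp"
    cidr_blocks = ["172.24.2.0/24"]
  }

  # Already covered by the etcd rule (2379-2380 from the same CIDR); kept
  # as a separate rule so the operator dependency stays visible in audits.
  ingress {
    description = "Cilium Operator"
    from_port   = 2379
    to_port     = 2379
    protocol    = "tcp"
    cidr_blocks = ["172.24.2.0/24"]
  }

  # Unrestricted egress (all protocols, IPv4 and IPv6). Tighten to the
  # registries, package mirrors and peer subnets the nodes actually need
  # if outbound traffic must be constrained.
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "dskdemo-allow-security"
  }
}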