earthly · distilledtee · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024 · Sep 30, 2024
diff --git a/README.md b/README.md
@@ -4,20 +4,21 @@ This module allows you to provision the infrastructure needed for an Earthly BYO
 
 ### Module Inputs
 
-| Name           | Description                                                                                                                                              |
-|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
-| cloud_name     | The name to use to identify the cloud installation. Used by Earthly during automatic installation, and to mark related resources in AWS.                 |
-| subnet         | The subnet Earthly will deploy satellites into.                                                                                                          |
-| ssh_public_key | (Optional) The SSH key to include in provisioned satellites. If left unspecified, a new key is generated, and the private key is available as an output. |
+| Name             | Description                                                                                                                                              |
+|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
+| cloud_name       | The name to use to identify the cloud installation. Used by Earthly during automatic installation, and to mark related resources in AWS.                 |
+| subnet           | The subnet Earthly will deploy satellites into.                                                                                                          |
+| ssh_public_key   | (Optional) The SSH key to include in provisioned satellites. If left unspecified, a new key is generated, and the private key is available as an output. |
+| sg_cidr_override | (Optional) An override for the instance security group CIDR. If left unspecified, the rules will be generated with the CIDR of the configured subnet.    |
 
 
 ### Module Outputs
 
-| Name                 | Description                                                                                                                              |
-|----------------------|------------------------------------------------------------------------------------------------------------------------------------------|
-| installation_name    | The name to use to identify the cloud installation. Used by Earthly during automatic installation, and to mark related resources in AWS. |
-| security_group_id    | The ID of the security group for new satellites.                                                                                         |
-| ssh_key_name         | The name of the SSH key in AWS that is included in new satellites.                                                                       |
-| ssh_private_key      | (Sensitive) The private key, if `ssh_public_key` is unspecified.                                                                         |
-| instance_profile_arn | The ARN of the instance profile satellite instances will use for logging.                                                                |
-| compute_role_arn     | The ARN of the role Earthly will assume to orchestrate satellites on your behalf.                                                        |
+| Name                  | Description                                                                                                                              |
+|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------|
+| installation_name     | The name to use to identify the cloud installation. Used by Earthly during automatic installation, and to mark related resources in AWS. |
+| security_group_id     | The ID of the security group for new satellites.                                                                                         |
+| ssh_key_name          | The name of the SSH key in AWS that is included in new satellites.                                                                       |
+| ssh_private_key       | (Sensitive) The private key, if `ssh_public_key` is unspecified.                                                                         |
+| instance_profile_name | The name of the instance profile satellite instances will use for logging.                                                               |
+| compute_role_arn      | The ARN of the role Earthly will assume to orchestrate satellites on your behalf.                                                        |
diff --git a/main.tf b/main.tf
@@ -47,42 +47,60 @@ resource "aws_security_group" satellite_security_group {
   name = "${var.cloud_name}-satellites-access"
   description = "Minimal required rules for satellites."
   vpc_id = data.aws_subnet.current.vpc_id
+  tags = local.tags
+}
 
-  ingress {
-      cidr_blocks = [data.aws_subnet.current.cidr_block]
-      protocol = "tcp"
-      description = "Allow SSH access from within the ingress subnet"
-      from_port = 22
-      to_port = 22
-  }
+resource "aws_vpc_security_group_egress_rule" "open_outbound" {
+  security_group_id = aws_security_group.satellite_security_group.id
 
-  ingress {
-      cidr_blocks = [data.aws_subnet.current.cidr_block]
-      protocol = "tcp"
-      description = "Allow Buildkit access from within the ingress subnet"
-      from_port = 8372
-      to_port = 8372
-  }
+  cidr_ipv4   = "0.0.0.0/0"
+  ip_protocol = "-1"
+  description = "Satellites have general outbound access to whatever they need"
+}
 
-  ingress {
-      cidr_blocks = [data.aws_subnet.current.cidr_block]
-      protocol = "tcp"
-      description = "Allow Prometheus access from within the ingress subnet"
-      from_port = 9000
-      to_port = 9000
-  }
+resource "aws_vpc_security_group_ingress_rule" "satellite_ssh" {
+  security_group_id = aws_security_group.satellite_security_group.id
+  cidr_ipv4 = (
+    var.sg_cidr_override == ""
+    ? data.aws_subnet.current.cidr_block
+    : var.sg_cidr_override
+  )
 
-  egress {
-      cidr_blocks = ["0.0.0.0/0"]
-      protocol = -1
-      description = "Satellites have general outbound access to whatever they need"
-      from_port = 0
-      to_port = 0
-    }
+  description = "Allow SSH access from the satellites subnet"
+  ip_protocol = "tcp"
+  from_port   = 22
+  to_port     = 22
+}
 
-  tags = local.tags
+resource "aws_vpc_security_group_ingress_rule" "satellite_buildkit" {
+  security_group_id = aws_security_group.satellite_security_group.id
+  cidr_ipv4 = (
+    var.sg_cidr_override == ""
+    ? data.aws_subnet.current.cidr_block
+    : var.sg_cidr_override
+  )
+
+  description = "Allow BuildKit access from the satellites subnet"
+  ip_protocol = "tcp"
+  from_port   = 8372
+  to_port     = 8372
+}
+
+resource "aws_vpc_security_group_ingress_rule" "satellite_prometheus" {
+  security_group_id = aws_security_group.satellite_security_group.id
+  cidr_ipv4 = (
+    var.sg_cidr_override == ""
+    ? data.aws_subnet.current.cidr_block
+    : var.sg_cidr_override
+  )
+
+  description = "Allow Prometheus access from the satellites subnet"
+  ip_protocol = "tcp"
+  from_port   = 9000
+  to_port     = 9000
 }
 
+
 ## ---------------------------------------------------------------------------------------------------------------------
 ## SATELLITE INSTANCE ROLE
 ## Satellites need IAM permissions to allow Buildkit logs to CloudFormation.
@@ -91,15 +109,17 @@ resource "aws_security_group" satellite_security_group {
 resource "aws_iam_role" satellite_instance_role {
   description = "The instance role for Satellites"
   path = "/earthly/satellites/${var.cloud_name}/"
-  managed_policy_arns = [
-    aws_iam_policy.satellite_instance_policy.arn
-  ]
   max_session_duration = 3600
   name = "${var.cloud_name}-satellite-instance"
   assume_role_policy = data.aws_iam_policy_document.satellite_instance_assume_role_policy_document.json
   tags = local.tags
 }
 
+resource "aws_iam_role_policy_attachment" "satellite_instance_policy_attachment" {
+  role       = aws_iam_role.satellite_instance_role.name
+  policy_arn = aws_iam_policy.satellite_instance_policy.arn
+}
+
 data aws_iam_policy_document satellite_instance_assume_role_policy_document {
   version = "2012-10-17"
 

diff --git a/outputs.tf b/outputs.tf
@@ -37,9 +37,9 @@ output "ssh_private_key" {
   )
 }
 
-output "instance_profile_arn" {
-  description = "The ARN of the instance profile satellites use for logging in a given cloud installation."
-  value       = aws_iam_instance_profile.satellite_instance_profile.arn
+output "instance_profile_name" {
+  description = "The name of the instance profile satellites use for logging in a given cloud installation."
+  value       = aws_iam_instance_profile.satellite_instance_profile.name
 }
 
 output "compute_role_arn" {

diff --git a/variables.tf b/variables.tf
@@ -8,6 +8,12 @@ variable subnet {
   type = string
 }
 
+variable sg_cidr_override {
+  description = "Overrides the CIDR used in security group rules for the satellites"
+  type        = string
+  default     = ""
+}
+
 variable ssh_public_key {
   description = "The public key to use when provisioning your satellites. No value generates a key for you and stores the private key in your outputs."
   type = string