open-edge-platform · hemasenthil13 · Dec 5, 2025 · Dec 4, 2025 · Dec 5, 2025 · Dec 5, 2025
diff --git a/pod-configs/module/load-balancer/main.tf b/pod-configs/module/load-balancer/main.tf
@@ -21,7 +21,7 @@ resource "aws_security_group" "common" {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    security_groups = var.eks_security_groups
   }
   dynamic "ingress" {
     for_each = var.ports

diff --git a/pod-configs/module/load-balancer/variable.tf b/pod-configs/module/load-balancer/variable.tf
@@ -49,3 +49,8 @@ variable "ip_allow_list" {
 variable "enable_deletion_protection" {
   default = true
 }
+
+variable "eks_security_groups" {
+  description = "List of EKS security group IDs (from module/eks/output.tf security_groups)"
+  type        = list(string)
+}
diff --git a/pod-configs/orchestrator/cluster/output.tf b/pod-configs/orchestrator/cluster/output.tf
@@ -76,3 +76,7 @@ output "smtp_url" {
   value = var.smtp_url
 }
 
+output "eks_security_group_id" {
+  description = "The major security group ID for the EKS cluster"
+  value       = module.eks.eks_security_group_id
+}
diff --git a/pod-configs/orchestrator/orch-load-balancer/main.tf b/pod-configs/orchestrator/orch-load-balancer/main.tf
@@ -40,6 +40,10 @@ data "aws_nat_gateway" "vpc_nat_gateway" {
 }
 
 locals {
+  eks_security_groups = [
+    data.terraform_remote_state.eks.outputs.eks_security_group_id,
+  ]
+
   public_subnet_ids = [for name, subnet in data.terraform_remote_state.vpc.outputs.public_subnets : subnet.id]
   vpc_id            = data.terraform_remote_state.vpc.outputs.vpc_id
   region            = data.terraform_remote_state.vpc.outputs.region
@@ -133,6 +137,7 @@ module "traefik2_load_balancer" {
   ip_allow_list              = local.ip_allow_list
   ports                      = local.nlb_ports
   enable_deletion_protection = var.enable_deletion_protection
+  eks_security_groups        = local.eks_security_groups
 }
 
 module "traefik3_load_balancer" {
@@ -148,6 +153,7 @@ module "traefik3_load_balancer" {
   ip_allow_list              = local.ip_allow_list
   ports                      = local.vpro_ports
   enable_deletion_protection = var.enable_deletion_protection
+  eks_security_groups        = local.eks_security_groups
 }
 
 # This block executes only when `create_argocd_load_balancer` is set to true

@@ -254,6 +254,40 @@ else
     exit 1
 fi
 }
+
+apply_load_balancer(){
+echo "Fetching Load Balancer ARNS for Traefik2 and Traefik3"
+
+LB_ARN_T2=$(aws resourcegroupstaggingapi get-resources \
+  --tag-filters Key=Name,Values="${ENV_NAME}-traefik2" \
+  --resource-type-filters elasticloadbalancing:loadbalancer \
+  --query "ResourceTagMappingList[].ResourceARN" \
+  --output text)
+
+LB_ARN_T3=$(aws resourcegroupstaggingapi get-resources \
+  --tag-filters Key=Name,Values="${ENV_NAME}-traefik3" \
+  --resource-type-filters elasticloadbalancing:loadbalancer \
+  --query "ResourceTagMappingList[].ResourceARN" \
+  --output text)
+
+EKS_SG_ID=$(aws ec2 describe-security-groups --filters "Name=group-name,Values=eks-${ENV_NAME}" --query "SecurityGroups[*].GroupId" --output text)
+
+echo "Fetching Load Balancer SG for Traefik2 and Traefik3"
+LB_SG_ID_T2=$(aws elbv2 describe-load-balancers   --load-balancer-arns "$LB_ARN_T2"   --query "LoadBalancers[0].SecurityGroups[0]"   --output text)
+LB_SG_ID_T3=$(aws elbv2 describe-load-balancers   --load-balancer-arns "$LB_ARN_T3"   --query "LoadBalancers[0].SecurityGroups[0]"   --output text)
+
+echo "Updating and revoking the SG for Traefik2"
+aws ec2 describe-security-groups --group-ids "$LB_SG_ID_T2" --query "SecurityGroups[0].IpPermissionsEgress[?UserIdGroupPairs[?GroupId=='$EKS_SG_ID']]" --output text | grep -q . || aws ec2 authorize-security-group-egress --group-id "$LB_SG_ID_T2" --protocol -1 --port -1 --source-group "$EKS_SG_ID"
+aws ec2 describe-security-groups --group-ids "$LB_SG_ID_T2" --query "SecurityGroups[0].IpPermissionsEgress[?IpRanges[?CidrIp=='0.0.0.0/0']]" --output text | grep -q . && aws ec2 revoke-security-group-egress --group-id "$LB_SG_ID_T2" --protocol all --port all --cidr 0.0.0.0/0
+
+
+echo "Updating and revoking the SG for Traefik3"
+aws ec2 describe-security-groups --group-ids "$LB_SG_ID_T3" --query "SecurityGroups[0].IpPermissionsEgress[?UserIdGroupPairs[?GroupId=='$EKS_SG_ID']]" --output text | grep -q . || aws ec2 authorize-security-group-egress --group-id "$LB_SG_ID_T3" --protocol -1 --port -1 --source-group "$EKS_SG_ID"
+aws ec2 describe-security-groups --group-ids "$LB_SG_ID_T3" --query "SecurityGroups[0].IpPermissionsEgress[?IpRanges[?CidrIp=='0.0.0.0/0']]" --output text | grep -q . && aws ec2 revoke-security-group-egress --group-id "$LB_SG_ID_T3" --protocol all --port all --cidr 0.0.0.0/0
+
+return 0
+}
+
 # Main
 
 if [[ ${COMMAND:-""} != upgrade ]]; then
@@ -270,6 +304,7 @@ connect_cluster
 echo "Starting action cluster"
 action_cluster
 apply_modules
+apply_load_balancer
 
 # Terminate existing sshuttle
 terminate_sshuttle