Add rule from eks nodes

modules/eks/node-group.tf

@@ -83,3 +83,14 @@ resource "aws_security_group_rule" "netapp" {
   description              = "Netapp access from EKS nodes."
   source_security_group_id = aws_security_group.eks_nodes.id
 }
+
+resource "aws_security_group_rule" "ecr_endpoint" {
+  count                    = var.network_info.ecr_endpoint_sg_id != null ? 1 : 0
+  security_group_id        = var.network_info.ecr_endpoint_sg_id
+  protocol                 = "tcp"
+  from_port                = 443
+  to_port                  = 443
+  type                     = "ingress"
+  description              = "ECR Endpoint access from EKS nodes."
+  source_security_group_id = aws_security_group.eks_nodes.id
+}

modules/eks/variables.tf

@@ -21,6 +21,7 @@ variable "region" {
 variable "network_info" {
   description = <<EOF
     id = VPC ID.
+    ecr_endpoint_sg_id = ECR Endpoint security group id.
     subnets = {
       public = List of public Subnets.
       [{
@@ -47,6 +48,7 @@ variable "network_info" {
   EOF
   type = object({
     vpc_id = string
+    ecr_endpoint_sg_id = string
     subnets = object({
       public = list(object({
         name      = string

modules/infra/submodules/network/outputs.tf

@@ -17,5 +17,6 @@ output "info" {
     vpc_cidrs = var.network.cidrs.vpc
     pod_cidrs = var.network.cidrs.pod
     s3_cidrs  = data.aws_prefix_list.s3.cidr_blocks
+    ecr_endpoint_sg_id = data.aws_security_group.ecr_endpoint.id
   }
 }

modules/infra/submodules/network/vpc.tf

@@ -58,22 +58,6 @@ resource "aws_security_group" "ecr_endpoint" {
   description = "ECR Endpoint security group"
   vpc_id      = aws_vpc.this[0].id
 
-  ingress {
-    description = "Node to node https traffic"
-    protocol    = "tcp"
-    from_port   = 443
-    to_port     = 443
-    self        = true
-  }
-
-  egress {
-    description = "Allow outbound TCP traffic."
-    from_port   = 0
-    to_port     = 65535
-    protocol    = "tcp"
-    self        = true
-  }
-
   lifecycle {
     create_before_destroy = true
   }