From f6bc00bfa06e9add1fb2ba54cc63bec0b32b6d05 Mon Sep 17 00:00:00 2001
From: Bradley Lunsford
Date: Tue, 17 Sep 2024 15:18:49 -0700
Subject: [PATCH] adding requested changes
---
 .../terraform-unity-sps-airflow/README.md | 4 +--
 .../terraform-unity-sps-airflow/locals.tf | 1 +
 .../terraform-unity-sps-airflow/main.tf | 29 +++++------------
 .../README.md | 4 +--
 .../locals.tf | 1 +
 .../main.tf | 31 +++++--------------
 6 files changed, 20 insertions(+), 50 deletions(-)
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/README.md b/terraform-unity/modules/terraform-unity-sps-airflow/README.md
index d6e8b3c..2314b4b 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/README.md
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/README.md
@@ -49,9 +49,7 @@ No modules.
 | [aws_ssm_parameter.airflow_ui_health_check_endpoint](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.airflow_ui_url](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.unity_proxy_airflow_ui](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
-| [aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule1](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
-| [aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule2](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
-| [aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule3](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.airflow_ingress_sg_proxy_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [helm_release.airflow](https://registry.terraform.io/providers/hashicorp/helm/2.13.1/docs/resources/release) | resource |
 | [helm_release.keda](https://registry.terraform.io/providers/hashicorp/helm/2.13.1/docs/resources/release) | resource |
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf b/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf
index 810e34c..58f31a8 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/locals.tf
@@ -13,6 +13,7 @@ locals {
 mission = var.project
 Stack = ""
 }
+ load_balancer_port = 5000
 oidc_provider_url = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
 airflow_metadata_kubernetes_secret = "airflow-metadata-secret"
 airflow_webserver_kubernetes_secret = "airflow-webserver-secret"
diff --git a/terraform-unity/modules/terraform-unity-sps-airflow/main.tf b/terraform-unity/modules/terraform-unity-sps-airflow/main.tf
index ce36277..6893e6f 100644
--- a/terraform-unity/modules/terraform-unity-sps-airflow/main.tf
+++ b/terraform-unity/modules/terraform-unity-sps-airflow/main.tf
@@ -414,26 +414,13 @@ resource "aws_security_group" "airflow_ingress_sg" {
 })
 }
 
-resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_jpl_rule1" {
+resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_jpl_rule" {
+ for_each = toset(["128.149.0.0/16", "137.78.0.0/16", "137.79.0.0/16"])
 security_group_id = aws_security_group.airflow_ingress_sg.id
 ip_protocol = "tcp"
- from_port = 5000
- to_port = 5000
- cidr_ipv4 = "128.149.0.0/16"
-}
-resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_jpl_rule2" {
- security_group_id = aws_security_group.airflow_ingress_sg.id
- ip_protocol = "tcp"
- from_port = 5000
- to_port = 5000
- cidr_ipv4 = "137.78.0.0/16"
-}
-resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_jpl_rule3" {
- security_group_id = aws_security_group.airflow_ingress_sg.id
- ip_protocol = "tcp"
- from_port = 5000
- to_port = 5000
- cidr_ipv4 = "137.79.0.0/16"
+ from_port = local.load_balancer_port
+ to_port = local.load_balancer_port
+ cidr_ipv4 = each.key
 }
 
 data "aws_security_groups" "venue_proxy_sg" {
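Review bot: The added `load_balancer_port = 5000` carries no comment, and nothing in locals.tf says that it is the ALB listener port which the JPL and proxy ingress rules and the `listen-ports` Ingress annotation in main.tf are now all keyed on, so a reader cannot tell whether changing it is safe without grepping the module. A one-line comment would do: `# ALB listener port; shared by the ingress-rule from/to ports and the listen-ports annotation in main.tf`. The same applies to the terraform-unity-sps-ogc-processes-api/locals.tf hunk, which adds `load_balancer_port = 5001`. The `locals` block starts before this hunk.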
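Review bot: Collapsing `airflow_ingress_sg_jpl_rule1`/`2`/`3` into one `for_each` resource changes their state addresses, so without `moved` blocks the next apply will plan a destroy of the three existing rules and a create of `airflow_ingress_sg_jpl_rule["<cidr>"]` rather than a no-op; depending on how AWS orders the two, that is presumably either a duplicate-rule error or a short window with no JPL ingress on the ALB security group. Adding `moved` blocks keeps the refactor state-only; the `ogc_ingress_sg_jpl_rule` hunk in terraform-unity-sps-ogc-processes-api/main.tf needs the same treatment. Separately, the three JPL CIDRs are now hard-coded once per module inside `toset([...])`; lifting them into a local next to `load_balancer_port` (say `jpl_cidrs`) with a comment naming the networks they cover would keep the allow-list reviewable in one place.
```terraform
resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_jpl_rule" {
  # … unchanged: for_each, security_group_id, ip_protocol, ports, cidr_ipv4 …
}

# State-only renames so the refactor does not destroy and recreate the rules.
moved {
  from = aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule1
  to   = aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule["128.149.0.0/16"]
}

moved {
  from = aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule2
  to   = aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule["137.78.0.0/16"]
}

moved {
  from = aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule3
  to   = aws_vpc_security_group_ingress_rule.airflow_ingress_sg_jpl_rule["137.79.0.0/16"]
}
```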
@@ -450,8 +437,8 @@ resource "aws_vpc_security_group_ingress_rule" "airflow_ingress_sg_proxy_rule" {
 count = length(data.aws_security_groups.venue_proxy_sg.ids) > 0 ? 1 : 0
 security_group_id = aws_security_group.airflow_ingress_sg.id
 ip_protocol = "tcp"
- from_port = 5000
- to_port = 5000
+ from_port = local.load_balancer_port
+ to_port = local.load_balancer_port
 referenced_security_group_id = data.aws_security_groups.venue_proxy_sg.ids[0]
 }
 
@@ -463,7 +450,7 @@ resource "kubernetes_ingress_v1" "airflow_ingress" {
 "alb.ingress.kubernetes.io/scheme" = "internet-facing"
 "alb.ingress.kubernetes.io/target-type" = "ip"
 "alb.ingress.kubernetes.io/subnets" = join(",", jsondecode(data.aws_ssm_parameter.subnet_ids.value)["public"])
- "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": 5000}]"
+ "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": ${local.load_balancer_port}}]"
 "alb.ingress.kubernetes.io/security-groups" = aws_security_group.airflow_ingress_sg.id
 "alb.ingress.kubernetes.io/healthcheck-path" = "/health"
 }
diff --git a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md
index 7ddea64..05e6521 100644
--- a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md
+++ b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/README.md
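Review bot: The `listen-ports` annotation now builds its JSON by string interpolation, `"[{\"HTTP\": ${local.load_balancer_port}}]"`, which is hard to read past the escaped quotes and the `}}` and easy to break on the next edit; `"alb.ingress.kubernetes.io/listen-ports" = jsonencode([{ HTTP = local.load_balancer_port }])` yields the same document and lets Terraform do the quoting. The same line appears in the `ogc_processes_api_ingress` hunk of terraform-unity-sps-ogc-processes-api/main.tf. The `kubernetes_ingress_v1` resource starts and ends outside this hunk.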
@@ -28,9 +28,7 @@ No modules.
 | [aws_ssm_parameter.ogc_processes_api_url](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.ogc_processes_ui_url](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.unity_proxy_ogc_api](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/ssm_parameter) | resource |
-| [aws_vpc_security_group_ingress_rule.ogc_ingress_sg_jpl_rule1](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
-| [aws_vpc_security_group_ingress_rule.ogc_ingress_sg_jpl_rule2](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
-| [aws_vpc_security_group_ingress_rule.ogc_ingress_sg_jpl_rule3](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.ogc_ingress_sg_jpl_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.ogc_ingress_sg_proxy_rule](https://registry.terraform.io/providers/hashicorp/aws/5.50.0/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [kubernetes_deployment.ogc_processes_api](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/deployment) | resource |
 | [kubernetes_deployment.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/2.29.0/docs/resources/deployment) | resource |
diff --git a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf
index e61981e..42a5000 100644
--- a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf
+++ b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/locals.tf
@@ -13,4 +13,5 @@ locals {
 mission = var.project
 Stack = ""
 }
+ load_balancer_port = 5001
 }
diff --git a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf
index 8c897c3..f0b2225 100644
--- a/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf
+++ b/terraform-unity/modules/terraform-unity-sps-ogc-processes-api/main.tf
@@ -217,28 +217,13 @@ resource "aws_security_group" "ogc_ingress_sg" {
 })
 }
 
-resource "aws_vpc_security_group_ingress_rule" "ogc_ingress_sg_jpl_rule1" {
+resource "aws_vpc_security_group_ingress_rule" "ogc_ingress_sg_jpl_rule" {
+ for_each = toset(["128.149.0.0/16", "137.78.0.0/16", "137.79.0.0/16"])
 security_group_id = aws_security_group.ogc_ingress_sg.id
 ip_protocol = "tcp"
- from_port = 5001
- to_port = 5001
- cidr_ipv4 = "128.149.0.0/16"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "ogc_ingress_sg_jpl_rule2" {
- security_group_id = aws_security_group.ogc_ingress_sg.id
- ip_protocol = "tcp"
- from_port = 5001
- to_port = 5001
- cidr_ipv4 = "137.78.0.0/16"
-}
-
-resource "aws_vpc_security_group_ingress_rule" "ogc_ingress_sg_jpl_rule3" {
- security_group_id = aws_security_group.ogc_ingress_sg.id
- ip_protocol = "tcp"
- from_port = 5001
- to_port = 5001
- cidr_ipv4 = "137.79.0.0/16"
+ from_port = local.load_balancer_port
+ to_port = local.load_balancer_port
+ cidr_ipv4 = each.key
 }
 
 data "aws_security_groups" "venue_proxy_sg" {
@@ -255,8 +240,8 @@ resource "aws_vpc_security_group_ingress_rule" "ogc_ingress_sg_proxy_rule" {
 count = length(data.aws_security_groups.venue_proxy_sg.ids) > 0 ? 1 : 0
 security_group_id = aws_security_group.ogc_ingress_sg.id
 ip_protocol = "tcp"
- from_port = 5001
- to_port = 5001
+ from_port = local.load_balancer_port
+ to_port = local.load_balancer_port
 referenced_security_group_id = data.aws_security_groups.venue_proxy_sg.ids[0]
 }
 
@@ -268,7 +253,7 @@ resource "kubernetes_ingress_v1" "ogc_processes_api_ingress" {
 "alb.ingress.kubernetes.io/scheme" = "internet-facing"
 "alb.ingress.kubernetes.io/target-type" = "ip"
 "alb.ingress.kubernetes.io/subnets" = join(",", jsondecode(data.aws_ssm_parameter.subnet_ids.value)["public"])
- "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": 5001}]"
+ "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": ${local.load_balancer_port}}]"
 "alb.ingress.kubernetes.io/security-groups" = aws_security_group.ogc_ingress_sg.id
 "alb.ingress.kubernetes.io/healthcheck-path" = "/health"
 }