Sort firewall / security rules and add comments

* No functional changes to network firewalls

aws/container-linux/kubernetes/security.tf

@@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
   cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "controller-apiserver" {
-  security_group_id = "${aws_security_group.controller.id}"
-
-  type        = "ingress"
-  protocol    = "tcp"
-  from_port   = 6443
-  to_port     = 6443
-  cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-etcd" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
   self      = true
 }
 
+# Allow Prometheus to scrape etcd metrics
 resource "aws_security_group_rule" "controller-etcd-metrics" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
   source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+resource "aws_security_group_rule" "controller-apiserver" {
+  security_group_id = "${aws_security_group.controller.id}"
+
+  type        = "ingress"
+  protocol    = "tcp"
+  from_port   = 6443
+  to_port     = 6443
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "controller-flannel" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
   self      = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
   source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
   self      = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "controller-kubelet-read" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
   self      = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
   security_group_id = "${aws_security_group.worker.id}"
 
@@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
   cidr_blocks = ["0.0.0.0/0"]
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "worker-kubelet" {
   security_group_id = "${aws_security_group.worker.id}"
 
@@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
   source_security_group_id = "${aws_security_group.controller.id}"
 }
 
+# Allow Prometheus to scrape kubelet metrics
 resource "aws_security_group_rule" "worker-kubelet-self" {
   security_group_id = "${aws_security_group.worker.id}"
 
@@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
   self      = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "worker-kubelet-read" {
   security_group_id = "${aws_security_group.worker.id}"
 

aws/fedora-atomic/kubernetes/security.tf

@@ -31,16 +31,6 @@ resource "aws_security_group_rule" "controller-ssh" {
   cidr_blocks = ["0.0.0.0/0"]
 }
 
-resource "aws_security_group_rule" "controller-apiserver" {
-  security_group_id = "${aws_security_group.controller.id}"
-
-  type        = "ingress"
-  protocol    = "tcp"
-  from_port   = 6443
-  to_port     = 6443
-  cidr_blocks = ["0.0.0.0/0"]
-}
-
 resource "aws_security_group_rule" "controller-etcd" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -51,6 +41,7 @@ resource "aws_security_group_rule" "controller-etcd" {
   self      = true
 }
 
+# Allow Prometheus to scrape etcd metrics
 resource "aws_security_group_rule" "controller-etcd-metrics" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -61,6 +52,16 @@ resource "aws_security_group_rule" "controller-etcd-metrics" {
   source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+resource "aws_security_group_rule" "controller-apiserver" {
+  security_group_id = "${aws_security_group.controller.id}"
+
+  type        = "ingress"
+  protocol    = "tcp"
+  from_port   = 6443
+  to_port     = 6443
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "controller-flannel" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -81,6 +82,7 @@ resource "aws_security_group_rule" "controller-flannel-self" {
   self      = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "controller-node-exporter" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -91,6 +93,7 @@ resource "aws_security_group_rule" "controller-node-exporter" {
   source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "controller-kubelet" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -111,6 +114,7 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
   self      = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "controller-kubelet-read" {
   security_group_id = "${aws_security_group.controller.id}"
 
@@ -273,6 +277,7 @@ resource "aws_security_group_rule" "worker-flannel-self" {
   self      = true
 }
 
+# Allow Prometheus to scrape node-exporter daemonset
 resource "aws_security_group_rule" "worker-node-exporter" {
   security_group_id = "${aws_security_group.worker.id}"
 
@@ -293,6 +298,7 @@ resource "aws_security_group_rule" "ingress-health" {
   cidr_blocks = ["0.0.0.0/0"]
 }
 
+# Allow apiserver to access kubelets for exec, log, port-forward
 resource "aws_security_group_rule" "worker-kubelet" {
   security_group_id = "${aws_security_group.worker.id}"
 
@@ -303,6 +309,7 @@ resource "aws_security_group_rule" "worker-kubelet" {
   source_security_group_id = "${aws_security_group.controller.id}"
 }
 
+# Allow Prometheus to scrape kubelet metrics
 resource "aws_security_group_rule" "worker-kubelet-self" {
   security_group_id = "${aws_security_group.worker.id}"
 
@@ -313,6 +320,7 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
   self      = true
 }
 
+# Allow heapster / metrics-server to scrape kubelet read-only
 resource "aws_security_group_rule" "worker-kubelet-read" {
   security_group_id = "${aws_security_group.worker.id}"