From 869b42bc56345f1fb1927a468066a7ad794f66e7 Mon Sep 17 00:00:00 2001
From: Josh Myers
Date: Tue, 18 Dec 2018 12:31:06 +0000
Subject: [PATCH] Allow outbound DNS requests from Lambda SG

So that we can resolve DNS for the ES cluster.
---
 main.tf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/main.tf b/main.tf
index f6c3903..e64e4b6 100644
--- a/main.tf
+++ b/main.tf
@@ -121,6 +121,26 @@ resource "aws_security_group" "default" {
 tags = "${module.label.tags}"
 }
 
+resource "aws_security_group_rule" "udp_dns_egress_from_lambda" {
+ description = "Allow outbound UDP traffic from Lambda Elasticsearch cleanup to DNS"
+ type = "egress"
+ from_port = 53
+ to_port = 53
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = "${aws_security_group.default.id}"
+}
+
+resource "aws_security_group_rule" "tcp_dns_egress_from_lambda" {
+ description = "Allow outbound TCP traffic from Lambda Elasticsearch cleanup to DNS"
+ type = "egress"
+ from_port = 53
+ to_port = 53
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = "${aws_security_group.default.id}"
+}
+
 resource "aws_security_group_rule" "egress_from_lambda_to_es_cluster" {
 description = "Allow outbound traffic from Lambda Elasticsearch cleanup SG to Elasticsearch SG"
 type = "egress"
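Review bot: Both added rules, `udp_dns_egress_from_lambda` and `tcp_dns_egress_from_lambda`, set `cidr_blocks = ["0.0.0.0/0"]` on port 53, which is wider than resolving the ES cluster's name requires and hands a function in this security group an any-destination DNS path, a well-known exfiltration and tunnelling channel from an otherwise tightly scoped SG. A Lambda function attached to a VPC resolves through the Amazon-provided resolver at the VPC's base+2 address (also reachable at 169.254.169.253), so the VPC's own CIDR block is sufficient for the stated purpose; source it from whatever VPC variable or `data "aws_vpc"` lookup this module already has, since none is visible in the hunk. If an external resolver really is required, keep `0.0.0.0/0` but state that in the `description` so the rule is not narrowed later without understanding why. The two resources differ only in `protocol`, so a single rule with `count` over `["udp", "tcp"]` would stop the pair drifting apart, though that part is optional.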