
Removes unnecessary EIP from RHSSO; Allows CRL lookups through SG

To be tagged v2.0.11
Fred Damstra [afs macbook] 4 years ago
parent
commit
9ce601db7e
2 changed files with 20 additions and 10 deletions
  1. 11 10
      base/rhsso/main.tf
  2. 9 0
      base/rhsso/security-groups.tf

+ 11 - 10
base/rhsso/main.tf

@@ -16,17 +16,18 @@ resource "aws_network_interface" "instance" {
   tags = merge(var.standard_tags, var.tags, { Name = "rhsso-${count.index}" })
 }
 
-resource "aws_eip" "instance" {
-  count = var.rhsso_instance_count
-  vpc = true
-  tags = merge(var.standard_tags, var.tags, { Name = "rhsso-${count.index}" })
-}
+# Even though it's in the public subnet, no EIP, as it's handled by the NLB. It must use the proxy for outbound access.
+#resource "aws_eip" "instance" {
+#  count = var.rhsso_instance_count
+#  vpc = true
+#  tags = merge(var.standard_tags, var.tags, { Name = "rhsso-${count.index}" })
+#}
 
-resource "aws_eip_association" "instance" {
-  count = var.rhsso_instance_count
-  network_interface_id = aws_network_interface.instance[count.index].id
-  allocation_id = aws_eip.instance[count.index].id
-}
+#resource "aws_eip_association" "instance" {
+#  count = var.rhsso_instance_count
+#  network_interface_id = aws_network_interface.instance[count.index].id
+#  allocation_id = aws_eip.instance[count.index].id
+#}
 
 resource "aws_instance" "instance" {
   count = var.rhsso_instance_count
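Review bot: The explanatory comment added at the top of this hunk states that the instances "must use the proxy for outbound access", but the security-groups.tf hunk in the same commit adds a direct tcp/80 egress rule to 0.0.0.0/0 for CRL lookups, so the comment is already inaccurate the moment it lands. Suggest making the exception explicit, e.g. `# No EIP: inbound is fronted by the NLB. Outbound goes via the proxy, except the direct tcp/80 egress for CRL lookups (see security-groups.tf).` The two resources kept as commented-out blocks (aws_eip and aws_eip_association) are dead code that version control already preserves; deleting them and keeping only the one-line rationale would make the file easier to audit for what is actually provisioned. The aws_instance resource that begins at the end of this hunk continues outside it.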

+ 9 - 0
base/rhsso/security-groups.tf

@@ -45,6 +45,15 @@ resource "aws_security_group_rule" "cluster-connectivity-egress" {
   source_security_group_id = aws_security_group.instance.id
 }
 
+resource "aws_security_group_rule" "outbound_http" {
+  description = "CRL Lookups go direct"
+  type = "egress"
+  from_port = 80
+  to_port = 80
+  protocol = "tcp"
+  security_group_id = aws_security_group.instance.id
+  cidr_blocks = [ "0.0.0.0/0" ]
+}
 
 #resource "aws_security_group_rule" "instance-http-in" {
 #  description = ""