From f62a4f6cd7158f3c3eef385f1e5dd7283d606e3b Mon Sep 17 00:00:00 2001
From: Jacopo De Amicis
Date: Fri, 12 Jan 2024 22:54:29 +0100
Subject: [PATCH] Allow traffic from external slurmdbd to slurmctld's

Add ingress rule in the external dbd client security group to allow connections initiated from the slurmdbd. Such connections may be established from the slurmdbd's side when the slurmdbd drops and then recovers: in this case it is the slurmdbd attempting to re-establish the connectivity between itself and all the slurmctld's it was previously connected to. Remove useless egress rules from security groups (all outgoing traffic is enabled by default at the moment).

Signed-off-by: Jacopo De Amicis
---
 .../external_slurmdbd/external_slurmdbd_stack.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/cloudformation/external-slurmdbd/external_slurmdbd/external_slurmdbd_stack.py b/cloudformation/external-slurmdbd/external_slurmdbd/external_slurmdbd_stack.py
index dda1d0bc38..333bd8986e 100644
--- a/cloudformation/external-slurmdbd/external_slurmdbd/external_slurmdbd_stack.py
+++ b/cloudformation/external-slurmdbd/external_slurmdbd/external_slurmdbd_stack.py
@@ -204,20 +204,21 @@ def _add_management_security_groups(self):
 description="Allow SSH access to slurmdbd instance (server)",
 vpc=self.vpc,
 )
+
 client_sg = ec2.SecurityGroup(
 self,
 "SSHClientSecurityGroup",
 description="Allow SSH access to slurmdbd instance (client)",
 vpc=self.vpc,
 )
+
 server_sg.add_ingress_rule(
 peer=client_sg, connection=ec2.Port.tcp(22), description="Allow SSH access from client SG"
 )
- client_sg.add_egress_rule(
- peer=server_sg, connection=ec2.Port.tcp(22), description="Allow SSH access to server SG"
- )
+
 return server_sg, client_sg
+ # FIXME: make the ingress rules more configurable
 def _add_slurmdbd_accounting_security_groups(self):
 slurmdbd_server_sg = ec2.SecurityGroup(
 self,
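Review bot: With the `client_sg.add_egress_rule(...)` call removed, outbound SSH from `client_sg` to `server_sg` depends entirely on the construct's default allow-all egress, and nothing in the code records that; the reasoning exists only in the commit message. Passing `allow_all_outbound=True` explicitly in the `ec2.SecurityGroup(...)` call for `client_sg`, or adding a comment such as `# egress: relies on the default allow-all outbound; restore a tcp(22) egress rule to server_sg if this is ever restricted`, would keep that dependency visible to whoever tightens these groups later. The same applies to the port 6819 egress rule removed from `slurmdbd_client_sg` in the second hunk. `_add_management_security_groups` starts before this hunk, so the constructor arguments of `server_sg` are only partly visible.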
@@ -239,10 +240,10 @@ def _add_slurmdbd_accounting_security_groups(self):
 description="Allow Slurm accounting traffic from the cluster head node",
 )
- slurmdbd_client_sg.add_egress_rule(
+ slurmdbd_client_sg.add_ingress_rule(
 peer=slurmdbd_server_sg,
- connection=ec2.Port.tcp(6819),
- description="Allow Slurm accounting traffic to the slurmdbd instance",
+ connection=ec2.Port.tcp_range(6820, 6829),
+ description="Allow traffic coming from slurmdbd instance",
 )
 return slurmdbd_server_sg, slurmdbd_client_sg
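Review bot: The new ingress rule on `slurmdbd_client_sg` hard-codes `ec2.Port.tcp_range(6820, 6829)` without saying where the range comes from. The rule only helps if it matches the ports slurmctld actually listens on in the clusters that attach this group, presumably their `SlurmctldPort` setting, which is not visible here. I would name the range, e.g. `SLURMCTLD_PORT_RANGE = (6820, 6829)`, with a comment tying it to the cluster configuration. The rule description should also state the purpose, for example `description="Allow slurmdbd-initiated connections to slurmctld (TCP 6820-6829)"`, so that an audit of the group can tell why ten ports are open. Scoping the peer to `slurmdbd_server_sg` rather than a CIDR is the right choice and should be kept if the rule is made configurable, as the FIXME in the first hunk intends.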