Adding RDP and updating MSSQL service ports. (#35)

modules/README.md

@@ -20,6 +20,7 @@ List of Security Groups implemented as Terraform modules
 * [nomad](nomad)
 * [openvpn](openvpn)
 * [postgresql](postgresql)
+* [rdp](rdp)
 * [redis](redis)
 * [redshift](redshift)
 * [ssh](ssh)

modules/mssql/auto_values.tf

@@ -6,7 +6,7 @@
 variable "auto_ingress_rules" {
   description = "List of ingress rules to add automatically"
   type        = "list"
-  default     = ["mssql-tcp"]
+  default     = ["mssql-tcp", "mssql-udp", "mssql-analytics-tcp", "mssql-broker-tcp"]
 }
 
 variable "auto_ingress_with_self" {

modules/rdp/auto_values.tf

+# This file was generated from values defined in rules.tf using update_groups.sh.
+###################################
+# DO NOT CHANGE THIS FILE MANUALLY
+###################################
+
+variable "auto_ingress_rules" {
+  description = "List of ingress rules to add automatically"
+  type        = "list"
+  default     = ["rdp-tcp"]
+}
+
+variable "auto_ingress_with_self" {
+  description = "List of maps defining ingress rules with self to add automatically"
+  type        = "list"
+
+  default = [{
+    "rule" = "all-all"
+  }]
+}
+
+variable "auto_egress_rules" {
+  description = "List of egress rules to add automatically"
+  type        = "list"
+  default     = ["all-all"]
+}
+
+variable "auto_egress_with_self" {
+  description = "List of maps defining egress rules with self to add automatically"
+  type        = "list"
+  default     = []
+}

modules/rdp/main.tf

+module "sg" {
+  source = "../../"
+
+  create      = "${var.create}"
+  name        = "${var.name}"
+  description = "${var.description}"
+  vpc_id      = "${var.vpc_id}"
+  tags        = "${var.tags}"
+
+  ##########
+  # Ingress
+  ##########
+  # Rules by names - open for default CIDR
+  ingress_rules = ["${sort(distinct(concat(var.auto_ingress_rules, var.ingress_rules)))}"]
+
+  # Open for self
+  ingress_with_self = ["${concat(var.auto_ingress_with_self, var.ingress_with_self)}"]
+
+  # Open to IPv4 cidr blocks
+  ingress_with_cidr_blocks = ["${var.ingress_with_cidr_blocks}"]
+
+  # Open to IPv6 cidr blocks
+  ingress_with_ipv6_cidr_blocks = ["${var.ingress_with_ipv6_cidr_blocks}"]
+
+  # Open for security group id
+  ingress_with_source_security_group_id = ["${var.ingress_with_source_security_group_id}"]
+
+  # Default ingress CIDR blocks
+  ingress_cidr_blocks      = ["${var.ingress_cidr_blocks}"]
+  ingress_ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
+
+  # Default prefix list ids
+  ingress_prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
+
+  #########
+  # Egress
+  #########
+  # Rules by names - open for default CIDR
+  egress_rules = ["${sort(distinct(concat(var.auto_egress_rules, var.egress_rules)))}"]
+
+  # Open for self
+  egress_with_self = ["${concat(var.auto_egress_with_self, var.egress_with_self)}"]
+
+  # Open to IPv4 cidr blocks
+  egress_with_cidr_blocks = ["${var.egress_with_cidr_blocks}"]
+
+  # Open to IPv6 cidr blocks
+  egress_with_ipv6_cidr_blocks = ["${var.egress_with_ipv6_cidr_blocks}"]
+
+  # Open for security group id
+  egress_with_source_security_group_id = ["${var.egress_with_source_security_group_id}"]
+
+  # Default egress CIDR blocks
+  egress_cidr_blocks      = ["${var.egress_cidr_blocks}"]
+  egress_ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
+
+  # Default prefix list ids
+  egress_prefix_list_ids = ["${var.egress_prefix_list_ids}"]
+}

modules/rdp/outputs.tf

+output "this_security_group_id" {
+  description = "The ID of the security group"
+  value       = "${module.sg.this_security_group_id}"
+}
+
+output "this_security_group_vpc_id" {
+  description = "The VPC ID"
+  value       = "${module.sg.this_security_group_vpc_id}"
+}
+
+output "this_security_group_owner_id" {
+  description = "The owner ID"
+  value       = "${module.sg.this_security_group_owner_id}"
+}
+
+output "this_security_group_name" {
+  description = "The name of the security group"
+  value       = "${module.sg.this_security_group_name}"
+}
+
+output "this_security_group_description" {
+  description = "The description of the security group"
+  value       = "${module.sg.this_security_group_description}"
+}

modules/rdp/variables.tf

+#################
+# Security group
+#################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC where to create security group"
+}
+
+variable "name" {
+  description = "Name of security group"
+}
+
+variable "description" {
+  description = "Description of security group"
+  default     = "Security Group managed by Terraform"
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to security group"
+  default     = {}
+}
+
+##########
+# Ingress
+##########
+variable "ingress_rules" {
+  description = "List of ingress rules to create by name"
+  default     = []
+}
+
+variable "ingress_with_self" {
+  description = "List of ingress rules to create where 'self' is defined"
+  default     = []
+}
+
+variable "ingress_with_cidr_blocks" {
+  description = "List of ingress rules to create where 'cidr_blocks' is used"
+  default     = []
+}
+
+variable "ingress_with_ipv6_cidr_blocks" {
+  description = "List of ingress rules to create where 'ipv6_cidr_blocks' is used"
+  default     = []
+}
+
+variable "ingress_with_source_security_group_id" {
+  description = "List of ingress rules to create where 'source_security_group_id' is used"
+  default     = []
+}
+
+variable "ingress_cidr_blocks" {
+  description = "List of IPv4 CIDR ranges to use on all ingress rules"
+  default     = []
+}
+
+variable "ingress_ipv6_cidr_blocks" {
+  description = "List of IPv6 CIDR ranges to use on all ingress rules"
+  default     = []
+}
+
+variable "ingress_prefix_list_ids" {
+  description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules"
+  default     = []
+}
+
+#########
+# Egress
+#########
+variable "egress_rules" {
+  description = "List of egress rules to create by name"
+  default     = []
+}
+
+variable "egress_with_self" {
+  description = "List of egress rules to create where 'self' is defined"
+  default     = []
+}
+
+variable "egress_with_cidr_blocks" {
+  description = "List of egress rules to create where 'cidr_blocks' is used"
+  default     = []
+}
+
+variable "egress_with_ipv6_cidr_blocks" {
+  description = "List of egress rules to create where 'ipv6_cidr_blocks' is used"
+  default     = []
+}
+
+variable "egress_with_source_security_group_id" {
+  description = "List of egress rules to create where 'source_security_group_id' is used"
+  default     = []
+}
+
+variable "egress_cidr_blocks" {
+  description = "List of IPv4 CIDR ranges to use on all egress rules"
+  default     = ["0.0.0.0/0"]
+}
+
+variable "egress_ipv6_cidr_blocks" {
+  description = "List of IPv6 CIDR ranges to use on all egress rules"
+  default     = ["::/0"]
+}
+
+variable "egress_prefix_list_ids" {
+  description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules"
+  default     = []
+}

rules.tf

@@ -66,7 +66,10 @@ variable "rules" {
     mysql-tcp = [3306, 3306, "tcp", "MySQL/Aurora"]
 
     # MSSQL Server
-    mssql-tcp = [1433, 1433, "tcp", "MSSQL Server"]
+    mssql-tcp           = [1433, 1433, "tcp", "MSSQL Server"]
+    mssql-udp           = [1434, 1434, "udp", "MSSQL Browser"]
+    mssql-analytics-tcp = [2383, 2383, "tcp", "MSSQL Analytics"]
+    mssql-broker-tcp.   = [4022, 4022, "tcp", "MSSQL Broker"]
 
     # NFS/EFS
     nfs-tcp = [2049, 2049, "tcp", "NFS/EFS"]
@@ -88,6 +91,9 @@ variable "rules" {
     # Puppet
     puppet-tcp = [8140, 8140, "tcp", "Puppet"]
 
+    # RDP
+    rdp-tcp = [3389, 3389, "tcp", "Remote Desktop"]
+
     # Redis
     redis-tcp = [6379, 6379, "tcp", "Redis"]
 
@@ -215,7 +221,7 @@ variable "auto_groups" {
     }
 
     mssql = {
-      ingress_rules     = ["mssql-tcp"]
+      ingress_rules     = ["mssql-tcp", "mssql-udp", "mssql-analytics-tcp", "mssql-broker-tcp"]
       ingress_with_self = ["all-all"]
       egress_rules      = ["all-all"]
     }
@@ -244,6 +250,12 @@ variable "auto_groups" {
       egress_rules      = ["all-all"]
     }
 
+    rdp = {
+      ingress_rules     = ["rdp-tcp"]
+      ingress_with_self = ["all-all"]
+      egress_rules      = ["all-all"]
+    }
+
     redis = {
       ingress_rules     = ["redis-tcp"]
       ingress_with_self = ["all-all"]