Commit 08901240 authored by Anton Babenko's avatar Anton Babenko

Initial commit

.terraform
terraform.tfstate
*.tfstate*
terraform.tfvars
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
AWS EC2-VPC Security Group Terraform module
===========================================
Terraform module which creates [EC2 security group within VPC](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) on AWS.
These types of resources are supported:
* [EC2-VPC Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
* [EC2-VPC Security Group Rules](https://www.terraform.io/docs/providers/aws/r/security_group_rule.html)
Root module creates security group with provided arguments.
Modules in [modules directory](modules) has been configured with the list of ingress (inbound) and egress (outbound) ports open for common scenarios (eg, [ssh](modules/ssh), [http](modules/http), [mysql](modules/mysql)).
Code in this module aims to implement **ALL** combinations of arguments (IPV4/IPV6 CIDR blocks, [VPC endpoint prefix lists](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html), source security groups, self), named rules.
If there is something missing - [open an issue](https://github.com/terraform-aws-modules/terraform-aws-security-group/issues/new).
Usage
-----
There are two ways to create security groups using this module:
##### 1. Security group with pre-defined rules
```hcl
module "web_server_sg" {
source = "terraform-aws-modules/security-group/aws//modules/http"
name = "web-server"
description = "Security group for web-server with HTTP ports open within VPC"
vpc_id = "vpc-12345678"
ingress_cidr_blocks = ["10.10.0.0/16"]
}
```
##### 2. Security group with custom rules
```hcl
module "vote_service_sg" {
source = "terraform-aws-modules/security-group/aws"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_cidr_blocks = ["10.10.0.0/16"]
ingress_rules = ["mysql"]
ingress_with_cidr_blocks = [
{
from_port = 8080
to_port = 8090
protocol = 6
description = "User-service ports"
cidr_blocks = "10.10.0.0/16"
},
{
rule = "postgres"
cidr_blocks = "0.0.0.0/0"
},
]
}
```
Parameters
----------
Ingress and egress rules can be configured in a variety of ways as listed on [the registry](https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws/?tab=inputs).
Examples
--------
* [Complete Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/complete)
* [HTTP Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/http)
Authors
-------
Module managed by [Anton Babenko](https://github.com/antonbabenko).
License
-------
Apache 2 Licensed. See LICENSE for full details.
\ No newline at end of file
Complete Security Group example
===============================
Configuration in this directory creates set of Security Group and Security Group Rules resources in various combination.
Data sources are used to discover existing VPC resources (VPC and default security group).
Usage
=====
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
provider "aws" {
region = "eu-west-1"
}
#############################################################
# Data sources to get VPC and default security group details
#############################################################
data "aws_vpc" "default" {
default = true
}
data "aws_security_group" "default" {
name = "default"
vpc_id = "${data.aws_vpc.default.id}"
}
################################################
# Security group with complete set of arguments
################################################
module "complete_sg" {
source = "../../"
name = "complete-sg"
description = "Security group with all available arguments set (this is just an example)"
vpc_id = "${data.aws_vpc.default.id}"
tags = {
Cash = "king"
Department = "kingdom"
}
# Default CIDR blocks, which will be used for all ingress rules in this module. Typically these are CIDR blocks of the VPC.
# If this is not specified then world-open CIDR blocks are used.
ingress_cidr_blocks = ["10.10.0.0/16"]
ingress_ipv6_cidr_blocks = ["2001:db8::/64"]
# Prefix list ids to use in all ingress rules in this module.
# ingress_prefix_list_ids = ["pl-123456"]
# Open for all CIDRs defined in ingress_cidr_blocks
ingress_rules = ["http"]
# Open to CIDRs blocks (rule or from_port+to_port+protocol+description)
ingress_with_cidr_blocks = [
{
rule = "postgres"
cidr_blocks = "0.0.0.0/0,2.2.2.2/32"
ipv6_cidr_blocks = "2001:db8::/60"
},
{
rule = "postgres"
cidr_blocks = "30.30.30.30/32"
},
{
from_port = 10
to_port = 20
protocol = 6
description = "Service name"
cidr_blocks = "10.10.0.0/20"
},
]
# Open for security group id (rule or from_port+to_port+protocol+description)
ingress_with_source_security_group_id = [
{
rule = "mysql"
source_security_group_id = "${data.aws_security_group.default.id}"
},
{
from_port = 10
to_port = 10
protocol = 6
description = "Service name"
source_security_group_id = "${data.aws_security_group.default.id}"
},
]
# Open for self (rule or from_port+to_port+protocol+description)
ingress_with_self = [
{
rule = "all-all"
},
{
from_port = 30
to_port = 40
protocol = 6
description = "Service name"
self = true
},
{
from_port = 41
to_port = 51
protocol = 6
self = false
},
]
# Default CIDR blocks, which will be used for all egress rules in this module. Typically these are CIDR blocks of the VPC.
# If this is not specified then world-open CIDR blocks are used.
egress_cidr_blocks = ["10.10.0.0/16"]
egress_ipv6_cidr_blocks = ["2001:db8::/64"]
# Prefix list ids to use in all egress rules in this module.
# egress_prefix_list_ids = ["pl-123456"]
# Open for all CIDRs defined in egress_cidr_blocks
egress_rules = ["http"]
# Open to CIDRs blocks (rule or from_port+to_port+protocol+description)
egress_with_cidr_blocks = [
{
rule = "postgres"
cidr_blocks = "0.0.0.0/0,2.2.2.2/32"
ipv6_cidr_blocks = "2001:db8::/60"
},
{
rule = "postgres"
cidr_blocks = "30.30.30.30/32"
},
{
from_port = 10
to_port = 20
protocol = 6
description = "Service name"
cidr_blocks = "10.10.0.0/20"
},
]
# Open for security group id (rule or from_port+to_port+protocol+description)
egress_with_source_security_group_id = [
{
rule = "mysql"
source_security_group_id = "${data.aws_security_group.default.id}"
},
{
from_port = 10
to_port = 10
protocol = 6
description = "Service name"
source_security_group_id = "${data.aws_security_group.default.id}"
},
]
# Open for self (rule or from_port+to_port+protocol+description)
egress_with_self = [
{
rule = "all-all"
},
{
from_port = 30
to_port = 40
protocol = 6
description = "Service name"
self = true
},
{
from_port = 41
to_port = 51
protocol = 6
self = false
},
]
}
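Review bot: The `self = false` entries at L171-176 and L231-236 do not do what their placement under `ingress_with_self`/`egress_with_self` suggests: with `self` turned off and no `cidr_blocks` or `source_security_group_id` in that resource, the only sources the rule is left with are the module-wide IPv6 default (`2001:db8::/64` from L121/L181) and any prefix lists, so ports 41-51 end up opened to that IPv6 range rather than to the group itself. If the intent is to show that `self` can be overridden, the example should say so next to the entry, e.g. `# self = false leaves only the module-wide ipv6_cidr_blocks/prefix_list_ids as sources`; otherwise the two entries are better dropped. The world-open PostgreSQL entries at L129-131 and L189-191 are labelled as an example in the description, but a short `# intentionally world-open for demonstration only` beside them would stop them being copied as-is.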
output "this_security_group_id" {
description = "The ID of the security group"
value = "${module.complete_sg.this_security_group_id}"
}
output "this_security_group_vpc_id" {
description = "The VPC ID"
value = "${module.complete_sg.this_security_group_vpc_id}"
}
output "this_security_group_owner_id" {
description = "The owner ID"
value = "${module.complete_sg.this_security_group_owner_id}"
}
output "this_security_group_name" {
description = "The name of the security group"
value = "${module.complete_sg.this_security_group_name}"
}
output "this_security_group_description" {
description = "The description of the security group"
value = "${module.complete_sg.this_security_group_description}"
}
output "this_security_group_ingress" {
description = "The ingress rules"
value = "${module.complete_sg.this_security_group_ingress}"
}
output "this_security_group_egress" {
description = "The egress rules"
value = "${module.complete_sg.this_security_group_egress}"
}
Complete Security Group example
===============================
Configuration in this directory creates set of Security Group and Security Group Rules resources in various combination.
Data sources are used to discover existing VPC resources (VPC and default security group).
Usage
=====
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
provider "aws" {
region = "eu-west-1"
}
#############################################################
# Data sources to get VPC and default security group details
#############################################################
data "aws_vpc" "default" {
default = true
}
data "aws_security_group" "default" {
name = "default"
vpc_id = "${data.aws_vpc.default.id}"
}
###########################
# Security groups examples
###########################
#######
# HTTP
#######
module "http_sg" {
source = "../../modules/http"
name = "http-sg"
description = "Security group with HTTP ports open for everybody, egress ports are all world open"
vpc_id = "${data.aws_vpc.default.id}"
}
#####################
# HTTP with MySQL #1
#####################
module "http_mysql_1_sg" {
source = "../../modules/http"
name = "http-mysql-1"
description = "Security group with HTTP and MySQL ports open for everybody globally"
vpc_id = "${data.aws_vpc.default.id}"
# Add MySQL rules
ingress_rules = ["mysql"]
}
#####################
# HTTP with MySQL #2
#####################
module "http_mysql_2_sg" {
source = "../../modules/http"
name = "http-mysql-2"
description = "Security group with HTTP and MySQL ports open within current VPC"
vpc_id = "${data.aws_vpc.default.id}"
# Add mysql rules
ingress_rules = ["mysql"]
# Allow ingress rules to be accessed only within current VPC
ingress_cidr_blocks = ["${data.aws_vpc.default.cidr_block}"]
ingress_ipv6_cidr_blocks = [] # Not all VPCs have IPv6 enabled, but if you have it enabled, then this will work - ["${data.aws_vpc.default.ipv6_cidr_block}"]
}
###########################
# HTTP with egress minimal
###########################
module "http_with_egress_minimal_sg" {
source = "../../modules/http"
name = "http-with-egress-minimal"
description = "Security group with HTTP ports open within current VPC, and allow egress access to HTTP ports to the whole world"
vpc_id = "${data.aws_vpc.default.id}"
# Allow ingress rules to be accessed only within current VPC
ingress_cidr_blocks = ["${data.aws_vpc.default.cidr_block}"]
# Allow all rules for all protocols
egress_rules = ["http"]
}
###########################
# HTTP with egress limited
###########################
module "http_with_egress_sg" {
source = "../../modules/http"
name = "http-with-egress"
description = "Security group with HTTP ports open within current VPC, and allow egress access just to small subnet"
vpc_id = "${data.aws_vpc.default.id}"
# Add mysql rules
ingress_rules = ["mysql"]
# Allow ingress rules to be accessed only within current VPC
ingress_cidr_blocks = ["${data.aws_vpc.default.cidr_block}"]
ingress_ipv6_cidr_blocks = [] # Not all VPCs have IPv6 enabled, but if you have it enabled, then this will work - ["${data.aws_vpc.default.ipv6_cidr_block}"]
# Allow egress rules to access anything (empty list means everything)
egress_cidr_blocks = ["10.10.10.0/28"]
egress_ipv6_cidr_blocks = [] # Not all VPCs have IPv6 enabled, but if you have it enabled, then this will work - ["${data.aws_vpc.default.ipv6_cidr_block}"]
}
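Review bot: The comments and descriptions in `http_with_egress_minimal_sg` and `http_with_egress_sg` contradict the values they annotate: L340 says "Allow all rules for all protocols" above `egress_rules = ["http"]`, and L356 says "access anything (empty list means everything)" above `egress_cidr_blocks = ["10.10.10.0/28"]`. More importantly, the description at L336 promises egress limited to HTTP, but the http module always unions `auto_egress_rules` (`["all-all"]` at L680) into `egress_rules` (L543), so egress remains all-all to `egress_cidr_blocks`, which defaults to `0.0.0.0/0`; `egress_rules = ["http"]` only adds a redundant rule. I would change L340 to `# Additionally open egress HTTP ports; the http module always adds an all-all egress rule`, L356 to `# Restrict egress to this subnet (all-all egress is still added by the module)`, and reword L336 to match. The same silent union also applies to the `ssh` module copy of this block.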
output "this_security_group_id" {
description = "The ID of the security group"
value = "${module.http_sg.this_security_group_id}"
}
output "this_security_group_vpc_id" {
description = "The VPC ID"
value = "${module.http_sg.this_security_group_vpc_id}"
}
output "this_security_group_owner_id" {
description = "The owner ID"
value = "${module.http_sg.this_security_group_owner_id}"
}
output "this_security_group_name" {
description = "The name of the security group"
value = "${module.http_sg.this_security_group_name}"
}
output "this_security_group_description" {
description = "The description of the security group"
value = "${module.http_sg.this_security_group_description}"
}
output "this_security_group_ingress" {
description = "The ingress rules"
value = "${module.http_sg.this_security_group_ingress}"
}
output "this_security_group_egress" {
description = "The egress rules"
value = "${module.http_sg.this_security_group_egress}"
}
#################
# Security group
#################
resource "aws_security_group" "this" {
name = "${var.name}"
description = "${var.description}"
vpc_id = "${var.vpc_id}"
tags = "${merge(var.tags, map("Name", format("%s", var.name)))}"
}
###################################
# Ingress - List of rules (simple)
###################################
# Security group rules with "cidr_blocks" and it uses list of rules names
resource "aws_security_group_rule" "ingress_rules" {
count = "${length(var.ingress_rules)}"
security_group_id = "${aws_security_group.this.id}"
type = "ingress"
cidr_blocks = ["${var.ingress_cidr_blocks}"]
ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
from_port = "${element(var.rules[var.ingress_rules[count.index]], 0)}"
to_port = "${element(var.rules[var.ingress_rules[count.index]], 1)}"
protocol = "${element(var.rules[var.ingress_rules[count.index]], 2)}"
}
##########################
# Ingress - Maps of rules
##########################
# Security group rules with "source_security_group_id", but without "cidr_blocks" and "self"
resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
count = "${length(var.ingress_with_source_security_group_id)}"
security_group_id = "${aws_security_group.this.id}"
type = "ingress"
source_security_group_id = "${lookup(var.ingress_with_source_security_group_id[count.index], "source_security_group_id")}"
ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
from_port = "${lookup(var.ingress_with_source_security_group_id[count.index], "from_port", element(var.rules[lookup(var.ingress_with_source_security_group_id[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.ingress_with_source_security_group_id[count.index], "to_port", element(var.rules[lookup(var.ingress_with_source_security_group_id[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.ingress_with_source_security_group_id[count.index], "protocol", element(var.rules[lookup(var.ingress_with_source_security_group_id[count.index], "rule", "_")], 2))}"
}
# Security group rules with "cidr_blocks", but without "source_security_group_id" and "self"
resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
count = "${length(var.ingress_with_cidr_blocks)}"
security_group_id = "${aws_security_group.this.id}"
type = "ingress"
cidr_blocks = ["${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]
ipv6_cidr_blocks = ["${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]
prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
from_port = "${lookup(var.ingress_with_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.ingress_with_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.ingress_with_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 2))}"
}
# Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
resource "aws_security_group_rule" "ingress_with_self" {
count = "${length(var.ingress_with_self)}"
security_group_id = "${aws_security_group.this.id}"
type = "ingress"
self = "${lookup(var.ingress_with_self[count.index], "self", true)}"
ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
from_port = "${lookup(var.ingress_with_self[count.index], "from_port", element(var.rules[lookup(var.ingress_with_self[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.ingress_with_self[count.index], "to_port", element(var.rules[lookup(var.ingress_with_self[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.ingress_with_self[count.index], "protocol", element(var.rules[lookup(var.ingress_with_self[count.index], "rule", "_")], 2))}"
}
#################
# End of ingress
#################
##################################
# Egress - List of rules (simple)
##################################
# Security group rules with "cidr_blocks" and it uses list of rules names
resource "aws_security_group_rule" "egress_rules" {
count = "${length(var.egress_rules)}"
security_group_id = "${aws_security_group.this.id}"
type = "egress"
cidr_blocks = ["${var.egress_cidr_blocks}"]
ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
prefix_list_ids = ["${var.egress_prefix_list_ids}"]
from_port = "${element(var.rules[var.egress_rules[count.index]], 0)}"
to_port = "${element(var.rules[var.egress_rules[count.index]], 1)}"
protocol = "${element(var.rules[var.egress_rules[count.index]], 2)}"
}
#########################
# Egress - Maps of rules
#########################
# Security group rules with "source_security_group_id", but without "cidr_blocks" and "self"
resource "aws_security_group_rule" "egress_with_source_security_group_id" {
count = "${length(var.egress_with_source_security_group_id)}"
security_group_id = "${aws_security_group.this.id}"
type = "egress"
source_security_group_id = "${lookup(var.egress_with_source_security_group_id[count.index], "source_security_group_id")}"
ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
prefix_list_ids = ["${var.egress_prefix_list_ids}"]
from_port = "${lookup(var.egress_with_source_security_group_id[count.index], "from_port", element(var.rules[lookup(var.egress_with_source_security_group_id[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.egress_with_source_security_group_id[count.index], "to_port", element(var.rules[lookup(var.egress_with_source_security_group_id[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.egress_with_source_security_group_id[count.index], "protocol", element(var.rules[lookup(var.egress_with_source_security_group_id[count.index], "rule", "_")], 2))}"
}
# Security group rules with "cidr_blocks", but without "source_security_group_id" and "self"
resource "aws_security_group_rule" "egress_with_cidr_blocks" {
count = "${length(var.egress_with_cidr_blocks)}"
security_group_id = "${aws_security_group.this.id}"
type = "egress"
cidr_blocks = ["${split(",", lookup(var.egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]
ipv6_cidr_blocks = ["${split(",", lookup(var.egress_with_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]
prefix_list_ids = ["${var.egress_prefix_list_ids}"]
from_port = "${lookup(var.egress_with_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.egress_with_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.egress_with_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 2))}"
}
# Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
resource "aws_security_group_rule" "egress_with_self" {
count = "${length(var.egress_with_self)}"
security_group_id = "${aws_security_group.this.id}"
type = "egress"
self = "${lookup(var.egress_with_self[count.index], "self", true)}"
ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
prefix_list_ids = ["${var.egress_prefix_list_ids}"]
from_port = "${lookup(var.egress_with_self[count.index], "from_port", element(var.rules[lookup(var.egress_with_self[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.egress_with_self[count.index], "to_port", element(var.rules[lookup(var.egress_with_self[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.egress_with_self[count.index], "protocol", element(var.rules[lookup(var.egress_with_self[count.index], "rule", "_")], 2))}"
}
################
# End of egress
################
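Review bot: The `source_security_group_id` and `self` rule resources are documented as being "without cidr_blocks" (L415, L439, L472, L496), yet each one also sets `ipv6_cidr_blocks` and `prefix_list_ids` from the module-wide defaults (L421-422, L445-446, L478-479, L502-503). If the root module's `variables.tf` (not on this page) uses the same `["::/0"]` default that `modules/http/variables.tf` uses at L626, then every "self" or "source SG" rule built with the defaults also grants access from all IPv6 addresses, which a caller who only named a source security group would not expect; depending on the provider version this is either rejected as a conflicting attribute combination or silently widens the rule. I would remove `ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]` (and its egress twin) from those four resources, or make it a per-rule `lookup` with an empty default as `ingress_with_cidr_blocks` already does at L433. A comment on each resource stating exactly which source attributes it sets would also make the contract visible to readers.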
List of Security Groups implemented as Terraform modules
========================================================
* [http](http)
* [ssh](ssh)
Code in this directory is used as a template for other modules. Change carefully, test thoughtfully! :)
\ No newline at end of file
module "sg" {
source = "../../"
name = "${var.name}"
description = "${var.description}"
vpc_id = "${var.vpc_id}"
tags = "${var.tags}"
##########
# Ingress
##########
# Rules by names - open for default CIDR
ingress_rules = ["${sort(distinct(concat(var.auto_ingress_rules, var.ingress_rules)))}"]
# Open for self
ingress_with_self = ["${concat(var.auto_ingress_with_self, var.ingress_with_self)}"]
# Open to cidr_blocks
ingress_with_cidr_blocks = ["${var.ingress_with_cidr_blocks}"]
# Open for security group id
ingress_with_source_security_group_id = ["${var.ingress_with_source_security_group_id}"]
# Default ingress CIDR blocks
ingress_cidr_blocks = ["${var.ingress_cidr_blocks}"]
ingress_ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
# Default prefix list ids
ingress_prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
#########
# Egress
#########
# Rules by names - open for default CIDR
egress_rules = ["${sort(distinct(concat(var.auto_egress_rules, var.egress_rules)))}"]
# Open for self
egress_with_self = ["${concat(var.auto_egress_with_self, var.egress_with_self)}"]
# Open to cidr_blocks
egress_with_cidr_blocks = ["${var.egress_with_cidr_blocks}"]
# Open for security group id
egress_with_source_security_group_id = ["${var.egress_with_source_security_group_id}"]
# Default egress CIDR blocks
egress_cidr_blocks = ["${var.egress_cidr_blocks}"]
egress_ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
# Default prefix list ids
egress_prefix_list_ids = ["${var.egress_prefix_list_ids}"]
}
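Review bot: Nothing in this block tells a caller that `auto_ingress_rules` and `auto_egress_rules` are always unioned into the rule lists at L527 and L543 and cannot be removed by passing a narrower `ingress_rules`/`egress_rules`; with `auto_egress_rules` defaulting to `["all-all"]` (L680) and `egress_cidr_blocks` defaulting to world-open, every group built from this module has unrestricted egress unless `egress_cidr_blocks` is overridden. I would put that in the comments at L526 and L542, e.g. `# Rules by names - the module's auto_* rules are always included and cannot be disabled; narrow via *_cidr_blocks instead`. The identical module blocks further down (the `ssh` module and the third copy) need the same comment.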
output "this_security_group_id" {
description = "The ID of the security group"
value = "${module.sg.this_security_group_id}"
}
output "this_security_group_vpc_id" {
description = "The VPC ID"
value = "${module.sg.this_security_group_vpc_id}"
}
output "this_security_group_owner_id" {
description = "The owner ID"
value = "${module.sg.this_security_group_owner_id}"
}
output "this_security_group_name" {
description = "The name of the security group"
value = "${module.sg.this_security_group_name}"
}
output "this_security_group_description" {
description = "The description of the security group"
value = "${module.sg.this_security_group_description}"
}
output "this_security_group_ingress" {
description = "The ingress rules"
value = "${module.sg.this_security_group_ingress}"
}
output "this_security_group_egress" {
description = "The egress rules"
value = "${module.sg.this_security_group_egress}"
}
#################
# Security group
#################
variable "vpc_id" {
description = "ID of VPC to create security group into"
}
variable "name" {
description = "Name of security group"
}
variable "description" {
description = "Description of security group"
default = "Security Group managed by Terraform"
}
variable "tags" {
description = "A mapping of tags to assign to security group"
default = {}
}
##########
# Ingress
##########
variable "ingress_rules" {
description = "List of ingress rules to create by name"
default = []
}
variable "ingress_with_self" {
description = "List of ingress rules to create where 'self' is defined"
default = []
}
variable "ingress_with_cidr_blocks" {
description = "List of ingress rules to create where 'cidr_blocks' is used"
default = []
}
variable "ingress_with_source_security_group_id" {
description = "List of ingress rules to create where 'source_security_group_id' is used"
default = []
}
variable "ingress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all ingress rules"
default = ["0.0.0.0/0"]
}
variable "ingress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all ingress rules"
default = ["::/0"]
}
variable "ingress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules"
default = []
}
#########
# Egress
#########
variable "egress_rules" {
description = "List of egress rules to create by name"
default = []
}
variable "egress_with_self" {
description = "List of egress rules to create where 'self' is defined"
default = []
}
variable "egress_with_cidr_blocks" {
description = "List of egress rules to create where 'cidr_blocks' is used"
default = []
}
variable "egress_with_source_security_group_id" {
description = "List of egress rules to create where 'source_security_group_id' is used"
default = []
}
variable "egress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all egress rules"
default = ["0.0.0.0/0"]
}
variable "egress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all egress rules"
default = ["::/0"]
}
variable "egress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules"
default = []
}
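Review bot: The descriptions for `ingress_cidr_blocks`, `ingress_ipv6_cidr_blocks`, `egress_cidr_blocks` and `egress_ipv6_cidr_blocks` (L621, L625, L652, L656) do not mention that their defaults (`0.0.0.0/0`, `::/0`) open every rule to the whole internet, which is the single most consequential thing a reader of the registry inputs page needs to know. I would extend each description, e.g. `description = "List of IPv4 CIDR ranges to use on all ingress rules (default is 0.0.0.0/0, i.e. open to the world)"`, and do the same in the `ssh` module's variables.tf copy further down the page.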
# This file was generated from values defined in rules.tf using update_groups.sh.
###################################
# DO NOT CHANGE THIS FILE MANUALLY
###################################
variable "auto_ingress_rules" {
description = "List of ingress rules to add automatically"
type = "list"
default = ["http"]
}
variable "auto_ingress_with_self" {
description = "List of ingress rules with self to add automatically"
type = "list"
default = []
}
variable "auto_egress_rules" {
description = "List of egress rules to add automatically"
type = "list"
default = ["all-all"]
}
variable "auto_egress_with_self" {
description = "List of egress rules with self to add automatically"
type = "list"
default = []
}
module "sg" {
source = "../../"
name = "${var.name}"
description = "${var.description}"
vpc_id = "${var.vpc_id}"
tags = "${var.tags}"
##########
# Ingress
##########
# Rules by names - open for default CIDR
ingress_rules = ["${sort(distinct(concat(var.auto_ingress_rules, var.ingress_rules)))}"]
# Open for self
ingress_with_self = ["${concat(var.auto_ingress_with_self, var.ingress_with_self)}"]
# Open to cidr_blocks
ingress_with_cidr_blocks = ["${var.ingress_with_cidr_blocks}"]
# Open for security group id
ingress_with_source_security_group_id = ["${var.ingress_with_source_security_group_id}"]
# Default ingress CIDR blocks
ingress_cidr_blocks = ["${var.ingress_cidr_blocks}"]
ingress_ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
# Default prefix list ids
ingress_prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
#########
# Egress
#########
# Rules by names - open for default CIDR
egress_rules = ["${sort(distinct(concat(var.auto_egress_rules, var.egress_rules)))}"]
# Open for self
egress_with_self = ["${concat(var.auto_egress_with_self, var.egress_with_self)}"]
# Open to cidr_blocks
egress_with_cidr_blocks = ["${var.egress_with_cidr_blocks}"]
# Open for security group id
egress_with_source_security_group_id = ["${var.egress_with_source_security_group_id}"]
# Default egress CIDR blocks
egress_cidr_blocks = ["${var.egress_cidr_blocks}"]
egress_ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
# Default prefix list ids
egress_prefix_list_ids = ["${var.egress_prefix_list_ids}"]
}
output "this_security_group_id" {
description = "The ID of the security group"
value = "${module.sg.this_security_group_id}"
}
output "this_security_group_vpc_id" {
description = "The VPC ID"
value = "${module.sg.this_security_group_vpc_id}"
}
output "this_security_group_owner_id" {
description = "The owner ID"
value = "${module.sg.this_security_group_owner_id}"
}
output "this_security_group_name" {
description = "The name of the security group"
value = "${module.sg.this_security_group_name}"
}
output "this_security_group_description" {
description = "The description of the security group"
value = "${module.sg.this_security_group_description}"
}
output "this_security_group_ingress" {
description = "The ingress rules"
value = "${module.sg.this_security_group_ingress}"
}
output "this_security_group_egress" {
description = "The egress rules"
value = "${module.sg.this_security_group_egress}"
}
#################
# Security group
#################
variable "vpc_id" {
description = "ID of VPC to create security group into"
}
variable "name" {
description = "Name of security group"
}
variable "description" {
description = "Description of security group"
default = "Security Group managed by Terraform"
}
variable "tags" {
description = "A mapping of tags to assign to security group"
default = {}
}
##########
# Ingress
##########
variable "ingress_rules" {
description = "List of ingress rules to create by name"
default = []
}
variable "ingress_with_self" {
description = "List of ingress rules to create where 'self' is defined"
default = []
}
variable "ingress_with_cidr_blocks" {
description = "List of ingress rules to create where 'cidr_blocks' is used"
default = []
}
variable "ingress_with_source_security_group_id" {
description = "List of ingress rules to create where 'source_security_group_id' is used"
default = []
}
variable "ingress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all ingress rules"
default = ["0.0.0.0/0"]
}
variable "ingress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all ingress rules"
default = ["::/0"]
}
variable "ingress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules"
default = []
}
#########
# Egress
#########
variable "egress_rules" {
description = "List of egress rules to create by name"
default = []
}
variable "egress_with_self" {
description = "List of egress rules to create where 'self' is defined"
default = []
}
variable "egress_with_cidr_blocks" {
description = "List of egress rules to create where 'cidr_blocks' is used"
default = []
}
variable "egress_with_source_security_group_id" {
description = "List of egress rules to create where 'source_security_group_id' is used"
default = []
}
variable "egress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all egress rules"
default = ["0.0.0.0/0"]
}
variable "egress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all egress rules"
default = ["::/0"]
}
variable "egress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules"
default = []
}
# This file was generated from values defined in rules.tf using update_groups.sh.
###################################
# DO NOT CHANGE THIS FILE MANUALLY
###################################
variable "auto_ingress_rules" {
description = "List of ingress rules to add automatically"
type = "list"
default = ["http", "ssh"]
}
variable "auto_ingress_with_self" {
description = "List of ingress rules with self to add automatically"
type = "list"
default = []
}
variable "auto_egress_rules" {
description = "List of egress rules to add automatically"
type = "list"
default = ["all-all"]
}
variable "auto_egress_with_self" {
description = "List of egress rules with self to add automatically"
type = "list"
default = []
}
module "sg" {
source = "../../"
name = "${var.name}"
description = "${var.description}"
vpc_id = "${var.vpc_id}"
tags = "${var.tags}"
##########
# Ingress
##########
# Rules by names - open for default CIDR
ingress_rules = ["${sort(distinct(concat(var.auto_ingress_rules, var.ingress_rules)))}"]
# Open for self
ingress_with_self = ["${concat(var.auto_ingress_with_self, var.ingress_with_self)}"]
# Open to cidr_blocks
ingress_with_cidr_blocks = ["${var.ingress_with_cidr_blocks}"]
# Open for security group id
ingress_with_source_security_group_id = ["${var.ingress_with_source_security_group_id}"]
# Default ingress CIDR blocks
ingress_cidr_blocks = ["${var.ingress_cidr_blocks}"]
ingress_ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
# Default prefix list ids
ingress_prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
#########
# Egress
#########
# Rules by names - open for default CIDR
egress_rules = ["${sort(distinct(concat(var.auto_egress_rules, var.egress_rules)))}"]
# Open for self
egress_with_self = ["${concat(var.auto_egress_with_self, var.egress_with_self)}"]
# Open to cidr_blocks
egress_with_cidr_blocks = ["${var.egress_with_cidr_blocks}"]
# Open for security group id
egress_with_source_security_group_id = ["${var.egress_with_source_security_group_id}"]
# Default egress CIDR blocks
egress_cidr_blocks = ["${var.egress_cidr_blocks}"]
egress_ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
# Default prefix list ids
egress_prefix_list_ids = ["${var.egress_prefix_list_ids}"]
}
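Review bot: `ingress_rules` at L867 is the union of `var.auto_ingress_rules` and the caller's `var.ingress_rules` (L883 does the same for egress), so a caller can add named rules but has no way to drop an automatic one, such as the `ssh` entry in the generated defaults at L840 or the `all-all` egress at L850. If that is the intended contract, the comment at L866 should say so, e.g. `# Rules by names - open for default CIDR; auto rules are always included and cannot be removed by the caller`. Otherwise consider an explicit opt-out input, since a consumer reading only the module's variables.tf will not see the merged list.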
output "this_security_group_id" {
description = "The ID of the security group"
value = "${module.sg.this_security_group_id}"
}
output "this_security_group_vpc_id" {
description = "The VPC ID"
value = "${module.sg.this_security_group_vpc_id}"
}
output "this_security_group_owner_id" {
description = "The owner ID"
value = "${module.sg.this_security_group_owner_id}"
}
output "this_security_group_name" {
description = "The name of the security group"
value = "${module.sg.this_security_group_name}"
}
output "this_security_group_description" {
description = "The description of the security group"
value = "${module.sg.this_security_group_description}"
}
output "this_security_group_ingress" {
description = "The ingress rules"
value = "${module.sg.this_security_group_ingress}"
}
output "this_security_group_egress" {
description = "The egress rules"
value = "${module.sg.this_security_group_egress}"
}
#################
# Security group
#################
variable "vpc_id" {
description = "ID of VPC to create security group into"
}
variable "name" {
description = "Name of security group"
}
variable "description" {
description = "Description of security group"
default = "Security Group managed by Terraform"
}
variable "tags" {
description = "A mapping of tags to assign to security group"
default = {}
}
##########
# Ingress
##########
variable "ingress_rules" {
description = "List of ingress rules to create by name"
default = []
}
variable "ingress_with_self" {
description = "List of ingress rules to create where 'self' is defined"
default = []
}
variable "ingress_with_cidr_blocks" {
description = "List of ingress rules to create where 'cidr_blocks' is used"
default = []
}
variable "ingress_with_source_security_group_id" {
description = "List of ingress rules to create where 'source_security_group_id' is used"
default = []
}
variable "ingress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all ingress rules"
default = ["0.0.0.0/0"]
}
variable "ingress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all ingress rules"
default = ["::/0"]
}
variable "ingress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules"
default = []
}
#########
# Egress
#########
variable "egress_rules" {
description = "List of egress rules to create by name"
default = []
}
variable "egress_with_self" {
description = "List of egress rules to create where 'self' is defined"
default = []
}
variable "egress_with_cidr_blocks" {
description = "List of egress rules to create where 'cidr_blocks' is used"
default = []
}
variable "egress_with_source_security_group_id" {
description = "List of egress rules to create where 'source_security_group_id' is used"
default = []
}
variable "egress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all egress rules"
default = ["0.0.0.0/0"]
}
variable "egress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all egress rules"
default = ["::/0"]
}
variable "egress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules"
default = []
}
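Review bot: `ingress_cidr_blocks` (L960–L963) and `ingress_ipv6_cidr_blocks` (L964–L967) default to `0.0.0.0/0` and `::/0` and, per their own descriptions, apply to every named ingress rule, so a caller who sets only `ingress_rules` gets rules reachable from any source unless they also override these lists; the descriptions do not mention this. Suggest stating it, e.g. `description = "List of IPv4 CIDR ranges to use on all ingress rules (defaults to 0.0.0.0/0 - override to restrict sources)"`, and equivalently for the IPv6 variable. The same defaults are repeated in the copies at L790–L797 and L1180–L1187, and the `vpc_id` description differs between L928 and L1148; since update_groups.sh copies the template verbatim (L1090), the copies should be kept in sync or generated from one source.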
output "this_security_group_id" {
description = "The ID of the security group"
value = "${aws_security_group.this.id}"
}
output "this_security_group_vpc_id" {
description = "The VPC ID"
value = "${aws_security_group.this.vpc_id}"
}
output "this_security_group_owner_id" {
description = "The owner ID"
value = "${aws_security_group.this.owner_id}"
}
output "this_security_group_name" {
description = "The name of the security group"
value = "${aws_security_group.this.name}"
}
output "this_security_group_description" {
description = "The description of the security group"
value = "${aws_security_group.this.description}"
}
output "this_security_group_ingress" {
description = "The ingress rules"
value = "${aws_security_group.this.ingress}"
}
output "this_security_group_egress" {
description = "The egress rules"
value = "${aws_security_group.this.egress}"
}
#!/usr/bin/env bash
# @todo: generate content of each public module (eg, "http") from the json list.
# outputs.tf and variables.tf for all group modules are the same for all
set -e
# Change location to the directory where this script it located
cd "$(dirname "${BASH_SOURCE[0]}")"
# Assert that a given binary is installed
function assert_is_installed {
local readonly name="$1"
}
check_dependencies() {
if [[ ! $(command -v json2hcl) ]]; then
echo "ERROR: The binary 'json2hcl' is required by this script but is not installed or in the system's PATH."
echo "Check documentation: https://github.com/kvz/json2hcl"
exit 1
fi
if [[ ! $(command -v jq) ]]; then
echo "ERROR: The binary 'jq' is required by this script but is not installed or in the system's PATH."
echo "Check documentation: https://github.com/stedolan/jq"
exit 1
fi
}
auto_groups_data() {
json2hcl -reverse < rules.tf | jq -r '..|.auto_groups?|values|.[0]|.default|.[0]'
}
auto_groups_keys() {
local readonly data=$1
echo $data | jq -r ".|keys|@sh" | tr -d "'"
}
get_auto_value() {
local readonly data=$1
local readonly group=$2
local readonly var=$3
echo $data | jq -rc '.[$group][0][$var]' --arg group "$group" --arg var "$var"
}
set_list_if_null() {
if [[ "null" == "$1" ]]; then
echo "[]"
else
echo "$1"
fi
}
main() {
check_dependencies
readonly local auto_groups_data="$(auto_groups_data)"
if [[ -z "$(auto_groups_data)" ]]; then
echo "There are no modules to update. Check values of auto_groups inside rules.tf"
exit 0
fi
readonly local auto_groups_keys=($(auto_groups_keys "$auto_groups_data"))
local ingress_rules=""
local ingress_with_self=""
local egress_rules=""
local egress_with_self=""
local list_of_modules=""
for group in "${auto_groups_keys[@]}"; do
echo "Making group: $group"
mkdir -p "modules/$group"
cp modules/_templates/{main,outputs,variables}.tf "modules/$group"
# Get group values
ingress_rules=$(get_auto_value "$auto_groups_data" "$group" "ingress_rules")
ingress_with_self=$(get_auto_value "$auto_groups_data" "$group" "ingress_with_self")
egress_rules=$(get_auto_value "$auto_groups_data" "$group" "egress_rules")
egress_with_self=$(get_auto_value "$auto_groups_data" "$group" "egress_with_self")
# Set to empty lists, if no value was specified
ingress_rules=$(set_list_if_null "$ingress_rules")
ingress_with_self=$(set_list_if_null "$ingress_with_self")
egress_rules=$(set_list_if_null "$egress_rules")
egress_with_self=$(set_list_if_null "$egress_with_self")
# ingress_with_self and egress_with_self are stored as simple lists (like this - ["all-all","all-tcp"]),
# so we make map (like this - [{"rule"="all-all"},{"rule"="all-tcp"}])
ingress_with_self=$(echo "$ingress_with_self" | jq -rc "[{rule:.[]}]" | tr ':' '=')
egress_with_self=$(echo "$egress_with_self" | jq -rc "[{rule:.[]}]" | tr ':' '=')
cat <<EOF > "modules/$group/auto_values.tf"
# This file was generated from values defined in rules.tf using update_groups.sh.
###################################
# DO NOT CHANGE THIS FILE MANUALLY
###################################
variable "auto_ingress_rules" {
description = "List of ingress rules to add automatically"
type = "list"
default = $ingress_rules
}
variable "auto_ingress_with_self" {
description = "List of ingress rules with self to add automatically"
type = "list"
default = $ingress_with_self
}
variable "auto_egress_rules" {
description = "List of egress rules to add automatically"
type = "list"
default = $egress_rules
}
variable "auto_egress_with_self" {
description = "List of egress rules with self to add automatically"
type = "list"
default = $egress_with_self
}
EOF
local list_of_modules=$(echo "$list_of_modules"; echo "* [$group]($group)")
# terraform fmt -diff=true "modules/$group"
done
echo "Updating list of security group modules"
cat <<EOF > modules/README.md
List of Security Groups implemented as Terraform modules
========================================================
$list_of_modules
EOF
echo "Done!"
}
main
\ No newline at end of file
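Review bot: `readonly local auto_groups_data="$(auto_groups_data)"` at L1076 (and L1081) does not declare a local: `readonly` is the command, so it marks a global named `local` and a global `auto_groups_data` read-only, and L1077 then re-runs the json2hcl/jq pipeline via `$(auto_groups_data)` instead of reading the variable. `local auto_groups_data; auto_groups_data="$(auto_groups_data)"; readonly auto_groups_data` followed by `if [[ -z "$auto_groups_data" ]]; then` evaluates it once; the reversed `local readonly name="$1"` at L1040, L1058 and L1062–L1064 likewise declares an extra empty local called `readonly` rather than protecting the value. `echo $data | jq` at L1059 and L1065 should quote `"$data"` so the JSON is not word-split or glob-expanded, and because the generated `.tf` files are built from the L1055 pipeline, `set -eo pipefail` would stop a json2hcl failure from being hidden behind jq's exit status. `assert_is_installed` at L1039–L1041 is never called and does nothing beyond the declaration, so it should be removed or used by `check_dependencies`.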
#################
# Security group
#################
variable "vpc_id" {
description = "ID of the VPC where to create security group"
}
variable "name" {
description = "Name of security group"
}
variable "description" {
description = "Description of security group"
default = "Security Group managed by Terraform"
}
variable "tags" {
description = "A mapping of tags to assign to security group"
default = {}
}
##########
# Ingress
##########
variable "ingress_rules" {
description = "List of ingress rules to create by name"
default = []
}
variable "ingress_with_self" {
description = "List of ingress rules to create where 'self' is defined"
default = []
}
variable "ingress_with_cidr_blocks" {
description = "List of ingress rules to create where 'cidr_blocks' is used"
default = []
}
variable "ingress_with_source_security_group_id" {
description = "List of ingress rules to create where 'source_security_group_id' is used"
default = []
}
variable "ingress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all ingress rules"
default = ["0.0.0.0/0"]
}
variable "ingress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all ingress rules"
default = ["::/0"]
}
variable "ingress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules"
default = []
}
#########
# Egress
#########
variable "egress_rules" {
description = "List of egress rules to create by name"
default = []
}
variable "egress_with_self" {
description = "List of egress rules to create where 'self' is defined"
default = []
}
variable "egress_with_cidr_blocks" {
description = "List of egress rules to create where 'cidr_blocks' is used"
default = []
}
variable "egress_with_source_security_group_id" {
description = "List of egress rules to create where 'source_security_group_id' is used"
default = []
}
variable "egress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all egress rules"
default = ["0.0.0.0/0"]
}
variable "egress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all egress rules"
default = ["::/0"]
}
variable "egress_prefix_list_ids" {
description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules"
default = []
}