Added Splunk ports (#44)

6d7ae228 · Anton Babenko · GitHub · d42372c3 · 6d7ae228 · 6d7ae228
Commit 6d7ae228 authored Mar 02, 2018 by Anton Babenko Committed by GitHub Mar 02, 2018
7 changed files
--- a/modules/README.md
+++ b/modules/README.md
@@ -23,6 +23,7 @@ List of Security Groups implemented as Terraform modules
 * [rdp](rdp)
 * [redis](redis)
 * [redshift](redshift)
+* [splunk](splunk)
 * [ssh](ssh)
 * [storm](storm)
 * [web](web)

--- a/modules/splunk/auto_values.tf
+++ b/modules/splunk/auto_values.tf
+# This file was generated from values defined in rules.tf using update_groups.sh.
+###################################
+# DO NOT CHANGE THIS FILE MANUALLY
+###################################
+variable "auto_ingress_rules" {
+  description = "List of ingress rules to add automatically"
+  type        = "list"
+  default     = ["splunk-indexer-tcp", "splunk-clients-tcp", "splunk-splunkd-tcp"]
+}
+variable "auto_ingress_with_self" {
+  description = "List of maps defining ingress rules with self to add automatically"
+  type        = "list"
+  default = [{
+    "rule" = "all-all"
+  }]
+}
+variable "auto_egress_rules" {
+  description = "List of egress rules to add automatically"
+  type        = "list"
+  default     = ["all-all"]
+}
+variable "auto_egress_with_self" {
+  description = "List of maps defining egress rules with self to add automatically"
+  type        = "list"
+  default     = []
+}
--- a/modules/splunk/main.tf
+++ b/modules/splunk/main.tf
+module "sg" {
+  source = "../../"
+  create      = "${var.create}"
+  name        = "${var.name}"
+  description = "${var.description}"
+  vpc_id      = "${var.vpc_id}"
+  tags        = "${var.tags}"
+  ##########
+  # Ingress
+  ##########
+  # Rules by names - open for default CIDR
+  ingress_rules = ["${sort(distinct(concat(var.auto_ingress_rules, var.ingress_rules)))}"]
+  # Open for self
+  ingress_with_self = ["${concat(var.auto_ingress_with_self, var.ingress_with_self)}"]
+  # Open to IPv4 cidr blocks
+  ingress_with_cidr_blocks = ["${var.ingress_with_cidr_blocks}"]
+  # Open to IPv6 cidr blocks
+  ingress_with_ipv6_cidr_blocks = ["${var.ingress_with_ipv6_cidr_blocks}"]
+  # Open for security group id
+  ingress_with_source_security_group_id = ["${var.ingress_with_source_security_group_id}"]
+  # Default ingress CIDR blocks
+  ingress_cidr_blocks      = ["${var.ingress_cidr_blocks}"]
+  ingress_ipv6_cidr_blocks = ["${var.ingress_ipv6_cidr_blocks}"]
+  # Default prefix list ids
+  ingress_prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
+  #########
+  # Egress
+  #########
+  # Rules by names - open for default CIDR
+  egress_rules = ["${sort(distinct(concat(var.auto_egress_rules, var.egress_rules)))}"]
+  # Open for self
+  egress_with_self = ["${concat(var.auto_egress_with_self, var.egress_with_self)}"]
+  # Open to IPv4 cidr blocks
+  egress_with_cidr_blocks = ["${var.egress_with_cidr_blocks}"]
+  # Open to IPv6 cidr blocks
+  egress_with_ipv6_cidr_blocks = ["${var.egress_with_ipv6_cidr_blocks}"]
+  # Open for security group id
+  egress_with_source_security_group_id = ["${var.egress_with_source_security_group_id}"]
+  # Default egress CIDR blocks
+  egress_cidr_blocks      = ["${var.egress_cidr_blocks}"]
+  egress_ipv6_cidr_blocks = ["${var.egress_ipv6_cidr_blocks}"]
+  # Default prefix list ids
+  egress_prefix_list_ids = ["${var.egress_prefix_list_ids}"]
+}
--- a/modules/splunk/outputs.tf
+++ b/modules/splunk/outputs.tf
+output "this_security_group_id" {
+  description = "The ID of the security group"
+  value       = "${module.sg.this_security_group_id}"
+}
+output "this_security_group_vpc_id" {
+  description = "The VPC ID"
+  value       = "${module.sg.this_security_group_vpc_id}"
+}
+output "this_security_group_owner_id" {
+  description = "The owner ID"
+  value       = "${module.sg.this_security_group_owner_id}"
+}
+output "this_security_group_name" {
+  description = "The name of the security group"
+  value       = "${module.sg.this_security_group_name}"
+}
+output "this_security_group_description" {
+  description = "The description of the security group"
+  value       = "${module.sg.this_security_group_description}"
+}
--- a/modules/splunk/variables.tf
+++ b/modules/splunk/variables.tf
+#################
+# Security group
+#################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+variable "vpc_id" {
+  description = "ID of the VPC where to create security group"
+}
+variable "name" {
+  description = "Name of security group"
+}
+variable "description" {
+  description = "Description of security group"
+  default     = "Security Group managed by Terraform"
+}
+variable "tags" {
+  description = "A mapping of tags to assign to security group"
+  default     = {}
+}
+##########
+# Ingress
+##########
+variable "ingress_rules" {
+  description = "List of ingress rules to create by name"
+  default     = []
+}
+variable "ingress_with_self" {
+  description = "List of ingress rules to create where 'self' is defined"
+  default     = []
+}
+variable "ingress_with_cidr_blocks" {
+  description = "List of ingress rules to create where 'cidr_blocks' is used"
+  default     = []
+}
+variable "ingress_with_ipv6_cidr_blocks" {
+  description = "List of ingress rules to create where 'ipv6_cidr_blocks' is used"
+  default     = []
+}
+variable "ingress_with_source_security_group_id" {
+  description = "List of ingress rules to create where 'source_security_group_id' is used"
+  default     = []
+}
+variable "ingress_cidr_blocks" {
+  description = "List of IPv4 CIDR ranges to use on all ingress rules"
+  default     = []
+}
+variable "ingress_ipv6_cidr_blocks" {
+  description = "List of IPv6 CIDR ranges to use on all ingress rules"
+  default     = []
+}
+variable "ingress_prefix_list_ids" {
+  description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules"
+  default     = []
+}
+#########
+# Egress
+#########
+variable "egress_rules" {
+  description = "List of egress rules to create by name"
+  default     = []
+}
+variable "egress_with_self" {
+  description = "List of egress rules to create where 'self' is defined"
+  default     = []
+}
+variable "egress_with_cidr_blocks" {
+  description = "List of egress rules to create where 'cidr_blocks' is used"
+  default     = []
+}
+variable "egress_with_ipv6_cidr_blocks" {
+  description = "List of egress rules to create where 'ipv6_cidr_blocks' is used"
+  default     = []
+}
+variable "egress_with_source_security_group_id" {
+  description = "List of egress rules to create where 'source_security_group_id' is used"
+  default     = []
+}
+variable "egress_cidr_blocks" {
+  description = "List of IPv4 CIDR ranges to use on all egress rules"
+  default     = ["0.0.0.0/0"]
+}
+variable "egress_ipv6_cidr_blocks" {
+  description = "List of IPv6 CIDR ranges to use on all egress rules"
+  default     = ["::/0"]
+}
+variable "egress_prefix_list_ids" {
+  description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules"
+  default     = []
+}
--- a/rules.tf
+++ b/rules.tf
@@ -101,6 +101,11 @@ variable "rules" {
    # Redshift
    redshift-tcp = [5439, 5439, "tcp", "Redshift"]
+    # Splunk
+    splunk-indexer-tcp = [9997, 9997, "tcp", "Splunk indexer"]
+    splunk-clients-tcp = [8080, 8080, "tcp", "Splunk clients"]
+    splunk-splunkd-tcp = [8089, 8089, "tcp", "Splunkd"]
    # SSH
    ssh-tcp = [22, 22, "tcp", "SSH"]
@@ -269,6 +274,12 @@ variable "auto_groups" {
      egress_rules      = ["all-all"]
    }
+    splunk = {
+      ingress_rules     = ["splunk-indexer-tcp", "splunk-clients-tcp", "splunk-splunkd-tcp"]
+      ingress_with_self = ["all-all"]
+      egress_rules      = ["all-all"]
+    }
    ssh = {
      ingress_rules     = ["ssh-tcp"]
      ingress_with_self = ["all-all"]

--- a/update_groups.sh
+++ b/update_groups.sh
@@ -140,4 +140,4 @@ EOF
  echo "Done!"
 }
 main
\ No newline at end of file