Skip to content

T
terraform-aws-security-group
Commit ac988ca2 authored by Anton Babenko's avatar Anton Babenko Committed by GitHub
Browse files
Options

feat: Create group optionally (#218)

parent 18bb00a9
Hide whitespace changes
Inline Side-by-side
Showing with 170 additions and 17 deletions
README.md
View file @ ac988ca2
......@@ -4,11 +4,6 @@
Terraform module which creates [EC2 security group within VPC](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) on AWS.
These types of resources are supported:
* [EC2-VPC Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
* [EC2-VPC Security Group Rule](https://www.terraform.io/docs/providers/aws/r/security_group_rule.html)
## Features
This module aims to implement **ALL** combinations of arguments supported by AWS and latest stable version of Terraform:
......@@ -18,7 +13,7 @@ This module aims to implement **ALL** combinations of arguments supported by AWS
* Access from self
* Named rules ([see the rules here](https://github.com/terraform-aws-modules/terraform-aws-security-group/blob/master/rules.tf))
* Named groups of rules with ingress (inbound) and egress (outbound) ports open for common scenarios (eg, [ssh](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ssh), [http-80](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/http-80), [mysql](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/mysql), see the whole list [here](https://github.com/terraform-aws-modules/terraform-aws-security-group/blob/master/modules/README.md))
* Conditionally create security group and all required security group rules ("single boolean switch").
* Conditionally create security group and/or all required security group rules.
Ingress and egress rules can be configured in a variety of ways. See [inputs section](#inputs) for all supported arguments and [complete example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/complete) for the complete use-case.
......@@ -26,7 +21,7 @@ If there is a missing feature or a bug - [open an issue](https://github.com/terr
## Terraform versions
For Terraform 0.12 use version `v3.*` of this module or newer.
For Terraform 0.12 use version `v4.*` of this module or newer.
If you are using Terraform 0.11 you can use versions `v2.*`.
......@@ -143,6 +138,7 @@ module "vote_service_sg" {
## Examples
* [Complete Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/complete) shows all available parameters to configure security group.
* [Security Group "Rules Only" example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/complete) shows how to manage just rules of a security group that is created outside.
* [HTTP Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/http) shows more applicable security groups for common web-servers.
* [Disable creation of Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/disabled) shows how to disable creation of security group.
* [Dynamic values inside Security Group rules example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/dynamic) shows how to specify values inside security group rules (data-sources and variables are allowed).
......@@ -217,6 +213,7 @@ No modules.
| <a name="input_computed_ingress_with_self"></a> [computed\_ingress\_with\_self](#input\_computed\_ingress\_with\_self) | List of computed ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
| <a name="input_computed_ingress_with_source_security_group_id"></a> [computed\_ingress\_with\_source\_security\_group\_id](#input\_computed\_ingress\_with\_source\_security\_group\_id) | List of computed ingress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
| <a name="input_create"></a> [create](#input\_create) | Whether to create security group and all rules | `bool` | `true` | no |
| <a name="input_create_sg"></a> [create\_sg](#input\_create\_sg) | Whether to create security group | `bool` | `true` | no |
| <a name="input_description"></a> [description](#input\_description) | Description of security group | `string` | `"Security Group managed by Terraform"` | no |
| <a name="input_egress_cidr_blocks"></a> [egress\_cidr\_blocks](#input\_egress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all egress rules | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_egress_ipv6_cidr_blocks"></a> [egress\_ipv6\_cidr\_blocks](#input\_egress\_ipv6\_cidr\_blocks) | List of IPv6 CIDR ranges to use on all egress rules | `list(string)` | <pre>[<br> "::/0"<br>]</pre> | no |
......@@ -234,7 +231,7 @@ No modules.
| <a name="input_ingress_with_ipv6_cidr_blocks"></a> [ingress\_with\_ipv6\_cidr\_blocks](#input\_ingress\_with\_ipv6\_cidr\_blocks) | List of ingress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| <a name="input_ingress_with_self"></a> [ingress\_with\_self](#input\_ingress\_with\_self) | List of ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
| <a name="input_ingress_with_source_security_group_id"></a> [ingress\_with\_source\_security\_group\_id](#input\_ingress\_with\_source\_security\_group\_id) | List of ingress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of security group | `string` | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | Name of security group - not required if create\_group is false | `string` | `null` | no |
| <a name="input_number_of_computed_egress_rules"></a> [number\_of\_computed\_egress\_rules](#input\_number\_of\_computed\_egress\_rules) | Number of computed egress rules to create by name | `number` | `0` | no |
| <a name="input_number_of_computed_egress_with_cidr_blocks"></a> [number\_of\_computed\_egress\_with\_cidr\_blocks](#input\_number\_of\_computed\_egress\_with\_cidr\_blocks) | Number of computed egress rules to create where 'cidr\_blocks' is used | `number` | `0` | no |
| <a name="input_number_of_computed_egress_with_ipv6_cidr_blocks"></a> [number\_of\_computed\_egress\_with\_ipv6\_cidr\_blocks](#input\_number\_of\_computed\_egress\_with\_ipv6\_cidr\_blocks) | Number of computed egress rules to create where 'ipv6\_cidr\_blocks' is used | `number` | `0` | no |
......@@ -247,9 +244,10 @@ No modules.
| <a name="input_number_of_computed_ingress_with_source_security_group_id"></a> [number\_of\_computed\_ingress\_with\_source\_security\_group\_id](#input\_number\_of\_computed\_ingress\_with\_source\_security\_group\_id) | Number of computed ingress rules to create where 'source\_security\_group\_id' is used | `number` | `0` | no |
| <a name="input_revoke_rules_on_delete"></a> [revoke\_rules\_on\_delete](#input\_revoke\_rules\_on\_delete) | Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. Enable for EMR. | `bool` | `false` | no |
| <a name="input_rules"></a> [rules](#input\_rules) | Map of known security group rules (define as 'name' = ['from port', 'to port', 'protocol', 'description']) | `map(list(any))` | <pre>{<br> "_": [<br> "",<br> "",<br> ""<br> ],<br> "activemq-5671-tcp": [<br> 5671,<br> 5671,<br> "tcp",<br> "ActiveMQ AMQP"<br> ],<br> "activemq-61614-tcp": [<br> 61614,<br> 61614,<br> "tcp",<br> "ActiveMQ STOMP"<br> ],<br> "activemq-61617-tcp": [<br> 61617,<br> 61617,<br> "tcp",<br> "ActiveMQ OpenWire"<br> ],<br> "activemq-61619-tcp": [<br> 61619,<br> 61619,<br> "tcp",<br> "ActiveMQ WebSocket"<br> ],<br> "activemq-8883-tcp": [<br> 8883,<br> 8883,<br> "tcp",<br> "ActiveMQ MQTT"<br> ],<br> "alertmanager-9093-tcp": [<br> 9093,<br> 9093,<br> "tcp",<br> "Alert Manager"<br> ],<br> "alertmanager-9094-tcp": [<br> 9094,<br> 9094,<br> "tcp",<br> "Alert Manager Cluster"<br> ],<br> "all-all": [<br> -1,<br> -1,<br> "-1",<br> "All protocols"<br> ],<br> "all-icmp": [<br> -1,<br> -1,<br> "icmp",<br> "All IPV4 ICMP"<br> ],<br> "all-ipv6-icmp": [<br> -1,<br> -1,<br> 58,<br> "All IPV6 ICMP"<br> ],<br> "all-tcp": [<br> 0,<br> 65535,<br> "tcp",<br> "All TCP ports"<br> ],<br> "all-udp": [<br> 0,<br> 65535,<br> "udp",<br> "All UDP ports"<br> ],<br> "carbon-admin-tcp": [<br> 2004,<br> 2004,<br> "tcp",<br> "Carbon admin"<br> ],<br> "carbon-gui-udp": [<br> 8081,<br> 8081,<br> "tcp",<br> "Carbon GUI"<br> ],<br> "carbon-line-in-tcp": [<br> 2003,<br> 2003,<br> "tcp",<br> "Carbon line-in"<br> ],<br> "carbon-line-in-udp": [<br> 2003,<br> 2003,<br> "udp",<br> "Carbon line-in"<br> ],<br> "carbon-pickle-tcp": [<br> 2013,<br> 2013,<br> "tcp",<br> "Carbon pickle"<br> ],<br> "carbon-pickle-udp": [<br> 2013,<br> 2013,<br> "udp",<br> "Carbon pickle"<br> ],<br> "cassandra-clients-tcp": [<br> 9042,<br> 9042,<br> "tcp",<br> "Cassandra clients"<br> ],<br> "cassandra-jmx-tcp": [<br> 7199,<br> 7199,<br> "tcp",<br> "JMX"<br> ],<br> "cassandra-thrift-clients-tcp": [<br> 9160,<br> 9160,<br> "tcp",<br> "Cassandra Thrift clients"<br> ],<br> "consul-cli-rpc-tcp": [<br> 8400,<br> 8400,<br> "tcp",<br> "Consul CLI RPC"<br> ],<br> "consul-dns-tcp": [<br> 8600,<br> 8600,<br> "tcp",<br> "Consul DNS"<br> ],<br> "consul-dns-udp": [<br> 8600,<br> 8600,<br> "udp",<br> "Consul DNS"<br> ],<br> "consul-serf-lan-tcp": [<br> 8301,<br> 8301,<br> "tcp",<br> "Serf LAN"<br> ],<br> "consul-serf-lan-udp": [<br> 8301,<br> 8301,<br> "udp",<br> "Serf LAN"<br> ],<br> "consul-serf-wan-tcp": [<br> 8302,<br> 8302,<br> "tcp",<br> "Serf WAN"<br> ],<br> "consul-serf-wan-udp": [<br> 8302,<br> 8302,<br> "udp",<br> "Serf WAN"<br> ],<br> "consul-tcp": [<br> 8300,<br> 8300,<br> "tcp",<br> "Consul server"<br> ],<br> "consul-webui-tcp": [<br> 8500,<br> 8500,<br> "tcp",<br> "Consul web UI"<br> ],<br> "dns-tcp": [<br> 53,<br> 53,<br> "tcp",<br> "DNS"<br> ],<br> "dns-udp": [<br> 53,<br> 53,<br> "udp",<br> "DNS"<br> ],<br> "docker-swarm-mngmt-tcp": [<br> 2377,<br> 2377,<br> "tcp",<br> "Docker Swarm cluster management"<br> ],<br> "docker-swarm-node-tcp": [<br> 7946,<br> 7946,<br> "tcp",<br> "Docker Swarm node"<br> ],<br> "docker-swarm-node-udp": [<br> 7946,<br> 7946,<br> "udp",<br> "Docker Swarm node"<br> ],<br> "docker-swarm-overlay-udp": [<br> 4789,<br> 4789,<br> "udp",<br> "Docker Swarm Overlay Network Traffic"<br> ],<br> "elasticsearch-java-tcp": [<br> 9300,<br> 9300,<br> "tcp",<br> "Elasticsearch Java interface"<br> ],<br> "elasticsearch-rest-tcp": [<br> 9200,<br> 9200,<br> "tcp",<br> "Elasticsearch REST interface"<br> ],<br> "grafana-tcp": [<br> 3000,<br> 3000,<br> "tcp",<br> "Grafana Dashboard"<br> ],<br> "graphite-2003-tcp": [<br> 2003,<br> 2003,<br> "tcp",<br> "Carbon receiver plain text"<br> ],<br> "graphite-2004-tcp": [<br> 2004,<br> 2004,<br> "tcp",<br> "Carbon receiver pickle"<br> ],<br> "graphite-2023-tcp": [<br> 2023,<br> 2023,<br> "tcp",<br> "Carbon aggregator plaintext"<br> ],<br> "graphite-2024-tcp": [<br> 2024,<br> 2024,<br> "tcp",<br> "Carbon aggregator pickle"<br> ],<br> "graphite-8080-tcp": [<br> 8080,<br> 8080,<br> "tcp",<br> "Graphite gunicorn port"<br> ],<br> "graphite-8125-tcp": [<br> 8125,<br> 8125,<br> "tcp",<br> "Statsd TCP"<br> ],<br> "graphite-8125-udp": [<br> 8125,<br> 8125,<br> "udp",<br> "Statsd UDP default"<br> ],<br> "graphite-8126-tcp": [<br> 8126,<br> 8126,<br> "tcp",<br> "Statsd admin"<br> ],<br> "graphite-webui": [<br> 80,<br> 80,<br> "tcp",<br> "Graphite admin interface"<br> ],<br> "http-80-tcp": [<br> 80,<br> 80,<br> "tcp",<br> "HTTP"<br> ],<br> "http-8080-tcp": [<br> 8080,<br> 8080,<br> "tcp",<br> "HTTP"<br> ],<br> "https-443-tcp": [<br> 443,<br> 443,<br> "tcp",<br> "HTTPS"<br> ],<br> "https-8443-tcp": [<br> 8443,<br> 8443,<br> "tcp",<br> "HTTPS"<br> ],<br> "ipsec-4500-udp": [<br> 4500,<br> 4500,<br> "udp",<br> "IPSEC NAT-T"<br> ],<br> "ipsec-500-udp": [<br> 500,<br> 500,<br> "udp",<br> "IPSEC ISAKMP"<br> ],<br> "kafka-broker-tcp": [<br> 9092,<br> 9092,<br> "tcp",<br> "Kafka broker 0.8.2+"<br> ],<br> "kafka-broker-tls-tcp": [<br> 9094,<br> 9094,<br> "tcp",<br> "Kafka TLS enabled broker 0.8.2+"<br> ],<br> "kafka-jmx-exporter-tcp": [<br> 11001,<br> 11001,<br> "tcp",<br> "Kafka JMX Exporter"<br> ],<br> "kafka-node-exporter-tcp": [<br> 11002,<br> 11002,<br> "tcp",<br> "Kafka Node Exporter"<br> ],<br> "kibana-tcp": [<br> 5601,<br> 5601,<br> "tcp",<br> "Kibana Web Interface"<br> ],<br> "kubernetes-api-tcp": [<br> 6443,<br> 6443,<br> "tcp",<br> "Kubernetes API Server"<br> ],<br> "ldap-tcp": [<br> 389,<br> 389,<br> "tcp",<br> "LDAP"<br> ],<br> "ldaps-tcp": [<br> 636,<br> 636,<br> "tcp",<br> "LDAPS"<br> ],<br> "logstash-tcp": [<br> 5044,<br> 5044,<br> "tcp",<br> "Logstash"<br> ],<br> "memcached-tcp": [<br> 11211,<br> 11211,<br> "tcp",<br> "Memcached"<br> ],<br> "minio-tcp": [<br> 9000,<br> 9000,<br> "tcp",<br> "MinIO"<br> ],<br> "mongodb-27017-tcp": [<br> 27017,<br> 27017,<br> "tcp",<br> "MongoDB"<br> ],<br> "mongodb-27018-tcp": [<br> 27018,<br> 27018,<br> "tcp",<br> "MongoDB shard"<br> ],<br> "mongodb-27019-tcp": [<br> 27019,<br> 27019,<br> "tcp",<br> "MongoDB config server"<br> ],<br> "mssql-analytics-tcp": [<br> 2383,<br> 2383,<br> "tcp",<br> "MSSQL Analytics"<br> ],<br> "mssql-broker-tcp": [<br> 4022,<br> 4022,<br> "tcp",<br> "MSSQL Broker"<br> ],<br> "mssql-tcp": [<br> 1433,<br> 1433,<br> "tcp",<br> "MSSQL Server"<br> ],<br> "mssql-udp": [<br> 1434,<br> 1434,<br> "udp",<br> "MSSQL Browser"<br> ],<br> "mysql-tcp": [<br> 3306,<br> 3306,<br> "tcp",<br> "MySQL/Aurora"<br> ],<br> "nfs-tcp": [<br> 2049,<br> 2049,<br> "tcp",<br> "NFS/EFS"<br> ],<br> "nomad-http-tcp": [<br> 4646,<br> 4646,<br> "tcp",<br> "Nomad HTTP"<br> ],<br> "nomad-rpc-tcp": [<br> 4647,<br> 4647,<br> "tcp",<br> "Nomad RPC"<br> ],<br> "nomad-serf-tcp": [<br> 4648,<br> 4648,<br> "tcp",<br> "Serf"<br> ],<br> "nomad-serf-udp": [<br> 4648,<br> 4648,<br> "udp",<br> "Serf"<br> ],<br> "ntp-udp": [<br> 123,<br> 123,<br> "udp",<br> "NTP"<br> ],<br> "openvpn-https-tcp": [<br> 443,<br> 443,<br> "tcp",<br> "OpenVPN"<br> ],<br> "openvpn-tcp": [<br> 943,<br> 943,<br> "tcp",<br> "OpenVPN"<br> ],<br> "openvpn-udp": [<br> 1194,<br> 1194,<br> "udp",<br> "OpenVPN"<br> ],<br> "oracle-db-tcp": [<br> 1521,<br> 1521,<br> "tcp",<br> "Oracle"<br> ],<br> "postgresql-tcp": [<br> 5432,<br> 5432,<br> "tcp",<br> "PostgreSQL"<br> ],<br> "prometheus-http-tcp": [<br> 9090,<br> 9090,<br> "tcp",<br> "Prometheus"<br> ],<br> "prometheus-pushgateway-http-tcp": [<br> 9091,<br> 9091,<br> "tcp",<br> "Prometheus Pushgateway"<br> ],<br> "puppet-tcp": [<br> 8140,<br> 8140,<br> "tcp",<br> "Puppet"<br> ],<br> "puppetdb-tcp": [<br> 8081,<br> 8081,<br> "tcp",<br> "PuppetDB"<br> ],<br> "rabbitmq-15672-tcp": [<br> 15672,<br> 15672,<br> "tcp",<br> "RabbitMQ"<br> ],<br> "rabbitmq-25672-tcp": [<br> 25672,<br> 25672,<br> "tcp",<br> "RabbitMQ"<br> ],<br> "rabbitmq-4369-tcp": [<br> 4369,<br> 4369,<br> "tcp",<br> "RabbitMQ epmd"<br> ],<br> "rabbitmq-5671-tcp": [<br> 5671,<br> 5671,<br> "tcp",<br> "RabbitMQ"<br> ],<br> "rabbitmq-5672-tcp": [<br> 5672,<br> 5672,<br> "tcp",<br> "RabbitMQ"<br> ],<br> "rdp-tcp": [<br> 3389,<br> 3389,<br> "tcp",<br> "Remote Desktop"<br> ],<br> "rdp-udp": [<br> 3389,<br> 3389,<br> "udp",<br> "Remote Desktop"<br> ],<br> "redis-tcp": [<br> 6379,<br> 6379,<br> "tcp",<br> "Redis"<br> ],<br> "redshift-tcp": [<br> 5439,<br> 5439,<br> "tcp",<br> "Redshift"<br> ],<br> "solr-tcp": [<br> 8983,<br> 8987,<br> "tcp",<br> "Solr"<br> ],<br> "splunk-hec-tcp": [<br> 8088,<br> 8088,<br> "tcp",<br> "Splunk HEC"<br> ],<br> "splunk-indexer-tcp": [<br> 9997,<br> 9997,<br> "tcp",<br> "Splunk indexer"<br> ],<br> "splunk-splunkd-tcp": [<br> 8089,<br> 8089,<br> "tcp",<br> "Splunkd"<br> ],<br> "splunk-web-tcp": [<br> 8000,<br> 8000,<br> "tcp",<br> "Splunk Web"<br> ],<br> "squid-proxy-tcp": [<br> 3128,<br> 3128,<br> "tcp",<br> "Squid default proxy"<br> ],<br> "ssh-tcp": [<br> 22,<br> 22,<br> "tcp",<br> "SSH"<br> ],<br> "storm-nimbus-tcp": [<br> 6627,<br> 6627,<br> "tcp",<br> "Nimbus"<br> ],<br> "storm-supervisor-tcp": [<br> 6700,<br> 6703,<br> "tcp",<br> "Supervisor"<br> ],<br> "storm-ui-tcp": [<br> 8080,<br> 8080,<br> "tcp",<br> "Storm UI"<br> ],<br> "web-jmx-tcp": [<br> 1099,<br> 1099,<br> "tcp",<br> "JMX"<br> ],<br> "winrm-http-tcp": [<br> 5985,<br> 5985,<br> "tcp",<br> "WinRM HTTP"<br> ],<br> "winrm-https-tcp": [<br> 5986,<br> 5986,<br> "tcp",<br> "WinRM HTTPS"<br> ],<br> "zipkin-admin-query-tcp": [<br> 9901,<br> 9901,<br> "tcp",<br> "Zipkin Admin port query"<br> ],<br> "zipkin-admin-tcp": [<br> 9990,<br> 9990,<br> "tcp",<br> "Zipkin Admin port collector"<br> ],<br> "zipkin-admin-web-tcp": [<br> 9991,<br> 9991,<br> "tcp",<br> "Zipkin Admin port web"<br> ],<br> "zipkin-query-tcp": [<br> 9411,<br> 9411,<br> "tcp",<br> "Zipkin query port"<br> ],<br> "zipkin-web-tcp": [<br> 8080,<br> 8080,<br> "tcp",<br> "Zipkin web port"<br> ],<br> "zookeeper-2181-tcp": [<br> 2181,<br> 2181,<br> "tcp",<br> "Zookeeper"<br> ],<br> "zookeeper-2888-tcp": [<br> 2888,<br> 2888,<br> "tcp",<br> "Zookeeper"<br> ],<br> "zookeeper-3888-tcp": [<br> 3888,<br> 3888,<br> "tcp",<br> "Zookeeper"<br> ],<br> "zookeeper-jmx-tcp": [<br> 7199,<br> 7199,<br> "tcp",<br> "JMX"<br> ]<br>}</pre> | no |
| <a name="input_security_group_id"></a> [security\_group\_id](#input\_security\_group\_id) | ID of existing security group whose rules we will manage | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to security group | `map(string)` | `{}` | no |
| <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Whether to use name\_prefix or fixed name. Should be true to able to update security group name after initial creation | `bool` | `true` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where to create security group | `string` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC where to create security group | `string` | `null` | no |
## Outputs
......
examples/complete/README.md
View file @ ac988ca2
......@@ -35,6 +35,7 @@ No requirements.
| <a name="module_fixed_name_sg"></a> [fixed\_name\_sg](#module\_fixed\_name\_sg) | ../../ | |
| <a name="module_ipv4_ipv6_example"></a> [ipv4\_ipv6\_example](#module\_ipv4\_ipv6\_example) | ../../ | |
| <a name="module_main_sg"></a> [main\_sg](#module\_main\_sg) | ../../ | |
| <a name="module_only_rules"></a> [only\_rules](#module\_only\_rules) | ../../ | |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | |
## Resources
......
examples/complete/main.tf
View file @ ac988ca2
......@@ -380,3 +380,20 @@ module "fixed_name_sg" {
ingress_rules = ["https-443-tcp"]
}
############################
# Only security group rules
############################
module "only_rules" {
source = "../../"
create_sg = false
security_group_id = module.complete_sg.security_group_id
ingress_with_source_security_group_id = [
{
description = "http from service one"
rule = "http-80-tcp"
source_security_group_id = data.aws_security_group.default.id
},
]
}
examples/rules-only/README.md 0 → 100644
View file @ ac988ca2
# Create rules only
Configuration in this directory creates two security groups using native Terraform resources, and then uses the module to add rules.
Data sources are used to discover existing VPC resources (VPC and default security group).
## Usage
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
No requirements.
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rules_one"></a> [rules\_one](#module\_rules\_one) | ../../ | |
| <a name="module_rules_two"></a> [rules\_two](#module\_rules\_two) | ../../ | |
## Resources
| Name | Type |
|------|------|
| [aws_security_group.service_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.service_two](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
## Inputs
No inputs.
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_service_one_security_group_id"></a> [service\_one\_security\_group\_id](#output\_service\_one\_security\_group\_id) | The ID of the security group for service one |
| <a name="output_service_two_security_group_id"></a> [service\_two\_security\_group\_id](#output\_service\_two\_security\_group\_id) | The ID of the security group for service two |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
examples/rules-only/main.tf 0 → 100644
View file @ ac988ca2
provider "aws" {
region = "eu-west-1"
}
#############################################################
# Data sources to get VPC and default security group details
#############################################################
data "aws_vpc" "default" {
default = true
}
data "aws_security_group" "default" {
name = "default"
vpc_id = data.aws_vpc.default.id
}
########################################################
# Create SGs
########################################################
resource "aws_security_group" "service_one" {
name = "service_one"
description = "Allow access from service two"
}
resource "aws_security_group" "service_two" {
name = "service_two"
description = "Allow access from service one"
}
########################################################
# Add SG rules
########################################################
module "rules_one" {
source = "../../"
create_sg = false
security_group_id = aws_security_group.service_one.id
ingress_with_source_security_group_id = [
{
description = "http from service two"
rule = "http-80-tcp"
source_security_group_id = aws_security_group.service_two.id
},
]
}
module "rules_two" {
source = "../../"
create_sg = false
security_group_id = aws_security_group.service_two.id
ingress_with_source_security_group_id = [
{
description = "http from service one"
rule = "http-80-tcp"
source_security_group_id = aws_security_group.service_one.id
},
]
}
examples/rules-only/outputs.tf 0 → 100644
View file @ ac988ca2
output "service_one_security_group_id" {
description = "The ID of the security group for service one"
value = aws_security_group.service_one.id
}
output "service_two_security_group_id" {
description = "The ID of the security group for service two"
value = aws_security_group.service_two.id
}
main.tf
View file @ ac988ca2
......@@ -2,18 +2,14 @@
# Get ID of created Security Group
##################################
locals {
this_sg_id = concat(
aws_security_group.this.*.id,
aws_security_group.this_name_prefix.*.id,
[""],
)[0]
this_sg_id = var.create_sg ? concat(aws_security_group.this.*.id, aws_security_group.this_name_prefix.*.id, [""])[0] : var.security_group_id
}
##########################
# Security group with name
##########################
resource "aws_security_group" "this" {
count = var.create && false == var.use_name_prefix ? 1 : 0
count = var.create && var.create_sg && !var.use_name_prefix ? 1 : 0
name = var.name
description = var.description
......@@ -32,7 +28,7 @@ resource "aws_security_group" "this" {
# Security group with name_prefix
#################################
resource "aws_security_group" "this_name_prefix" {
count = var.create && var.use_name_prefix ? 1 : 0
count = var.create && var.create_sg && var.use_name_prefix ? 1 : 0
name_prefix = "${var.name}-"
description = var.description
......
variables.tf
View file @ ac988ca2
......@@ -7,14 +7,28 @@ variable "create" {
default = true
}
variable "create_sg" {
description = "Whether to create security group"
type = bool
default = true
}
variable "security_group_id" {
description = "ID of existing security group whose rules we will manage"
type = string
default = null
}
variable "vpc_id" {
description = "ID of the VPC where to create security group"
type = string
default = null
}
variable "name" {
description = "Name of security group"
description = "Name of security group - not required if create_group is false"
type = string
default = null
}
variable "use_name_prefix" {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment