try to fix
badra001 committed Oct 25, 2021
1 parent 8341361 commit 04edd3c
Showing 5 changed files with 148 additions and 26 deletions.
32 changes: 25 additions & 7 deletions common/ports.tf
@@ -1,20 +1,36 @@
locals {
ports = var.ingress_port_list
ports = []

ingress_networks = var.ingress_networks
egress_networks = var.egress_networks

ingress_sg = var.ingress_security_groups
egress_sg = var.egress_security_groups

# ports
p_fields = ["from", "to", "proto", "description", "cidr"]
# p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
p_map = length(var.ingress_port_list) > 0 ? [for p in compact(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)]
port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) }
p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []

p_self_fields = ["from", "to", "proto", "description"]
self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map))
port_map = {
"external" = []
"module_ports" = p_list1
"ingress_ports" = p_list2
"ingress_map" = p_list3
}

# self ports
p_self_fields = ["from", "to", "proto", "description"]
sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
sp_list3 = local._defaults["self_port_list"]

self_port_map = {
"ingress_ports" = sp_list1
"ingress_map" = sp_list2
"default" = sp_list3
}
}

# locals {
Expand Down Expand Up @@ -46,3 +62,5 @@ locals {
# }
#
#


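Review bot: `sp_list3 = local._defaults["self_port_list"]` turns the module's default self rule into an unconditional one, whereas the removed `self_port_list` used `_defaults` only as a fallback when `var.ingress_self_port_list` was empty. Because resources.tf now walks `self_port_map["default"]` in its own loop whenever `enable_self` is set, a caller who supplies a deliberately narrow self port list still gets the default entries added on top; if `_defaults["self_port_list"]` is the `0, 0, -1, "all"` entry the README previously listed as the default, that silently widens intra-group access back to every port. Keep the fallback semantics with `sp_list3 = length(var.ingress_self_port_list) == 0 && length(var.ingress_self_port_map) == 0 ? local._defaults["self_port_list"] : []`, or document that the default is always applied. The `p_list3` and `sp_list2` ternaries return the same list in both branches and can be reduced to the bare variable.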
78 changes: 76 additions & 2 deletions common/resources.tf
Expand Up @@ -11,6 +11,9 @@ resource "aws_security_group" "this_security_group" {
description = var.description
vpc_id = var.vpc_id

#---
# ingress
#---
# ingresss external port list (list + vpc if enabaled)
dynamic "ingress" {
for_each = local.port_map["external"]
Expand All @@ -24,6 +27,45 @@ resource "aws_security_group" "this_security_group" {
}
}

# ingress module-defined ports
dynamic "ingress" {
for_each = local.port_map["module_ports"]
iterator = p
content {
description = "${local.short_description}: ${p.value["description"]}"
from_port = p.value["from"]
to_port = p.value["to"]
protocol = p.value["proto"]
cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
}
}

# ingress_ports
dynamic "ingress" {
for_each = local.port_map["ingress_ports"]
iterator = p
content {
description = "${local.short_description}: ${p.value["description"]}"
from_port = p.value["from"]
to_port = p.value["to"]
protocol = p.value["proto"]
cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
}
}

# ingress map
dynamic "ingress" {
for_each = local.port_map["ingress_ports"]
iterator = p
content {
description = "${local.short_description}: ${p.value["description"]}"
from_port = p.value["from"]
to_port = p.value["to"]
protocol = p.value["proto"]
cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
}
}

# ingress security group ids (all)
dynamic "ingress" {
for_each = local.ingress_sg
Expand All @@ -37,9 +79,38 @@ resource "aws_security_group" "this_security_group" {
}
}

# ingress self (list with one or zero items)
#---
# ingress self
#---
# ingress self port list
dynamic "ingress" {
for_each = var.enable_self ? local.self_port_map["ingress_ports"] : []
iterator = sg
content {
description = "${local.short_description}: self ${sg.value["description"]}"
from_port = sg.value["from"]
to_port = sg.value["to"]
protocol = sg.value["proto"]
self = true
}
}

# ingress self port map
dynamic "ingress" {
for_each = var.enable_self ? local.self_port_map["ingress_map"] : []
iterator = sg
content {
description = "${local.short_description}: self ${sg.value["description"]}"
from_port = sg.value["from"]
to_port = sg.value["to"]
protocol = sg.value["proto"]
self = true
}
}

# ingress self port default
dynamic "ingress" {
for_each = var.enable_self ? local.self_port_map : []
for_each = var.enable_self ? local.self_port_map["default"] : []
iterator = sg
content {
description = "${local.short_description}: self ${sg.value["description"]}"
Expand All @@ -50,6 +121,9 @@ resource "aws_security_group" "this_security_group" {
}
}

#---
# egress
#---
# egress all
egress {
description = "${local.short_description}: All"
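Review bot: The dynamic block commented `# ingress map` iterates `local.port_map["ingress_ports"]` a second time instead of `local.port_map["ingress_map"]`, so rules supplied through `ingress_port_map` are never created while `ingress_port_list` rules are emitted twice; since `ingress` is a set, the duplicates likely collapse and nothing flags the missing rules at plan time. Change that line to `for_each = local.port_map["ingress_map"]`. The first loop over `local.port_map["external"]` now iterates a list that all three ports.tf files hard-code to `[]`, so it is dead code and should be removed or its comment updated. The cidr fallback to `local.external_ingress_networks` when an entry's `cidr` is empty is pre-existing but deserves a comment such as `# empty cidr means "open to the external networks", not "no rule"`, because it is the opposite of what an empty list usually signals.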
31 changes: 23 additions & 8 deletions custom/ports.tf
@@ -1,19 +1,34 @@
locals {
ports = [[]]
ports = []

ingress_networks = var.ingress_networks
egress_networks = var.egress_networks

ingress_sg = var.ingress_security_groups
egress_sg = var.egress_security_groups

# ports
p_fields = ["from", "to", "proto", "description", "cidr"]
# p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
port_source = length(var.ingress_port_list) > 0 ? tolist(var.ingress_port_list) : tolist(local.ports)
p_map = [for p in local.port_source : zipmap(local.p_fields, p)]
port_map = { "external" = compact(concat(local.p_map, tolist(var.ingress_port_map))) }
p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []

p_self_fields = ["from", "to", "proto", "description"]
self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
self_port_map = compact(concat(local.self_port_list, tolist(var.ingress_self_port_map)))
port_map = {
"external" = []
"module_ports" = p_list1
"ingress_ports" = p_list2
"ingress_map" = p_list3
}

# self ports
p_self_fields = ["from", "to", "proto", "description"]
sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
sp_list3 = local._defaults["self_port_list"]

self_port_map = {
"ingress_ports" = sp_list1
"ingress_map" = sp_list2
"default" = sp_list3
}
}
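Review bot: `ports = []` is hard-coded, so `p_list1` and `port_map["module_ports"]` are always empty in this module, and the `length(...) > 0 ? x : []` ternaries on `p_list3` and `sp_list2` yield the same list in both branches; they read as guards but guard nothing. Either drop the `module_ports` key here or add `# custom defines no built-in ports; callers supply them via ingress_port_list/ingress_port_map`, and reduce the no-op conditionals to `p_list3 = var.ingress_port_map` and `sp_list2 = var.ingress_self_port_map`. Note also that `sp_list3` now adds `_defaults["self_port_list"]` unconditionally rather than only when the caller supplied no self ports; confirm that widening is intended for this module as well.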
4 changes: 2 additions & 2 deletions sas/README.md
Expand Up @@ -104,10 +104,10 @@ No modules.
| <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
| <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | <pre>[<br> []<br>]</pre> | no |
| <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br> from = number<br> to = number<br> proto = any<br> description = string<br> cidr = list(string)<br> }))</pre> | `[]` | no |
| <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br> [<br> 0,<br> 0,<br> -1,<br> "all"<br> ]<br>]</pre> | no |
| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br> []<br>]</pre> | no |
| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br> from = number<br> to = number<br> proto = any<br> description = string<br> }))</pre> | `[]` | no |
| <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `""` | no |
| <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no |
29 changes: 22 additions & 7 deletions sas/ports.tf
Expand Up @@ -33,19 +33,34 @@ locals {
[9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]],
]


ingress_networks = var.ingress_networks
egress_networks = var.egress_networks

ingress_sg = var.ingress_security_groups
egress_sg = var.egress_security_groups

# ports
p_fields = ["from", "to", "proto", "description", "cidr"]
# p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
p_map = length(var.ingress_port_list) > 0 ? [for p in concat(local.ports, var.ingress_port_list) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)]
port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) }
p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []

port_map = {
"external" = []
"module_ports" = p_list1
"ingress_ports" = p_list2
"ingress_map" = p_list3
}

p_self_fields = ["from", "to", "proto", "description"]
self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map))
# self ports
p_self_fields = ["from", "to", "proto", "description"]
sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
sp_list3 = local._defaults["self_port_list"]

self_port_map = {
"ingress_ports" = sp_list1
"ingress_map" = sp_list2
"default" = sp_list3
}
}
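Review bot: The context line `[9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]],` shows the module port tuples (presumably `local.ports`) carrying six elements while `p_fields` names five, so `zipmap(local.p_fields, p)` in `p_list1` gets mismatched key and value counts; Terraform's `zipmap` requires equal-length lists, so if that is the shape of every entry this module fails at plan, and if the trailing `["external"]` tag was meant to route entries into `port_map["external"]`, that bucket is now hard-coded `[]` so the tag is ignored. Either extend `p_fields` with a sixth name such as `"scope"` or slice the tuple, `zipmap(local.p_fields, slice(p, 0, 5))`. The README updated in this same commit documents `[[]]` as the default for `ingress_port_list` and `ingress_self_port_list`; if variables.tf really defaults to a one-element list holding an empty list, `length(var.ingress_port_list) > 0` is true and `zipmap` receives five keys and zero values, so those defaults should be `[]`. The enclosing `locals` block starts above the hunk.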
