From 04edd3c70eb0e7467a78a280ff4c48bcaa720e5d Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 25 Oct 2021 12:04:51 -0400
Subject: [PATCH] try to fix
---
 common/ports.tf | 32 +++++++++++++++----
 common/resources.tf | 78 +++++++++++++++++++++++++++++++++++++++++++--
 custom/ports.tf | 31 +++++++++++++-----
 sas/README.md | 4 +--
 sas/ports.tf | 29 +++++++++++++----
 5 files changed, 148 insertions(+), 26 deletions(-)
diff --git a/common/ports.tf b/common/ports.tf
index a603624..0896524 100644
--- a/common/ports.tf
+++ b/common/ports.tf
@@ -1,5 +1,5 @@
 locals {
- ports = var.ingress_port_list
+ ports = []
 ingress_networks = var.ingress_networks
 egress_networks = var.egress_networks
@@ -7,14 +7,30 @@ locals {
 ingress_sg = var.ingress_security_groups
 egress_sg = var.egress_security_groups
+ # ports
 p_fields = ["from", "to", "proto", "description", "cidr"]
- # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
- p_map = length(var.ingress_port_list) > 0 ? [for p in compact(concat(local.ports, var.ingress_port_list)) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)]
- port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) }
+ p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
+ p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
+ p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []
- p_self_fields = ["from", "to", "proto", "description"]
- self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
- self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map))
+ port_map = {
+ "external" = []
+ "module_ports" = p_list1
+ "ingress_ports" = p_list2
+ "ingress_map" = p_list3
+ }
+
+ # self ports
+ p_self_fields = ["from", "to", "proto", "description"]
+ sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
+ sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
+ sp_list3 = local._defaults["self_port_list"]
+
+ self_port_map = {
+ "ingress_ports" = sp_list1
+ "ingress_map" = sp_list2
+ "default" = sp_list3
+ }
 }
 # locals {
@@ -46,3 +62,5 @@ locals {
 # }
 #
 #
+
+
diff --git a/common/resources.tf b/common/resources.tf
index 560ad3a..d6ac551 100644
--- a/common/resources.tf
+++ b/common/resources.tf
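Review bot: The values in the new `port_map` and `self_port_map` maps reference sibling locals as bare names (`"module_ports" = p_list1`, `"ingress_ports" = sp_list1`, and so on); Terraform only resolves locals through the `local.` prefix and reports a bare identifier as an invalid reference, so these lines need `"module_ports" = local.p_list1` and the like. The same lines recur in the custom/ports.tf and sas/ports.tf hunks. `p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []` and the matching `sp_list2` line yield the variable itself on both branches and can simply be `p_list3 = var.ingress_port_map`. With `ports = []` from the first hunk and `"external" = []` here, both `module_ports` and the `external` key that resources.tf still renders are permanently empty for this module; if that is intended, a comment saying so would save the next reader from tracing it.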
@@ -11,6 +11,9 @@ resource "aws_security_group" "this_security_group" {
 description = var.description
 vpc_id = var.vpc_id
+ #---
+ # ingress
+ #---
 # ingresss external port list (list + vpc if enabaled)
 dynamic "ingress" {
 for_each = local.port_map["external"]
@@ -24,6 +27,45 @@ resource "aws_security_group" "this_security_group" {
 }
 }
+ # ingress module-defined ports
+ dynamic "ingress" {
+ for_each = local.port_map["module_ports"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+ }
+ }
+
+ # ingress_ports
+ dynamic "ingress" {
+ for_each = local.port_map["ingress_ports"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+ }
+ }
+
+ # ingress map
+ dynamic "ingress" {
+ for_each = local.port_map["ingress_ports"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+ }
+ }
+
 # ingress security group ids (all)
 dynamic "ingress" {
 for_each = local.ingress_sg
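Review bot: The third added block in the second hunk, commented `# ingress map`, iterates `local.port_map["ingress_ports"]` instead of `local.port_map["ingress_map"]`, so rules supplied through `var.ingress_port_map` are never rendered while the `ingress_ports` rules are emitted a second time (identical inline rules are also likely to be rejected by the AWS API). The fix is `for_each = local.port_map["ingress_map"]`. Since the three new `content` bodies are byte-for-byte identical, one dynamic block over `concat(local.port_map["module_ports"], local.port_map["ingress_ports"], local.port_map["ingress_map"])` would render the same rules and remove the copy-paste surface that produced this slip. The resource block starts before and continues after this hunk.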
@@ -37,9 +79,38 @@ resource "aws_security_group" "this_security_group" {
 }
 }
- # ingress self (list with one or zero items)
+ #---
+ # ingress self
+ #---
+ # ingress self port list
+ dynamic "ingress" {
+ for_each = var.enable_self ? local.self_port_map["ingress_ports"] : []
+ iterator = sg
+ content {
+ description = "${local.short_description}: self ${sg.value["description"]}"
+ from_port = sg.value["from"]
+ to_port = sg.value["to"]
+ protocol = sg.value["proto"]
+ self = true
+ }
+ }
+
+ # ingress self port map
+ dynamic "ingress" {
+ for_each = var.enable_self ? local.self_port_map["ingress_map"] : []
+ iterator = sg
+ content {
+ description = "${local.short_description}: self ${sg.value["description"]}"
+ from_port = sg.value["from"]
+ to_port = sg.value["to"]
+ protocol = sg.value["proto"]
+ self = true
+ }
+ }
+
+ # ingress self port default
 dynamic "ingress" {
- for_each = var.enable_self ? local.self_port_map : []
+ for_each = var.enable_self ? local.self_port_map["default"] : []
 iterator = sg
 content {
 description = "${local.short_description}: self ${sg.value["description"]}"
@@ -50,6 +121,9 @@ resource "aws_security_group" "this_security_group" {
 }
 }
+ #---
+ # egress
+ #---
 # egress all
 egress {
 description = "${local.short_description}: All"
diff --git a/custom/ports.tf b/custom/ports.tf
index 7b5c97e..ece32b8 100644
--- a/custom/ports.tf
+++ b/custom/ports.tf
@@ -1,5 +1,5 @@
 locals {
- ports = [[]]
+ ports = []
 ingress_networks = var.ingress_networks
 egress_networks = var.egress_networks
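Review bot: With `enable_self` set, the `# ingress self port default` block now always renders `local.self_port_map["default"]` in addition to the caller's own list and map, whereas the removed `self_port_list` logic in ports.tf used the default only when `ingress_self_port_list` was empty; a caller who restricted self access to a few ports therefore now also receives the default rule, and if that default is an all-ports entry like the `0, 0, -1, "all"` the old README default used, the restriction is silently widened. Gate the default on nothing having been supplied, e.g. `for_each = var.enable_self && length(local.self_port_map["ingress_ports"]) + length(local.self_port_map["ingress_map"]) == 0 ? local.self_port_map["default"] : []`, or state in the block comment that the default is additive so the behaviour change is deliberate. The equivalent guard could instead live on the `sp_list3` line of the three ports.tf hunks. The resource block starts before and continues after this hunk.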
@@ -7,13 +7,28 @@ locals {
 ingress_sg = var.ingress_security_groups
 egress_sg = var.egress_security_groups
+ # ports
 p_fields = ["from", "to", "proto", "description", "cidr"]
- # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
- port_source = length(var.ingress_port_list) > 0 ? tolist(var.ingress_port_list) : tolist(local.ports)
- p_map = [for p in local.port_source : zipmap(local.p_fields, p)]
- port_map = { "external" = compact(concat(local.p_map, tolist(var.ingress_port_map))) }
+ p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
+ p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
+ p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []
- p_self_fields = ["from", "to", "proto", "description"]
- self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"]
- self_port_map = compact(concat(local.self_port_list, tolist(var.ingress_self_port_map)))
+ port_map = {
+ "external" = []
+ "module_ports" = p_list1
+ "ingress_ports" = p_list2
+ "ingress_map" = p_list3
+ }
+
+ # self ports
+ p_self_fields = ["from", "to", "proto", "description"]
+ sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
+ sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
+ sp_list3 = local._defaults["self_port_list"]
+
+ self_port_map = {
+ "ingress_ports" = sp_list1
+ "ingress_map" = sp_list2
+ "default" = sp_list3
+ }
 }
diff --git a/sas/README.md b/sas/README.md
index 8d294d4..5f237db 100644
--- a/sas/README.md
+++ b/sas/README.md
@@ -104,10 +104,10 @@ No modules.
 | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
-| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
+| [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` |
[
[]
]
| no |
 | [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no |
 | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
-| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[
0,
0,
-1,
"all"
]
]
| no |
+| [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` |
[
[]
]
| no |
 | [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no |
 | [name](#input\_name) | Security Group Name | `string` | `""` | no |
 | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no |
diff --git a/sas/ports.tf b/sas/ports.tf
index b9bfc01..57526a9 100644
--- a/sas/ports.tf
+++ b/sas/ports.tf
@@ -33,19 +33,34 @@ locals { [9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]], ] - ingress_networks = var.ingress_networks egress_networks = var.egress_networks ingress_sg = var.ingress_security_groups egress_sg = var.egress_security_groups + # ports p_fields = ["from", "to", "proto", "description", "cidr"] - # p_map = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map - p_map = length(var.ingress_port_list) > 0 ? [for p in concat(local.ports, var.ingress_port_list) : zipmap(local.p_fields, p)] : [for p in local.ports : zipmap(local.p_fields, p)] - port_map = { "external" = compact(concat(local.p_map, var.ingress_port_map)) } + p_list1 = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : [] + p_list2 = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : [] + p_list3 = length(var.ingress_port_map) > 0 ? var.ingress_port_map : [] + + port_map = { + "external" = [] + "module_ports" = p_list1 + "ingress_ports" = p_list2 + "ingress_map" = p_list3 + } - p_self_fields = ["from", "to", "proto", "description"] - self_port_list = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : local._defaults["self_port_list"] - self_port_map = compact(concat(local.self_port_list, var.ingress_self_port_map)) + # self ports + p_self_fields = ["from", "to", "proto", "description"] + sp_list1 = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : [] + sp_list2 = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : [] + sp_list3 = local._defaults["self_port_list"] + + self_port_map = { + "ingress_ports" = sp_list1 + "ingress_map" = sp_list2 + "default" = sp_list3 + } }
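Review bot: `p_list2` and `sp_list1` apply `zipmap(local.p_fields, p)` to every element of the caller's list, and `zipmap` fails when the key and value lists differ in length; the README hunk in this commit lists `[[]]` as the default for both `ingress_port_list` and `ingress_self_port_list`, a one-element list whose element is empty, so with that default the `length(...) > 0` guard passes and the zipmap errors. Dropping malformed tuples instead, `p_list2 = [for p in var.ingress_port_list : zipmap(local.p_fields, p) if length(p) == length(local.p_fields)]` (and the same shape for `sp_list1` with `local.p_self_fields`), handles the empty-tuple default and makes the outer guard unnecessary; common/ports.tf and custom/ports.tf have the identical lines. The context line at the top of the hunk shows a 6-element entry (`…, local.networks["all"], ["external"]`) in the list being closed there; if that list is `local.ports`, `p_list1` zips it against the 5-name `p_fields` and fails the same way, although the old `p_map` line had the same issue. The locals block starts above this hunk.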