add ingress self port list

CHANGELOG.md

@@ -12,6 +12,10 @@
   - custom
     - create custom submodule, requires port list passed
 
+* v2.2.1 -- 20211022
+  - custom
+    - add ingress_self_* option
+
 # OLDER
 
 ## web

common/README.md

@@ -30,11 +30,15 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
+| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
+| <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>    cidr        = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br>  [<br>    0,<br>    0,<br>    -1,<br>    "all"<br>  ]<br>]</pre> | no |
+| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |
 | <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |

common/resources.tf

@@ -3,7 +3,7 @@ locals {
   external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
   ingress_sg_names          = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
   egress_sg_names           = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
-  self                      = var.enable_self ? [1] : []
+  self                      = var.enable_self ? local.self_ports : []
 }
 
 resource "aws_security_group" "this_security_group" {
@@ -20,7 +20,7 @@ resource "aws_security_group" "this_security_group" {
       from_port   = p.value["from"]
       to_port     = p.value["to"]
       protocol    = p.value["proto"]
-      cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks)))
+      cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
     }
   }
 
@@ -42,10 +42,10 @@ resource "aws_security_group" "this_security_group" {
     for_each = local.self
     iterator = sg
     content {
-      description = "${local.short_description}: from self"
-      from_port   = 0
-      to_port     = 0
-      protocol    = -1
+      description = "${local.short_description}: self ${sg.value["description"]}"
+      from_port   = sg.value["from"]
+      to_port     = sg.value["to"]
+      protocol    = sg.value["proto"]
       self        = true
     }
   }
@@ -56,7 +56,7 @@ resource "aws_security_group" "this_security_group" {
     from_port   = 0
     to_port     = 0
     protocol    = -1
-    cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks)))
+    cidr_blocks = distinct(flatten(compact(concat(local.egress_networks, var.egress_networks))))
   }
 
   # egress security group ids (all)

common/variables.common.tf

@@ -17,9 +17,9 @@ variable "ingress_networks" {
 }
 
 variable "egress_networks" {
-  description = "List of egress networks (with all pre-defined egress ports)"
+  description = "List of egress networks (with all pre-defined egress ports) (default: any)"
   type        = list(string)
-  default     = []
+  default     = ["0.0.0.0/0"]
 }
 
 variable "ingress_security_groups" {

common/variables.port_list.tf

@@ -0,0 +1,35 @@
+variable "ingress_port_list" {
+  description = "Ingress port list of 5-tuple: from, to, proto, description, and cidr(list)"
+  #  type        = list(tuple([number, number, any, string, list]))
+  default = []
+}
+
+variable "ingress_port_map" {
+  description = "Ingress port list of objects: from, to, proto, description and cidr(list)"
+  type = list(object({
+    from        = number
+    to          = number
+    proto       = any
+    description = string
+    cidr        = list(string)
+  }))
+  default = []
+}
+
+variable "ingress_self_port_list" {
+  description = "Ingress port list of 4-tuple: from, to, proto, description"
+  #  type        = list(tuple([number, number, any, string]))
+  default = [[0, 0, -1, "all"]]
+}
+
+variable "ingress_self_port_map" {
+  description = "Ingress self access port list of objects: from, to, proto, description"
+  type = list(object({
+    from        = number
+    to          = number
+    proto       = any
+    description = string
+  }))
+  default = []
+}
+

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.2.0"
+  _module_version = "2.2.2"
 }

custom/README.md

@@ -94,13 +94,15 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `""` | no |
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
 | <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
 | <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>    cidr        = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br>  [<br>    0,<br>    0,<br>    -1,<br>    "all"<br>  ]<br>]</pre> | no |
+| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Security Group Name (required) | `string` | n/a | yes |
 | <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |

custom/ports.tf

@@ -11,4 +11,10 @@ locals {
   p_fields = ["from", "to", "proto", "description", "cidr"]
   p_map    = length(var.ingress_port_list) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : var.ingress_port_map
   port_map = { "external" = local.p_map }
+
+  # ingres
+  #variables.port_list.tf:variable "ingress_self_port_list" {
+  #variables.port_list.tf:variable "ingress_self_port_map" {
+  self_port_list = [{ from = 0, to = 0, proto = -1, description = "all" }]
+  self_ports     = local.self_port_list
 }

custom/variables.port_list.tf

@@ -0,0 +1 @@
+../common/variables.port_list.tf

custom/variables.tf

@@ -14,23 +14,3 @@ variable "short_description" {
   type        = string
   default     = ""
 }
-
-
-variable "ingress_port_list" {
-  description = "Ingress port list of 5-tuple: from, to, proto, description, and cidr(list)"
-  #  type        = list(tuple([number, number, any, string, list]))
-  default = []
-}
-
-variable "ingress_port_map" {
-  description = "Ingress port list of objects: from, to, proto, description and cidr(list)"
-  type = list(object({
-    from        = number
-    to          = number
-    proto       = any
-    description = string
-    cidr        = list(string)
-  }))
-  default = []
-}
-

sas/README.md

@@ -100,11 +100,15 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `""` | no |
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
+| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
+| <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>    cidr        = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br>  [<br>    0,<br>    0,<br>    -1,<br>    "all"<br>  ]<br>]</pre> | no |
+| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `""` | no |
 | <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |

sas/ports.tf

@@ -45,4 +45,7 @@ locals {
   port_map = { for s in local.source_groups :
     s => [for p in local.p_map : p if contains(p["source_group"], s)]
   }
+
+  self_port_list = [{ from = 0, to = 0, proto = -1, description = "all" }]
+  self_ports     = local.self_port_list
 }

sas/variables.port_list.tf

@@ -0,0 +1 @@
+../common/variables.port_list.tf