v2.2.4: add flag enable_default_egress

terraform-modules · Oct 27, 2021 · 1262dff · 1262dff
1 parent db54296
commit 1262dff
Show file tree

Hide file tree

Showing 7 changed files with 98 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,10 @@
   - sas
     - fix ports, self_port_list
 
+* v2.2.4 -- 20211027
+  - common (sas, custom)
+    - add flag `enable_default_egress` (ALL), default is true
+
 # OLDER
 
 ## web

diff --git a/common/README.md b/common/README.md
@@ -32,6 +32,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
+| <a name="input_enable_default_egress"></a> [enable\_default\_egress](#input\_enable\_default\_egress) | Enable\|Disable default egress of ALL | `bool` | `true` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
 | <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |

diff --git a/common/resources.tf b/common/resources.tf
@@ -124,13 +124,17 @@ resource "aws_security_group" "this_security_group" {
   #---
   # egress 
   #---
-  # egress all
-  egress {
-    description = "${local.short_description}: All"
-    from_port   = 0
-    to_port     = 0
-    protocol    = -1
-    cidr_blocks = distinct(flatten(compact(concat(local.egress_networks, var.egress_networks))))
+  # egress all (with flag enable_default_egress)
+  dynamic "egress" {
+    for_each = var.enable_default_egress ? [1] : []
+    iterator = sg
+    content {
+      description = "${local.short_description}: All"
+      from_port   = 0
+      to_port     = 0
+      protocol    = -1
+      cidr_blocks = distinct(flatten(compact(concat(local.egress_networks, var.egress_networks))))
+    }
   }
 
   # egress security group ids (all)

diff --git a/common/variables.common.tf b/common/variables.common.tf
@@ -39,3 +39,9 @@ variable "tags" {
   type        = map
   default     = {}
 }
+
+variable "enable_default_egress" {
+  description = "Enable|Disable default egress of ALL"
+  type        = bool
+  default     = true
+}
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.2.3"
+  _module_version = "2.2.4"
 }
diff --git a/custom/README.md b/custom/README.md
@@ -12,6 +12,9 @@ as the `ingress_port_list` excluding the final `cidr` field.  Again, if both are
 # Usage
 ## Port list
 
+This creates a security group with the default egress of ALL, and with an ingress port list allowing access from
+all hosts into port 8080 and 8443. This is a typical web application security group.
+
 ```hcl
 module "mysg" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//custom"
@@ -33,6 +36,10 @@ module "mysg" {
 
 ## Port Map
 
+This creates a security group with the default egress of ALL, and with an ingress port list allowing access from
+all hosts into port 8080 and 8443. This is a typical web application security group.   This is the same as above,
+but showing the map format which may be easier to read and maintain.
+
 ```hcl
 module "mysg" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//custom"
@@ -64,6 +71,35 @@ module "mysg" {
 }
 ```
 
+## Ingress self only
+
+This creates a security group that has an ingress self-only set of ports and protocols.  All instances with this security
+group will be able to communicate on the `ingress_self_port_list` ports.  This also does **not** create the default
+egress rules to allow all outbound (it assumes if needed, it is on another security group).
+
+```hcl
+module "sg_test" {
+  source                 = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//custom"
+  name                   = "Test"
+  description            = "Test ingress self"
+
+  vpc_id                 = var.vpc_id
+  enable_self            = true
+  enable_default_egress  = false
+  ingress_self_port_list = [
+    [137 , 137 , "udp", "SMB"],
+    [138 , 138 , "udp", "SMB"],
+    [139 , 139 , "udp", "SMB"],
+    [445 , 445 , "udp", "CIFS"],
+    [445 , 445 , "tcp", "CIFS"],
+  ]
+
+  tags = merge(
+    local.common_tags,
+  )
+}
+```
+
 ## Requirements
 
 | Name | Version |
@@ -99,12 +135,13 @@ No modules.
 | <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `""` | no |
 | <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
+| <a name="input_enable_default_egress"></a> [enable\_default\_egress](#input\_enable\_default\_egress) | Enable\|Disable default egress of ALL | `bool` | `true` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
-| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | <pre>[<br>  []<br>]</pre> | no |
+| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
 | <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>    cidr        = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
-| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br>  []<br>]</pre> | no |
+| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | `[]` | no |
 | <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Security Group Name (required) | `string` | n/a | yes |
 | <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no |

diff --git a/custom/main.tf b/custom/main.tf
@@ -12,6 +12,9 @@
 *
 * # Usage
 * ## Port list
+* 
+* This creates a security group with the default egress of ALL, and with an ingress port list allowing access from
+* all hosts into port 8080 and 8443. This is a typical web application security group.
 *
 * ```hcl
 * module "mysg" {
@@ -34,6 +37,10 @@
 * 
 * ## Port Map
 *
+* This creates a security group with the default egress of ALL, and with an ingress port list allowing access from
+* all hosts into port 8080 and 8443. This is a typical web application security group.   This is the same as above,
+* but showing the map format which may be easier to read and maintain.
+*
 * ```hcl
 * module "mysg" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//custom"
@@ -64,6 +71,35 @@
 *   )
 * }
 * ```
+*
+* ## Ingress self only
+*
+* This creates a security group that has an ingress self-only set of ports and protocols.  All instances with this security
+* group will be able to communicate on the `ingress_self_port_list` ports.  This also does **not** create the default
+* egress rules to allow all outbound (it assumes if needed, it is on another security group).
+*
+* ```hcl
+* module "sg_test" {
+*   source                 = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//custom"
+*   name                   = "Test"
+*   description            = "Test ingress self"
+* 
+*   vpc_id                 = var.vpc_id
+*   enable_self            = true
+*   enable_default_egress  = false
+*   ingress_self_port_list = [
+*     [137 , 137 , "udp", "SMB"],
+*     [138 , 138 , "udp", "SMB"],
+*     [139 , 139 , "udp", "SMB"],
+*     [445 , 445 , "udp", "CIFS"],
+*     [445 , 445 , "tcp", "CIFS"],
+*   ]
+* 
+*   tags = merge(
+*     local.common_tags,
+*   )
+* }
+* ```
 */
 
 # all of the code is in resource.tf, this is here for documention