diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45b7e40..2e7ebec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -101,3 +101,5 @@
 * 2.10.0 -- 2026-03-03
 - rds-mysql: add prefix list capability
+* 2.11.0 -- 2026-03-19
+ - it-windows-base: refactor to use prefix lists and a YAML file
diff --git a/common/version.tf b/common/version.tf
index a57e56b..ac684e2 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.10.0"
+ _module_version = "2.11.0"
 }
diff --git a/it-windows-base/README.md b/it-windows-base/README.md
index 56b26b9..ac8d962 100644
--- a/it-windows-base/README.md
+++ b/it-windows-base/README.md
@@ -22,7 +22,7 @@
 | Name | Type |
 |------|------|
-| [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_vpc_security_group_egress_rule.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.cidr_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.prefix_lists](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
diff --git a/it-windows-base/main.tf b/it-windows-base/main.tf
index f442550..ab0a358 100644
--- a/it-windows-base/main.tf
+++ b/it-windows-base/main.tf
@@ -18,31 +18,34 @@ locals {
 locals {
 _sg = yamldecode(file("${path.module}/ports.yml"))
- sg = [merge(sg, { ingress_networks = flatten(distinct(compact(concat(local.ingress_networks, sg.vpc_cidr ? [data.aws_vpc.this_vpc.cidr_block] : [])))) })]
- sg_ingress_prefix_lists = distinct(compact([for sgr in local.sg[0].ingress : try(sgr.prefix_list, null)]))
- sg_egress_prefix_lists = try(distinct(compact([for sgr in local.sg[0].egress : try(sgr.prefix_list, null)])), null)
- sg_c1 = flatten([for k, v in local.sg : [for i in v.ingress : merge(i, {
- key = k,
- label = format("%v:%v:%v", k, i.from, i.proto)
- cidr_blocks = try(i.cidr_blocks, null) == "%%INCOMING%%" ? local.ingress_networks : []
+ sg = merge(local._sg, { ingress_networks = flatten(distinct(compact(concat(local.ingress_networks, var.use_vpc_cidr ? [data.aws_vpc.this_vpc.cidr_block] : [])))) })
+ sg_ingress_prefix_lists = distinct(compact([for sgr in local.sg.ingress : try(sgr.prefix_list, null)]))
+ sg_egress_prefix_lists = try(distinct(compact([for sgr in local.sg.egress : try(sgr.prefix_list, null)])), [])
+ sg_c1 = flatten([for i in local.sg.ingress : merge(i, {
+ key = local.sg.name,
+ # label = format("%v:%v:%v", local.sg.name, i.from, i.proto)
+ label = format("%v:%v:%v", i.from, i.to, i.proto)
+ # cidr_blocks = try(i.cidr_blocks, null) == "%%INCOMING%%" ? local.ingress_networks : []
+ cidr_blocks = try(i.cidr_blocks, [])
 }
- )]])
+ )])
 sg_cidr = flatten([for sg in local.sg_c1 : [for c in sg.cidr_blocks : merge(sg, {
 cidr_label = format("%v:%v", sg.label, c)
 cidr_block = c
 }
 )]])
- sg_sg = flatten([for k, v in local.sg : [for i in try(v.ingress_security_groups, []) : merge(v, {
- key = k,
- label = format("%v:%v", k, i)
+ sg_sg = flatten([for i in try(local.sg.ingress_security_groups, []) : merge(local.sg, {
+ key = local.sg.name,
+ # label = format("%v:%v", local.sg.name, i)
+ label = i
 security_group_name = i
 }
- )]])
+ )])
 sg_pl = flatten([for sg in local.sg_c1 : [for plk, plv in data.aws_ec2_managed_prefix_list.ingress : merge(sg, {
 prefix_list_label = format("%v:%v", sg.label, plk)
 prefix_list_id = plv.id
- }
- )]])
+ }) if try(sg.prefix_list, null) == plk
+ ]])
 }
 data "aws_ec2_managed_prefix_list" "ingress" {
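Review bot: The `%%INCOMING%%` substitution is commented out in `sg_c1` (`cidr_blocks = try(i.cidr_blocks, [])`), so `local.sg.ingress_networks` is still computed in `sg` but nothing in this block consumes it, and a ports.yml entry can no longer be scoped to the module's ingress networks except by hardcoding CIDRs in the YAML. Keeping the placeholder while accepting the new list form would be `cidr_blocks = flatten([for c in try(i.cidr_blocks, []) : c == "%%INCOMING%%" ? local.sg.ingress_networks : [c]])`. A scalar `cidr_blocks:` value (the form the removed `# cidr_blocks: 0.0.0.0/0` comments used) would, as far as I can tell, make the inner `for c in sg.cidr_blocks` in `sg_cidr` fail at plan time rather than yield a rule, which deserves a comment next to the `_sg` line stating that `cidr_blocks` must be a list. The new `if try(sg.prefix_list, null) == plk` filter in `sg_pl` is the right tightening; the commented-out `# label` and `# cidr_blocks` lines above it are dead code that history already preserves.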
@@ -62,24 +65,29 @@ data "aws_ec2_managed_prefix_list" "egress" {
 }
 # create group with just egress. Add all ingress via secondary resource
-resource "aws_security_group" "sg" {
- for_each = local.sg
- name = format("%v-%v", var.name_prefix, each.key)
- description = trimspace(format("%v %v", var.description_prefix, each.value.description))
+#resource "aws_security_group" "sg" {
+resource "aws_security_group" "this_security_group" {
+ # for_each = { for sg in local.sg: sg.name => sg }
+ # name = format("%v-%v", var.name_prefix, each.key)
+ name = local.sg.name
+ # description = trimspace(format("%v %v", var.description_prefix, each.value.description))
+ description = trimspace(local.sg.description)
 vpc_id = var.vpc_id
 tags = merge(
- local.base_tags,
+ # local.base_tags,
 var.tags,
- { "Name" = format("sg-%v-%v", var.name_prefix, each.key) }
+ # { "Name" = format("sg-%v-%v", var.name_prefix, each.key) }
+ { "Name" = format("sg-%v", local.sg.name) }
 )
 }
 # egress: all
 resource "aws_vpc_security_group_egress_rule" "all" {
- for_each = { for k, v in local.sg : k => aws_security_group.sg[k].id }
+ # for_each = { for k, v in local.sg : k => aws_security_group.this_security_group[k].id }
+ # for_each = { for k, v in local.sg : k => aws_security_group.this_security_group.id }
- security_group_id = each.value
+ security_group_id = aws_security_group.this_security_group.id
 description = "ALL"
 ip_protocol = -1
 # cidr_block = local.egress_networks
@@ -89,7 +97,7 @@ resource "aws_vpc_security_group_egress_rule" "all" {
 # ingress: self
 resource "aws_vpc_security_group_ingress_rule" "self" {
- for_each = { for k, v in local.sg : k => aws_security_group.sg[k].id if try(v.self, false) }
+ for_each = try(local.sg.self, false) ? { (local.sg.name) = aws_security_group.this_security_group.id } : {}
 security_group_id = each.value
 description = "self"
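Review bot: Renaming `aws_security_group.sg` (with `for_each`) to the single `aws_security_group.this_security_group` changes the resource address, so an existing deployment would plan a destroy-and-create of the group rather than an in-place update; if the old resource ever made it into state, a `moved` block from `aws_security_group.sg["<old-key>"]` to `aws_security_group.this_security_group` avoids replacing a group that may already be attached to instances. The same hunk drops `local.base_tags` from `tags = merge(...)` by commenting it out, which silently removes whatever the base tags carried; if that is intended, delete the line and say so in the changelog rather than leave it commented. The `#resource`, `# for_each`, `# name`, `# description` and `# { "Name" = ... }` lines here, and the two `# for_each` lines in the egress rule, are dead code that git history already preserves. `var.name_prefix` and `var.description_prefix` are no longer referenced in this file; if nothing else uses them they should be removed from the module interface, and the changelog entry should mention that the group name now comes straight from `ports.yml`.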
@@ -101,17 +109,17 @@ resource "aws_vpc_security_group_ingress_rule" "self" {
 resource "aws_vpc_security_group_ingress_rule" "security_group" {
 for_each = { for x in local.sg_sg : x.label => x }
- security_group_id = aws_security_group.sg[each.value.key].id
+ security_group_id = aws_security_group.this_security_group.id
 description = "self"
 ip_protocol = -1
- referenced_security_group_id = aws_security_group.sg[each.value.security_group_name].id
+ referenced_security_group_id = aws_security_group.this_security_group.id
 }
 # ingress: by cidr_block
 resource "aws_vpc_security_group_ingress_rule" "cidr_block" {
 for_each = { for x in local.sg_cidr : x.cidr_label => x }
- security_group_id = aws_security_group.sg[each.value.key].id
+ security_group_id = aws_security_group.this_security_group.id
 description = each.value.short
 from_port = each.value.from
 to_port = each.value.to
@@ -123,7 +131,7 @@ resource "aws_vpc_security_group_ingress_rule" "cidr_block" {
 resource "aws_vpc_security_group_ingress_rule" "prefix_lists" {
 for_each = { for x in local.sg_pl : x.prefix_list_label => x }
- security_group_id = aws_security_group.sg[each.value.key].id
+ security_group_id = aws_security_group.this_security_group.id
 description = each.value.short
 from_port = each.value.from
 to_port = each.value.to
diff --git a/it-windows-base/ports.yml b/it-windows-base/ports.yml
index a95a9c8..692cf7e 100644
--- a/it-windows-base/ports.yml
+++ b/it-windows-base/ports.yml
@@ -19,24 +19,30 @@ ingress:
 to: -1
 proto: icmp
 short: "ICMP"
- all: true
- # cidr_blocks: 0.0.0.0/0
+# all: true
+ cidr_blocks:
+ - 0.0.0.0/0
 - from: 161
 to: 161
 proto: udp
 short: "SNMP"
- all: true
- # cidr_blocks: 0.0.0.0/0
+ # all: true
+ cidr_blocks:
+ - 0.0.0.0/0
 - from: 5201
 to: 5201
 proto: udp
 short: "iperf3"
- all: true
+ # all: true
+ cidr_blocks:
+ - 0.0.0.0/0
 - from: 5201
 to: 5201
 proto: tcp
 short: "iperf3"
- all: true
+ # all: true
+ cidr_blocks:
+ - 0.0.0.0/0
 - from: 1556
 to: 1556
 proto: tcp
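Review bot: In `aws_vpc_security_group_ingress_rule.security_group`, `referenced_security_group_id` now points at `aws_security_group.this_security_group.id` for every entry, so `each.value.security_group_name` (the `i` from `ingress_security_groups` in `sg_sg`) is never used and each entry becomes an `ip_protocol = -1` rule from the group to itself — duplicating the `self` rule while never granting the group named in the YAML the access that was asked for. Since the module now manages a single group, the name has to resolve to an external group, e.g. through a `data "aws_security_group"` lookup keyed by `each.value.security_group_name`, or by having the YAML carry group ids instead of names; the fixed `description = "self"` then also no longer describes these rules. Replacing `aws_security_group.sg[each.value.key].id` with `aws_security_group.this_security_group.id` for `security_group_id` in the `security_group`, `cidr_block` and `prefix_lists` rules is consistent with the single-group design and needs no change.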
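Review bot: The added `cidr_blocks: - 0.0.0.0/0` entries open ICMP, 161/udp (SNMP) and 5201/tcp+udp (iperf3) to any source on a base Windows security group, and with the `%%INCOMING%%` handling commented out in main.tf in this same commit there is no longer a way to express "the module's ingress networks" in this file. If the removed `all: true` did not already mean world-reachable, this is a widening of exposure that belongs in the changelog entry; if it did, SNMP is the entry most worth narrowing to the ingress networks or to a managed prefix list via the `prefix_list:` key this module now reads. Minor: the ICMP entry's `# all: true` appears to sit at column 0 while the other three keep the list item's indentation.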