From bf8060b92f9231f754e8c74631cb6fa79d709193 Mon Sep 17 00:00:00 2001
From: ashle001
Date: Thu, 27 May 2021 15:53:51 -0400
Subject: [PATCH 1/5] rds-mysql_security-group-module
---
 rds-mysql/CHANGELOG.md | 2 +
 rds-mysql/README.md | 69 +++++++++++++++++++++++
 rds-mysql/main.tf | 121 +++++++++++++++++++++++++++++++++++++++++
 rds-mysql/output.tf | 9 +++
 rds-mysql/ports.tf | 33 +++++++++++
 rds-mysql/variables.tf | 79 +++++++++++++++++++++++++++
 rds-mysql/version.tf | 3 +
 rds-mysql/versions.tf | 4 ++
 8 files changed, 320 insertions(+)
 create mode 100644 rds-mysql/CHANGELOG.md
 create mode 100644 rds-mysql/README.md
 create mode 100644 rds-mysql/main.tf
 create mode 100644 rds-mysql/output.tf
 create mode 100644 rds-mysql/ports.tf
 create mode 100644 rds-mysql/variables.tf
 create mode 100644 rds-mysql/version.tf
 create mode 100644 rds-mysql/versions.tf
diff --git a/rds-mysql/CHANGELOG.md b/rds-mysql/CHANGELOG.md
new file mode 100644
index 0000000..bc7fc37
--- /dev/null
+++ b/rds-mysql/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210421
+ - add module version, update tags
diff --git a/rds-mysql/README.md b/rds-mysql/README.md
new file mode 100644
index 0000000..9cc7a1d
--- /dev/null
+++ b/rds-mysql/README.md
@@ -0,0 +1,69 @@ +# About rds-postgres + +This describes how to use the aws-common-security-groups submodule for rds-postgres. + +Default and auxilliary ports are included in this. They are opened to everything. + +## Usage + +```hcl +module "postgres" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres" + + vpc_id = var.vpc_id + ## optional + # name = "m-postgres-db" + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"RDS PostgreSQL Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-postgres-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"PostgreSQL"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/rds-mysql/main.tf b/rds-mysql/main.tf new file mode 100644 index 0000000..df214b3 --- /dev/null +++ b/rds-mysql/main.tf 
@@ -0,0 +1,121 @@ +/** +* # About rds-mysql +* +* This describes how to use the aws-common-security-groups submodule for rds-mysql. +* +* Default and auxilliary ports are included in this. They are opened to everything. +* +* ## Usage +* +* ```hcl +* module "mysql" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql" +* +* vpc_id = var.vpc_id +* ## optional +* # name = "m-mysql-db" +* +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +*/ + +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} + +locals { + vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] + external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) + ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) + egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) + self = var.enable_self ? [1] : [] + short_description = var.short_description == "" ? var.description : var.short_description +} + +resource "aws_security_group" "this_security_group" { + name = local.name + description = var.description + vpc_id = var.vpc_id + + # ingresss external port list (list + vpc if enabaled) + dynamic "ingress" { + for_each = local.port_map["external"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? 
local.external_ingress_networks : p.value["cidr"] + } + } + + # ingress security group ids (all) + dynamic "ingress" { + for_each = local.ingress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg.value] + } + } + + # ingress self (list with one or zero items) + dynamic "ingress" { + for_each = local.self + iterator = sg + content { + description = "${local.short_description}: from self" + from_port = 0 + to_port = 0 + protocol = -1 + self = true + } + } + + # egress all + egress { + description = "${local.short_description}: All" + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = local.egress_networks + } + + # egress security group ids (all) + dynamic "egress" { + for_each = local.egress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.egress_sg_names[sg]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg] + } + } + + tags = merge( + map("Name", "sg-${local.name}"), + var.tags, + map("boc:created_by", "terraform"), + map("boc:tf_module_version", local._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), + ) +} diff --git a/rds-mysql/output.tf b/rds-mysql/output.tf new file mode 100644 index 0000000..fbdd35a --- /dev/null +++ b/rds-mysql/output.tf @@ -0,0 +1,9 @@ +output "this_security_group_id" { + description = "Created security group ID" + value = aws_security_group.this_security_group.id +} + +output "this_security_group_arn" { + description = "Created security group ARN" + value = aws_security_group.this_security_group.arn +} diff --git a/rds-mysql/ports.tf b/rds-mysql/ports.tf new file mode 100644 index 0000000..b7e21a7 --- /dev/null +++ b/rds-mysql/ports.tf 
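Review bot: The second `dynamic "egress"` block in rds-mysql/main.tf indexes `local.egress_sg_names[sg]` and sets `security_groups = [sg]`, but with `iterator = sg` the name `sg` is the iterator object, not the list element, so the map lookup and the list fail at plan time as soon as `egress_security_groups` is non-empty (the default `[]` hides it). The ingress block a few lines above gets this right; the egress one should read `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. The same block is copied verbatim into rds-maria/main.tf in patch 5 and needs the same fix.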
@@ -0,0 +1,33 @@ +# ports = list of list of +# from_port +# to_port +# proto +# description +# cidr_block +# list of: all, external (more added as needed) + +locals { + description = "module: PostgreSQL common ports" + n_all = ["0.0.0.0/0"] + n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] + source_groups = ["all", "external"] + + name = var.name + ports = [ + [3356, 3356, "tcp", "mysql-db", local.n_census, ["external"]], + ] + + # these are ignored + ingress_networks = var.ingress_networks + egress_networks = var.egress_networks + + # these are ignored + ingress_sg = var.ingress_security_groups + egress_sg = var.egress_security_groups + + p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] + p_map = [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { for s in local.source_groups : + s => [for p in local.p_map : p if contains(p["source_group"], s)] + } +} diff --git a/rds-mysql/variables.tf b/rds-mysql/variables.tf new file mode 100644 index 0000000..f9b8a68 --- /dev/null +++ b/rds-mysql/variables.tf 
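Review bot: The `ingress_networks` and `use_vpc_cidr` inputs never influence the only rule this module emits, because the single `mysql-db` entry in `ports` carries `local.n_census` as its cidr list and main.tf falls back to `local.external_ingress_networks` only when that list is empty; the README's "opened to everything" and the variable descriptions overstate what a caller can change, and the `# these are ignored` comment above `ingress_networks` is wrong in the other direction since main.tf does read `local.ingress_networks`. I'd replace that comment with `# passed through to main.tf: used only for port entries whose cidr list is empty`. Separately, `source_groups` declares `"all"`, but main.tf iterates only `local.port_map["external"]`, so an entry tagged `["all"]` silently produces no rule; either drop `"all"` or add a second dynamic ingress block over `local.port_map["all"]`. rds-maria/ports.tf in patch 5 has the same layout.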
@@ -0,0 +1,79 @@ +#--- +# change between different modules as needed +#--- +variable "name" { + description = "Security Group Name" + type = string + default = "m-mysql-db" +} + +variable "description" { + description = "Security Group Description" + type = string + default = "MySQL Security Group" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + default = "MySQL" +} + +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +#--- +# others with defaults +#--- +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + +variable "ingress_networks" { + description = "List of ingress networks for external access (not all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "egress_networks" { + description = "List of egress networks (all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = { + "CostAllocation" = "csvd:infrastructure" + "Environment" = "csvd-infrastructure" + } +} diff --git a/rds-mysql/version.tf b/rds-mysql/version.tf new file mode 100644 index 0000000..fa2705b --- /dev/null +++ b/rds-mysql/version.tf @@ -0,0 +1,3 @@ +locals { + _module_version = "1.0.0" +} diff --git a/rds-mysql/versions.tf b/rds-mysql/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/rds-mysql/versions.tf 
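Review bot: `egress_networks` defaults to `["0.0.0.0/0"]`, and main.tf applies it unconditionally in the all-protocol egress rule, so every database security group built from this module allows egress to the whole internet unless the caller overrides it; `ingress_networks` has the same default and would do the same for any future port entry with an empty cidr list. For a module whose one shipped rule is already restricted to internal ranges, `default = []` on both with an explicit opt-in is the safer baseline, and the descriptions should say that the value is only consulted for entries without their own cidr list. `type = map` on `tags` is the untyped legacy form; `type = map(string)` keeps the `merge()` in main.tf from receiving non-string values. rds-maria/variables.tf in patch 5 repeats all of this.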
@@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} From 5fb9253f66a69d4e78b20fab31facd7c1dfb9b61 Mon Sep 17 00:00:00 2001 From: Roy D Ashley Jr Date: Thu, 27 May 2021 15:55:59 -0400 Subject: [PATCH 2/5] Update CHANGELOG.md --- rds-mysql/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rds-mysql/CHANGELOG.md b/rds-mysql/CHANGELOG.md index bc7fc37..bed4f16 100644 --- a/rds-mysql/CHANGELOG.md +++ b/rds-mysql/CHANGELOG.md @@ -1,2 +1,2 @@ -# v1.0.0 -- 20210421 +# v1.0.0 -- 20210527 - add module version, update tags From 48ea19d389c2c94d6a73c2d721aa10f3c4afc2ac Mon Sep 17 00:00:00 2001 From: Roy D Ashley Jr Date: Thu, 27 May 2021 16:00:20 -0400 Subject: [PATCH 3/5] Update README.md --- rds-mysql/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rds-mysql/README.md b/rds-mysql/README.md index 9cc7a1d..80b54bd 100644 --- a/rds-mysql/README.md +++ b/rds-mysql/README.md @@ -1,18 +1,18 @@ -# About rds-postgres +# About rds-mysql -This describes how to use the aws-common-security-groups submodule for rds-postgres. +This describes how to use the aws-common-security-groups submodule for rds-mysql. Default and auxilliary ports are included in this. They are opened to everything. ## Usage ```hcl -module "postgres" { - source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres" +module "mysql" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql" vpc_id = var.vpc_id ## optional - # name = "m-postgres-db" + # name = "m-mysql-db" ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden # tags = { } 
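Review bot: `required_version = ">= 0.12"` has no upper bound, yet main.tf in this same patch builds `tags` with `map()` and `list()`, which Terraform deprecated in 0.13 and removed in 0.15, so the module fails at plan on any current Terraform. Either pin the range, `required_version = ">= 0.12, < 0.15"`, or rewrite the tags `merge()` with literal `{ ... }` maps and a `[var.vpc_id, var.vpc_full_name]` list so the constraint can stay open. There is also no `required_providers` entry for aws, so the provider version is unconstrained. rds-maria/versions.tf in patch 5 is byte-identical and has the same problem.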
@@ -48,14 +48,14 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"RDS PostgreSQL Security Group"` | no | +| [description](#input\_description) | Security Group Description | `string` | `"RDS MySQL Security Group"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [name](#input\_name) | Security Group Name | `string` | `"m-postgres-db"` | no | -| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"PostgreSQL"` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-mysql-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MySQL"` | no | | [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | From 2c0a14064a884fc773ff81cbffd10f749d2e9366 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 28 May 2021 07:47:40 -0400 Subject: [PATCH 4/5] change port to default 3306 --- rds-mysql/README.md | 2 +- rds-mysql/main.tf | 2 +- rds-mysql/ports.tf | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rds-mysql/README.md b/rds-mysql/README.md index 80b54bd..4439a8d 100644 --- a/rds-mysql/README.md +++ b/rds-mysql/README.md @@ -48,7 +48,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"RDS MySQL Security Group"` | no | +| [description](#input\_description) | Security Group Description | `string` | `"MySQL Security Group"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | diff --git a/rds-mysql/main.tf b/rds-mysql/main.tf index df214b3..6204dc4 100644 --- a/rds-mysql/main.tf +++ b/rds-mysql/main.tf @@ -1,4 +1,4 @@ -/** +/* * # About rds-mysql * * This describes how to use the aws-common-security-groups submodule for rds-mysql. diff --git a/rds-mysql/ports.tf b/rds-mysql/ports.tf index b7e21a7..7fc84c3 100644 --- a/rds-mysql/ports.tf +++ b/rds-mysql/ports.tf @@ -7,14 +7,14 @@ # list of: all, external (more added as needed) locals { - description = "module: PostgreSQL common ports" + description = "module: MySQL common ports" n_all = ["0.0.0.0/0"] n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] source_groups = ["all", "external"] name = var.name ports = [ - [3356, 3356, "tcp", "mysql-db", local.n_census, ["external"]], + [3306, 3306, "tcp", "mysql-db", local.n_census, ["external"]], ] # these are ignored From 90cc30527346ba7bfb67eec4475d1df22c533a02 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 28 May 2021 10:27:24 -0400 Subject: [PATCH 5/5] add rds-maria --- rds-maria/CHANGELOG.md | 2 + rds-maria/README.md | 69 +++++++++++++++++++++++ rds-maria/main.tf | 121 +++++++++++++++++++++++++++++++++++++++++ rds-maria/output.tf | 9 +++ rds-maria/ports.tf | 33 +++++++++++ rds-maria/variables.tf | 79 +++++++++++++++++++++++++++ rds-maria/version.tf | 3 + rds-maria/versions.tf | 4 ++ 8 files changed, 320 insertions(+) create mode 100644 rds-maria/CHANGELOG.md create mode 100644 rds-maria/README.md create mode 100644 rds-maria/main.tf create mode 100644 rds-maria/output.tf create mode 100644 rds-maria/ports.tf create mode 100644 rds-maria/variables.tf create mode 100644 rds-maria/version.tf create mode 100644 rds-maria/versions.tf 
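Review bot: The port correction in rds-mysql/ports.tf changes the only CIDR ingress rule the module creates, but `_module_version` in version.tf stays at `1.0.0` and CHANGELOG.md is not touched, so a deployed group's `boc:tf_module_version` tag cannot tell a 3356 build from a 3306 build; a `# v1.0.1 -- 20210528` entry such as `- fix mysql-db port 3306` (wording constructed) and a matching bump would close that gap. The renamed `description` local in the same hunk is never referenced — main.tf sets the security group description from `var.description` — so the change has no runtime effect; either delete the local or wire it into the resource.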
diff --git a/rds-maria/CHANGELOG.md b/rds-maria/CHANGELOG.md
new file mode 100644
index 0000000..d8a2e53
--- /dev/null
+++ b/rds-maria/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210528
+ - add module version, update tags
diff --git a/rds-maria/README.md b/rds-maria/README.md
new file mode 100644
index 0000000..5d98c50
--- /dev/null
+++ b/rds-maria/README.md
@@ -0,0 +1,69 @@ +# About rds-maria + +This describes how to use the aws-common-security-groups submodule for rds-maria. + +Default and auxilliary ports are included in this. They are opened to everything. + +## Usage + +```hcl +module "maria" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria" + + vpc_id = var.vpc_id + ## optional + # name = "m-maria-db" + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"MariaDB Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-maria-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MariaDB"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/rds-maria/main.tf b/rds-maria/main.tf new file mode 100644 index 0000000..dc04635 --- /dev/null +++ b/rds-maria/main.tf 
@@ -0,0 +1,121 @@ +/* +* # About rds-maria +* +* This describes how to use the aws-common-security-groups submodule for rds-maria. +* +* Default and auxilliary ports are included in this. They are opened to everything. +* +* ## Usage +* +* ```hcl +* module "maria" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria" +* +* vpc_id = var.vpc_id +* ## optional +* # name = "m-maria-db" +* +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +*/ + +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} + +locals { + vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] + external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) + ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) + egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) + self = var.enable_self ? [1] : [] + short_description = var.short_description == "" ? var.description : var.short_description +} + +resource "aws_security_group" "this_security_group" { + name = local.name + description = var.description + vpc_id = var.vpc_id + + # ingresss external port list (list + vpc if enabaled) + dynamic "ingress" { + for_each = local.port_map["external"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? 
local.external_ingress_networks : p.value["cidr"] + } + } + + # ingress security group ids (all) + dynamic "ingress" { + for_each = local.ingress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg.value] + } + } + + # ingress self (list with one or zero items) + dynamic "ingress" { + for_each = local.self + iterator = sg + content { + description = "${local.short_description}: from self" + from_port = 0 + to_port = 0 + protocol = -1 + self = true + } + } + + # egress all + egress { + description = "${local.short_description}: All" + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = local.egress_networks + } + + # egress security group ids (all) + dynamic "egress" { + for_each = local.egress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.egress_sg_names[sg]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg] + } + } + + tags = merge( + map("Name", "sg-${local.name}"), + var.tags, + map("boc:created_by", "terraform"), + map("boc:tf_module_version", local._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), + ) +} diff --git a/rds-maria/output.tf b/rds-maria/output.tf new file mode 100644 index 0000000..fbdd35a --- /dev/null +++ b/rds-maria/output.tf @@ -0,0 +1,9 @@ +output "this_security_group_id" { + description = "Created security group ID" + value = aws_security_group.this_security_group.id +} + +output "this_security_group_arn" { + description = "Created security group ARN" + value = aws_security_group.this_security_group.arn +} diff --git a/rds-maria/ports.tf b/rds-maria/ports.tf new file mode 100644 index 0000000..f722a8c --- /dev/null +++ b/rds-maria/ports.tf 
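Review bot: The `# egress all` block in rds-maria/main.tf is emitted unconditionally with `cidr_blocks = local.egress_networks`, so the only way to suppress world egress is `egress_networks = []`, which then yields an egress rule with no destination at all; as far as I recall the AWS provider rejects a rule with neither cidr_blocks nor security_groups, so a caller cannot actually turn this off. Gating it on the list like the `self` rule keeps the default behaviour and makes the empty-list case valid. The file is otherwise a verbatim copy of rds-mysql/main.tf, so any fix landed there should be applied here in the same change.
```hcl
  # egress all (emitted only when a destination list is supplied)
  dynamic "egress" {
    for_each = length(local.egress_networks) > 0 ? [1] : []
    content {
      description = "${local.short_description}: All"
      from_port   = 0
      to_port     = 0
      protocol    = -1
      cidr_blocks = local.egress_networks
    }
  }
  # … unchanged: egress security group block, tags …
```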
@@ -0,0 +1,33 @@ +# ports = list of list of +# from_port +# to_port +# proto +# description +# cidr_block +# list of: all, external (more added as needed) + +locals { + description = "module: MariaDB common ports" + n_all = ["0.0.0.0/0"] + n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] + source_groups = ["all", "external"] + + name = var.name + ports = [ + [3306, 3306, "tcp", "maria-db", local.n_census, ["external"]], + ] + + # these are ignored + ingress_networks = var.ingress_networks + egress_networks = var.egress_networks + + # these are ignored + ingress_sg = var.ingress_security_groups + egress_sg = var.egress_security_groups + + p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] + p_map = [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { for s in local.source_groups : + s => [for p in local.p_map : p if contains(p["source_group"], s)] + } +} diff --git a/rds-maria/variables.tf b/rds-maria/variables.tf new file mode 100644 index 0000000..b91227c --- /dev/null +++ b/rds-maria/variables.tf 
@@ -0,0 +1,79 @@ +#--- +# change between different modules as needed +#--- +variable "name" { + description = "Security Group Name" + type = string + default = "m-maria-db" +} + +variable "description" { + description = "Security Group Description" + type = string + default = "MariaDB Security Group" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + default = "MariaDB" +} + +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +#--- +# others with defaults +#--- +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + +variable "ingress_networks" { + description = "List of ingress networks for external access (not all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "egress_networks" { + description = "List of egress networks (all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = { + "CostAllocation" = "csvd:infrastructure" + "Environment" = "csvd-infrastructure" + } +} diff --git a/rds-maria/version.tf b/rds-maria/version.tf new file mode 100644 index 0000000..fa2705b --- /dev/null +++ b/rds-maria/version.tf @@ -0,0 +1,3 @@ +locals { + _module_version = "1.0.0" +} diff --git a/rds-maria/versions.tf b/rds-maria/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/rds-maria/versions.tf 
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}