v2.1.0: refactor and use sas as the first common module

CHANGELOG.md

@@ -1,6 +1,20 @@
 # CHANGELOG
 
-# v2.0.0 -- 20210528
+* v2.0.0 -- 20210528
   - create a common set of files to not replicate the logic
   - consolidate all the submodules to use the common structure
 
+* v2.1.0 -- 20211021
+  - sas
+    - add sas submodule, which can be used for a general module or a specific application module
+
+## web
+
+* v1.0.0 -- 20210604
+  - add module version, update tags
+
+* v1.1.0 -- 20210915
+  - enable use of ingress_networks and egress_networks for pre-defined port list
+
+* v1.1.1 -- 20210929
+  - fix default egress to be 0/0 for web submodule

common/README.md

@@ -24,22 +24,18 @@ No modules.
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
-| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `"Linux Common Base Security Group"` | no |
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
-| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
-| <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `"it-linux-base"` | no |
-| <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Linux"` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | <pre>{<br>  "CostAllocation": "csvd:infrastructure",<br>  "Environment": "csvd-infrastructure"<br>}</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |
 | <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |

common/data.tf

@@ -6,19 +6,3 @@ data "aws_arn" "current" {
 
 data "aws_region" "current" {}
 
-# output "caller_account_id" {
-#   value = data.aws_caller_identity.current.account_id
-# }
-#
-# output "account_caller_arn" {
-#   value = data.aws_caller_identity.current.arn
-# }
-#
-# output "account_caller_arn_partition" {
-#   value = data.aws_arn.current.partition
-# }
-#
-# output "account_region_name" {
-#   value = data.aws_region.current.name
-# }
-

common/data.vpc.tf

@@ -0,0 +1,14 @@
+data "aws_vpc" "this_vpc" {
+  count = var.use_vpc_cidr ? 1 : 0
+  id    = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+  count = length(var.ingress_security_groups)
+  id    = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+  count = length(var.egress_security_groups)
+  id    = element(var.egress_security_groups, count.index)
+}

common/ports.tf

@@ -6,41 +6,24 @@
 #   cidr_block
 #   list of: all, external (more added as needed)
 
+# example only.  Use your own values as appropraite
+
 locals {
   n_all         = ["0.0.0.0/0"]
   n_census      = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
-  n_mgmt        = ["148.129.162.0/24", "148.129.95.0/24"]
-  n_riverbed    = ["172.24.100.107/32"]
   source_groups = ["all", "external"]
-  name          = var.name
-  ports = [
-    [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
-    [22, 22, "tcp", "SSH", local.n_census, ["external"]],
-    [25, 25, "tcp", "SMTP", local.n_all, ["external"]],
-    [123, 123, "udp", "NTP", local.n_all, ["external"]],
-    [161, 161, "udp", "SNMP", local.n_all, ["external"]],
-    [443, 443, "tcp", "https", local.n_all, ["external"]],
-    [4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"]],
-    [5001, 5003, "tcp", "iperf", local.n_all, ["external"]],
-    [5001, 5003, "udp", "iperf", local.n_all, ["external"]],
-    [5201, 5201, "tcp", "iperf3", local.n_all, ["external"]],
-    [5201, 5201, "udp", "iperf3", local.n_all, ["external"]],
-
-    [1556, 1556, "tcp", "Netbackup", local.n_all, ["external"]],
-    [13724, 13724, "tcp", "Netbackup", local.n_all, ["external"]],
-    [13782, 13782, "tcp", "Netbackup", local.n_all, ["external"]],
-    [10082, 10082, "tcp", "Netbackup-spoold", local.n_all, ["external"]],
-    [10102, 10102, "tcp", "Netbackup-spad", local.n_all, ["external"]],
 
-    [1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23"], ["external"]],
-    [1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"]],
-    [9080, 9080, "tcp", "", [local.n_census[2]], ["external"]],
-    [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]],
+  ports = [
+    [80, 80, "tcp", "http", local.n_census, ["external"]],
+    [443, 443, "tcp", "https", local.n_census, ["external"]],
+    [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
+    [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
   ]
 
-  # these are ignored
-  ingress_networks = var.ingress_networks
-  egress_networks  = var.egress_networks
+  #  ingress_networks = var.ingress_networks
+  ingress_networks = []
+  #  egress_networks  = var.egress_networks
+  egress_networks = local.n_all
 
   # these are ignored
   ingress_sg = var.ingress_security_groups
@@ -52,6 +35,3 @@ locals {
     s => [for p in local.p_map : p if contains(p["source_group"], s)]
   }
 }
-
-# +  sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,8080,8080 range=0.0.0.0/0
-# +  sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,1571,1571 range=0.0.0.0/0

common/resources.tf

@@ -1,38 +1,9 @@
-data "aws_vpc" "this_vpc" {
-  count = var.use_vpc_cidr ? 1 : 0
-  id    = var.vpc_id
-}
-
-data "aws_security_group" "ingress_security_groups" {
-  count = length(var.ingress_security_groups)
-  id    = element(var.ingress_security_groups, count.index)
-}
-
-data "aws_security_group" "egress_security_groups" {
-  count = length(var.egress_security_groups)
-  id    = element(var.egress_security_groups, count.index)
-}
-
-locals {
-  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
-  logs_region         = data.aws_region.current.name
-  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
-
-  base_tags = {
-    "Organization"          = "census:aditcio:csvd"
-    "boc:tf_module_version" = local._module_version
-    "boc:created_by"        = "terraform"
-    "boc:vpc:info"          = join(" ", compact(list(var.vpc_id, var.vpc_full_name)))
-  }
-}
-
 locals {
   vpc_networks              = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
   external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
   ingress_sg_names          = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
   egress_sg_names           = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
   self                      = var.enable_self ? [1] : []
-  short_description         = var.short_description == "" ? var.description : var.short_description
 }
 
 resource "aws_security_group" "this_security_group" {
@@ -49,7 +20,7 @@ resource "aws_security_group" "this_security_group" {
       from_port   = p.value["from"]
       to_port     = p.value["to"]
       protocol    = p.value["proto"]
-      cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+      cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks)))
     }
   }
 
@@ -85,7 +56,7 @@ resource "aws_security_group" "this_security_group" {
     from_port   = 0
     to_port     = 0
     protocol    = -1
-    cidr_blocks = local.egress_networks
+    cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks)))
   }
 
   # egress security group ids (all)
@@ -102,10 +73,10 @@ resource "aws_security_group" "this_security_group" {
   }
 
   tags = merge(
+    map("Name", "sg-${local.name}"),
     var.tags,
     map("boc:created_by", "terraform"),
     map("boc:tf_module_version", local._module_version),
     map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
-    map("Name", "sg-${local.name}"),
   )
 }

common/variables.common.tf

@@ -0,0 +1,41 @@
+variable "enable_self" {
+  description = "Enable|Disable self full access"
+  type        = bool
+  default     = false
+}
+
+variable "use_vpc_cidr" {
+  description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+  type        = bool
+  default     = false
+}
+
+variable "ingress_networks" {
+  description = "List of ingress networks for access (with all pre-defined ingress ports)"
+  type        = list(string)
+  default     = []
+}
+
+variable "egress_networks" {
+  description = "List of egress networks (with all pre-defined egress ports)"
+  type        = list(string)
+  default     = []
+}
+
+variable "ingress_security_groups" {
+  description = "List of ingress security groups for all ports"
+  type        = list(string)
+  default     = []
+}
+
+variable "egress_security_groups" {
+  description = "List of egress security groups (all ports)"
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "Extra security group tags"
+  type        = map
+  default     = {}
+}

common/variables.tf.example

@@ -0,0 +1,19 @@
+# copy this file, and replace it with the appropriate defaults for a module
+
+variable "name" {
+  description = "Security Group Name"
+  type        = string
+#  default     = "REPLACE"
+}
+
+variable "description" {
+  description = "Security Group Description"
+  type        = string
+#  default     = "REPLACE"
+}
+
+variable "short_description" {
+  description = "Security Group Short Description"
+  type        = string
+#  default     = "REPLACE"
+}

common/variables.vpc.tf

@@ -0,0 +1,12 @@
+variable "vpc_id" {
+  description = "VPC ID Number"
+  type        = string
+}
+
+variable "vpc_full_name" {
+  description = "VPC Name"
+  type        = string
+  default     = ""
+}
+
+

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.0.0"
+  _module_version = "2.1.0"
 }