diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cce8a2..fd239b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,20 @@ # CHANGELOG -# v2.0.0 -- 20210528 +* v2.0.0 -- 20210528 - create a common set of files to not replicate the logic - consolidate all the submodules to use the common structure +* v2.1.0 -- 20211021 + - sas + - add sas submodule, which can be used for a general module or a specific application module + +## web + +* v1.0.0 -- 20210604 + - add module version, update tags + +* v1.1.0 -- 20210915 + - enable use of ingress_networks and egress_networks for pre-defined port list + +* v1.1.1 -- 20210929 + - fix default egress to be 0/0 for web submodule diff --git a/common/README.md b/common/README.md index a04f3b0..6c851f6 100644 --- a/common/README.md +++ b/common/README.md @@ -24,22 +24,18 @@ No modules. | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | -| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | -| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[| no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | -| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [name](#input\_name) | Security Group Name | `string` | `"it-linux-base"` | no | -| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Linux"` | no | -| [tags](#input\_tags) | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
+| [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |
| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
diff --git a/common/data.tf b/common/data.tf
index 517cde8..7e23a04 100644
--- a/common/data.tf
+++ b/common/data.tf
@@ -6,19 +6,3 @@ data "aws_arn" "current" {
data "aws_region" "current" {}
-# output "caller_account_id" {
-# value = data.aws_caller_identity.current.account_id
-# }
-#
-# output "account_caller_arn" {
-# value = data.aws_caller_identity.current.arn
-# }
-#
-# output "account_caller_arn_partition" {
-# value = data.aws_arn.current.partition
-# }
-#
-# output "account_region_name" {
-# value = data.aws_region.current.name
-# }
-
diff --git a/common/data.vpc.tf b/common/data.vpc.tf
new file mode 100644
index 0000000..bdc98ab
--- /dev/null
+++ b/common/data.vpc.tf
@@ -0,0 +1,14 @@
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
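Review bot: `element(var.ingress_security_groups, count.index)` (and its egress twin below) wraps the index modulo the list length, which hides an index mismatch rather than reporting it; with `count = length(...)` the direct form `id = var.ingress_security_groups[count.index]` states the intent, and the `element` docs themselves reserve that function for the wrap-around case. A one-line header such as `# Data lookups for the VPC CIDR and the caller-supplied security groups consumed by resources.tf` would also help, since the file is new and otherwise uncommented.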
diff --git a/common/ports.tf b/common/ports.tf
index 35102ec..ebb8931 100644
--- a/common/ports.tf
+++ b/common/ports.tf
@@ -6,41 +6,24 @@
# cidr_block
# list of: all, external (more added as needed)
+# example only. Use your own values as appropraite
+
locals {
n_all = ["0.0.0.0/0"]
n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
- n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
- n_riverbed = ["172.24.100.107/32"]
source_groups = ["all", "external"]
- name = var.name
- ports = [
- [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
- [22, 22, "tcp", "SSH", local.n_census, ["external"]],
- [25, 25, "tcp", "SMTP", local.n_all, ["external"]],
- [123, 123, "udp", "NTP", local.n_all, ["external"]],
- [161, 161, "udp", "SNMP", local.n_all, ["external"]],
- [443, 443, "tcp", "https", local.n_all, ["external"]],
- [4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"]],
- [5001, 5003, "tcp", "iperf", local.n_all, ["external"]],
- [5001, 5003, "udp", "iperf", local.n_all, ["external"]],
- [5201, 5201, "tcp", "iperf3", local.n_all, ["external"]],
- [5201, 5201, "udp", "iperf3", local.n_all, ["external"]],
-
- [1556, 1556, "tcp", "Netbackup", local.n_all, ["external"]],
- [13724, 13724, "tcp", "Netbackup", local.n_all, ["external"]],
- [13782, 13782, "tcp", "Netbackup", local.n_all, ["external"]],
- [10082, 10082, "tcp", "Netbackup-spoold", local.n_all, ["external"]],
- [10102, 10102, "tcp", "Netbackup-spad", local.n_all, ["external"]],
- [1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23"], ["external"]],
- [1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"]],
- [9080, 9080, "tcp", "", [local.n_census[2]], ["external"]],
- [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]],
+ ports = [
+ [80, 80, "tcp", "http", local.n_census, ["external"]],
+ [443, 443, "tcp", "https", local.n_census, ["external"]],
+ [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
+ [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
]
- # these are ignored
- ingress_networks = var.ingress_networks
- egress_networks = var.egress_networks
+ # ingress_networks = var.ingress_networks
+ ingress_networks = []
+ # egress_networks = var.egress_networks
+ egress_networks = local.n_all
# these are ignored
ingress_sg = var.ingress_security_groups
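Review bot: `egress_networks = local.n_all` at the end of the new locals pins 0.0.0.0/0 as the module's egress list, and because the egress rule in resources.tf concatenates it with `var.egress_networks`, a caller passing a narrower list changes nothing — egress is always wide open. If that is the intended default for this template, say so on the line, e.g. `# unrestricted by default; var.egress_networks can only add to this list, never narrow it`; if callers should be able to restrict egress, use `egress_networks = []` here so the variable governs. The same hunk drops `name = var.name`, but resources.tf still reads `local.name` in its tags merge, so unless a per-module file defines that local the common set no longer validates. The new header comment also misspells "appropriate" as "appropraite", and the locals block continues past the hunk.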
@@ -52,6 +35,3 @@ locals {
s => [for p in local.p_map : p if contains(p["source_group"], s)]
}
}
-
-# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,8080,8080 range=0.0.0.0/0
-# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,1571,1571 range=0.0.0.0/0
diff --git a/common/resources.tf b/common/resources.tf
index 2ad3927..41d3adb 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -1,38 +1,9 @@
-data "aws_vpc" "this_vpc" {
- count = var.use_vpc_cidr ? 1 : 0
- id = var.vpc_id
-}
-
-data "aws_security_group" "ingress_security_groups" {
- count = length(var.ingress_security_groups)
- id = element(var.ingress_security_groups, count.index)
-}
-
-data "aws_security_group" "egress_security_groups" {
- count = length(var.egress_security_groups)
- id = element(var.egress_security_groups, count.index)
-}
-
-locals {
- account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
- logs_region = data.aws_region.current.name
- account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
-
- base_tags = {
- "Organization" = "census:aditcio:csvd"
- "boc:tf_module_version" = local._module_version
- "boc:created_by" = "terraform"
- "boc:vpc:info" = join(" ", compact(list(var.vpc_id, var.vpc_full_name)))
- }
-}
-
locals {
vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
self = var.enable_self ? [1] : []
- short_description = var.short_description == "" ? var.description : var.short_description
}
resource "aws_security_group" "this_security_group" {
@@ -49,7 +20,7 @@ resource "aws_security_group" "this_security_group" {
from_port = p.value["from"]
to_port = p.value["to"]
protocol = p.value["proto"]
- cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks)))
}
}
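Review bot: `use_vpc_cidr` no longer reaches most rules: `local.external_ingress_networks`, the only place the VPC CIDR is folded in, is used solely in the branch where a port has an empty `cidr` list, and every entry in the new ports.tf list sets `local.n_census`, so enabling the flag adds nothing to those rules while the variable's description promises the VPC CIDR "in the ingress_networks". Either fold `local.vpc_networks` into both branches or document that limitation on the variable. The two branches differ only in their first operand, so the line reads more clearly as `cidr_blocks = distinct(flatten(compact(concat(length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"], var.ingress_networks))))`, where `distinct` also drops a CIDR that appears both in the port's own list and in `var.ingress_networks`, which the AWS API may reject as a duplicate permission. The dynamic block this line belongs to starts and ends outside the hunk.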
@@ -85,7 +56,7 @@ resource "aws_security_group" "this_security_group" {
from_port = 0
to_port = 0
protocol = -1
- cidr_blocks = local.egress_networks
+ cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks)))
}
# egress security group ids (all)
@@ -102,10 +73,10 @@ resource "aws_security_group" "this_security_group" {
}
tags = merge(
+ map("Name", "sg-${local.name}"),
var.tags,
map("boc:created_by", "terraform"),
map("boc:tf_module_version", local._module_version),
map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
- map("Name", "sg-${local.name}"),
)
}
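Review bot: Moving `map("Name", "sg-${local.name}")` to the head of the merge means a caller-supplied `Name` key in `var.tags` now silently replaces the module-generated name, whereas before the module's value always won; if that is intended, state it in the `tags` variable description, otherwise keep the entry as the last argument. `map()` and `list()` (also used on the `boc:vpc:info` line) were deprecated in Terraform 0.12 and removed in 0.15, so the moved line is better written as `{ Name = "sg-${local.name}" }`. The `local.name` it reads has no definition visible on this page once ports.tf drops `name = var.name`; confirm a per-module file supplies it. The resource block continues outside the hunk.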
diff --git a/common/variables.common.tf b/common/variables.common.tf
new file mode 100644
index 0000000..d001a04
--- /dev/null
+++ b/common/variables.common.tf
@@ -0,0 +1,41 @@
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for access (with all pre-defined ingress ports)"
+ type = list(string)
+ default = []
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (with all pre-defined egress ports)"
+ type = list(string)
+ default = []
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {}
+}
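Review bot: The `ingress_networks` description does not say how the list combines with the per-port CIDRs: resources.tf appends it to every pre-defined port's own source list, so a CIDR given here widens every rule rather than replacing a port's defaults. Suggest `description = "Extra source CIDRs appended to every pre-defined ingress port, in addition to each port's own list"` and the mirror wording for `egress_networks`, whose entries likewise only add to the module's egress list. `tags` is declared as bare `map`, which leaves the value type open; `map(string)` matches what the tag merge in resources.tf produces. If the module targets Terraform 0.13 or later, a `validation` block checking each entry of the two network lists with `can(cidrhost(c, 0))` would catch a malformed CIDR at plan time instead of at the AWS API.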
diff --git a/common/variables.tf b/common/variables.tf
deleted file mode 100644
index 8235220..0000000
--- a/common/variables.tf
+++ /dev/null
@@ -1,83 +0,0 @@
-#---
-# change between different modules as needed
-#---
-variable "name" {
- description = "Security Group Name"
- type = string
- default = "it-linux-base"
-}
-
-variable "description" {
- description = "Security Group Description"
- type = string
- default = "Linux Common Base Security Group"
-}
-
-variable "short_description" {
- description = "Security Group Short Description"
- type = string
- default = "Linux"
-}
-
-variable "enable_self" {
- description = "Enable|Disable self full access"
- type = bool
- default = false
-}
-
-variable "use_vpc_cidr" {
- description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
- type = bool
- default = false
-}
-
-#---
-# others with defaults
-#---
-variable "vpc_id" {
- description = "VPC ID Number"
- type = string
-}
-
-data "aws_vpc" "selected" {
- id = "${var.vpc_id}"
-}
-
-variable "vpc_full_name" {
- description = "VPC Name"
- type = string
- default = ""
-}
-
-variable "ingress_networks" {
- description = "List of ingress networks for external access (not all ports)"
- type = list(string)
- default = ["0.0.0.0/0"]
-}
-
-variable "egress_networks" {
- description = "List of egress networks (all ports)"
- type = list(string)
- default = ["0.0.0.0/0"]
-}
-
-variable "ingress_security_groups" {
- description = "List of ingress security groups for all ports"
- type = list(string)
- default = []
-}
-
-variable "egress_security_groups" {
- description = "List of egress security groups (all ports)"
- type = list(string)
- default = []
-}
-
-variable "tags" {
- description = "Extra security group tags"
- type = map
- default = {
- "CostAllocation" = "csvd:infrastructure"
- "Environment" = "csvd-infrastructure"
- }
-}
diff --git a/common/variables.tf.example b/common/variables.tf.example
new file mode 100644
index 0000000..1738dcf
--- /dev/null
+++ b/common/variables.tf.example
@@ -0,0 +1,19 @@
+# copy this file, and replace it with the appropriate defaults for a module
+
+variable "name" {
+ description = "Security Group Name"
+ type = string
+# default = "REPLACE"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+# default = "REPLACE"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+# default = "REPLACE"
+}
diff --git a/common/variables.vpc.tf b/common/variables.vpc.tf
new file mode 100644
index 0000000..9e52219
--- /dev/null
+++ b/common/variables.vpc.tf
@@ -0,0 +1,12 @@
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+
diff --git a/common/version.tf b/common/version.tf
index 6b49608..55a44df 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.0.0"
+ _module_version = "2.1.0"
}
diff --git a/sas/README.md b/sas/README.md
new file mode 100644
index 0000000..d558655
--- /dev/null
+++ b/sas/README.md
@@ -0,0 +1,119 @@
+# About sas
+
+This describes how to use the aws-common-security-groups submodule for sas. For use as an application-specific
+security group, we recommend enabling `enable_self`, as this will apply so that all servers which hold this
+SG are able to communicate with each other. For a moduluar SAS global SG, like `m-sas`, this is not recommended
+and will actually be disabled (if the name is empty or `m-{something}`.
+
+The list of SAS ports is as follows:
+
+## General Purpose SG
+
+| Desscription | Protocol | Port Range | Direction | Source |
+|------------------|----------|------------|----------------|--------|
+| SAS OLAP Server | TCP | 5450-5460 | Inbound | All Client CIDRS: