From 3e539f9e7d7b8aa386db4a4206beb4ce6c445ffd Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 21 Oct 2021 14:40:38 -0400 Subject: [PATCH] v2.1.0: refactor and use sas as the first common module --- CHANGELOG.md | 16 +++- common/README.md | 10 +-- common/data.tf | 16 ---- common/data.vpc.tf | 14 ++++ common/ports.tf | 42 +++------- common/resources.tf | 35 +------- common/variables.common.tf | 41 +++++++++ common/variables.tf | 83 ------------------- common/variables.tf.example | 19 +++++ common/variables.vpc.tf | 12 +++ common/version.tf | 2 +- sas/README.md | 119 +++++++++++++++++++++++++++ sas/data.tf | 1 + sas/data.vpc.tf | 1 + sas/logs/fmt.20211021.1634841547.log | 6 ++ sas/main.tf | 74 +++++++++++++++++ sas/output.tf | 1 + sas/ports.tf | 48 +++++++++++ sas/resources.tf | 1 + sas/settings.tf | 7 ++ sas/variables.common.tf | 1 + sas/variables.tf | 19 +++++ sas/variables.vpc.tf | 1 + sas/version.tf | 1 + sas/versions.tf | 1 + 25 files changed, 400 insertions(+), 171 deletions(-) create mode 100644 common/data.vpc.tf create mode 100644 common/variables.common.tf delete mode 100644 common/variables.tf create mode 100644 common/variables.tf.example create mode 100644 common/variables.vpc.tf create mode 100644 sas/README.md create mode 120000 sas/data.tf create mode 120000 sas/data.vpc.tf create mode 100644 sas/logs/fmt.20211021.1634841547.log create mode 100644 sas/main.tf create mode 120000 sas/output.tf create mode 100644 sas/ports.tf create mode 120000 sas/resources.tf create mode 100644 sas/settings.tf create mode 120000 sas/variables.common.tf create mode 100644 sas/variables.tf create mode 120000 sas/variables.vpc.tf create mode 120000 sas/version.tf create mode 120000 sas/versions.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cce8a2..fd239b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,20 @@ # CHANGELOG -# v2.0.0 -- 20210528 +* v2.0.0 -- 20210528 - create a common set of files to not replicate the logic - consolidate all the submodules to use the common structure +* v2.1.0 -- 20211021 + - sas + - add sas submodule, which can be used for a general module or a specific application module + +## web + +* v1.0.0 -- 20210604 + - add module version, update tags + +* v1.1.0 -- 20210915 + - enable use of ingress_networks and egress_networks for pre-defined port list + +* v1.1.1 -- 20210929 + - fix default egress to be 0/0 for web submodule diff --git a/common/README.md b/common/README.md index a04f3b0..6c851f6 100644 --- a/common/README.md +++ b/common/README.md @@ -24,22 +24,18 @@ No modules. | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | -| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | -| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | -| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [name](#input\_name) | Security Group Name | `string` | `"it-linux-base"` | no | -| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Linux"` | no | -| [tags](#input\_tags) | Extra security group tags | `map` | 
{
  "CostAllocation": "csvd:infrastructure",
  "Environment": "csvd-infrastructure"
}
| no | +| [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | diff --git a/common/data.tf b/common/data.tf index 517cde8..7e23a04 100644 --- a/common/data.tf +++ b/common/data.tf @@ -6,19 +6,3 @@ data "aws_arn" "current" { data "aws_region" "current" {} -# output "caller_account_id" { -# value = data.aws_caller_identity.current.account_id -# } -# -# output "account_caller_arn" { -# value = data.aws_caller_identity.current.arn -# } -# -# output "account_caller_arn_partition" { -# value = data.aws_arn.current.partition -# } -# -# output "account_region_name" { -# value = data.aws_region.current.name -# } - diff --git a/common/data.vpc.tf b/common/data.vpc.tf new file mode 100644 index 0000000..bdc98ab --- /dev/null +++ b/common/data.vpc.tf @@ -0,0 +1,14 @@ +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} diff --git a/common/ports.tf b/common/ports.tf index 35102ec..ebb8931 100644 --- a/common/ports.tf +++ b/common/ports.tf @@ -6,41 +6,24 @@ # cidr_block # list of: all, external (more added as needed) +# example only. Use your own values as appropraite + locals { n_all = ["0.0.0.0/0"] n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] - n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"] - n_riverbed = ["172.24.100.107/32"] source_groups = ["all", "external"] - name = var.name - ports = [ - [-1, -1, "icmp", "ICMP", local.n_all, ["external"]], - [22, 22, "tcp", "SSH", local.n_census, ["external"]], - [25, 25, "tcp", "SMTP", local.n_all, ["external"]], - [123, 123, "udp", "NTP", local.n_all, ["external"]], - [161, 161, "udp", "SNMP", local.n_all, ["external"]], - [443, 443, "tcp", "https", local.n_all, ["external"]], - [4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"]], - [5001, 5003, "tcp", "iperf", local.n_all, ["external"]], - [5001, 5003, "udp", "iperf", local.n_all, ["external"]], - [5201, 5201, "tcp", "iperf3", local.n_all, ["external"]], - [5201, 5201, "udp", "iperf3", local.n_all, ["external"]], - - [1556, 1556, "tcp", "Netbackup", local.n_all, ["external"]], - [13724, 13724, "tcp", "Netbackup", local.n_all, ["external"]], - [13782, 13782, "tcp", "Netbackup", local.n_all, ["external"]], - [10082, 10082, "tcp", "Netbackup-spoold", local.n_all, ["external"]], - [10102, 10102, "tcp", "Netbackup-spad", local.n_all, ["external"]], - [1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23"], ["external"]], - [1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"]], - [9080, 9080, "tcp", "", [local.n_census[2]], ["external"]], - [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]], + ports = [ + [80, 80, "tcp", "http", local.n_census, ["external"]], + [443, 443, "tcp", "https", local.n_census, ["external"]], + [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]], + [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]], ] - # these are ignored - ingress_networks = var.ingress_networks - egress_networks = var.egress_networks + # ingress_networks = var.ingress_networks + ingress_networks = [] + # egress_networks = var.egress_networks + egress_networks = local.n_all # these are ignored ingress_sg = var.ingress_security_groups @@ -52,6 +35,3 @@ locals { s => [for p in local.p_map : p if contains(p["source_group"], s)] } } - -# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,8080,8080 range=0.0.0.0/0 -# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,1571,1571 range=0.0.0.0/0 diff --git a/common/resources.tf b/common/resources.tf index 2ad3927..41d3adb 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -1,38 +1,9 @@ -data "aws_vpc" "this_vpc" { - count = var.use_vpc_cidr ? 1 : 0 - id = var.vpc_id -} - -data "aws_security_group" "ingress_security_groups" { - count = length(var.ingress_security_groups) - id = element(var.ingress_security_groups, count.index) -} - -data "aws_security_group" "egress_security_groups" { - count = length(var.egress_security_groups) - id = element(var.egress_security_groups, count.index) -} - -locals { - account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id - logs_region = data.aws_region.current.name - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - - base_tags = { - "Organization" = "census:aditcio:csvd" - "boc:tf_module_version" = local._module_version - "boc:created_by" = "terraform" - "boc:vpc:info" = join(" ", compact(list(var.vpc_id, var.vpc_full_name))) - } -} - locals { vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) self = var.enable_self ? [1] : [] - short_description = var.short_description == "" ? var.description : var.short_description } resource "aws_security_group" "this_security_group" { @@ -49,7 +20,7 @@ resource "aws_security_group" "this_security_group" { from_port = p.value["from"] to_port = p.value["to"] protocol = p.value["proto"] - cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"] + cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks))) } } @@ -85,7 +56,7 @@ resource "aws_security_group" "this_security_group" { from_port = 0 to_port = 0 protocol = -1 - cidr_blocks = local.egress_networks + cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks))) } # egress security group ids (all) @@ -102,10 +73,10 @@ resource "aws_security_group" "this_security_group" { } tags = merge( + map("Name", "sg-${local.name}"), var.tags, map("boc:created_by", "terraform"), map("boc:tf_module_version", local._module_version), map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), - map("Name", "sg-${local.name}"), ) } diff --git a/common/variables.common.tf b/common/variables.common.tf new file mode 100644 index 0000000..d001a04 --- /dev/null +++ b/common/variables.common.tf @@ -0,0 +1,41 @@ +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +variable "ingress_networks" { + description = "List of ingress networks for access (with all pre-defined ingress ports)" + type = list(string) + default = [] +} + +variable "egress_networks" { + description = "List of egress networks (with all pre-defined egress ports)" + type = list(string) + default = [] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = {} +} diff --git a/common/variables.tf b/common/variables.tf deleted file mode 100644 index 8235220..0000000 --- a/common/variables.tf +++ /dev/null @@ -1,83 +0,0 @@ -#--- -# change between different modules as needed -#--- -variable "name" { - description = "Security Group Name" - type = string - default = "it-linux-base" -} - -variable "description" { - description = "Security Group Description" - type = string - default = "Linux Common Base Security Group" -} - -variable "short_description" { - description = "Security Group Short Description" - type = string - default = "Linux" -} - -variable "enable_self" { - description = "Enable|Disable self full access" - type = bool - default = false -} - -variable "use_vpc_cidr" { - description = "Enable|Disable use of VPC CIDR block in the ingress_networks" - type = bool - default = false -} - -#--- -# others with defaults -#--- -variable "vpc_id" { - description = "VPC ID Number" - type = string -} - -data "aws_vpc" "selected" { - id = "${var.vpc_id}" -} - -variable "vpc_full_name" { - description = "VPC Name" - type = string - default = "" -} - -variable "ingress_networks" { - description = "List of ingress networks for external access (not all ports)" - type = list(string) - default = ["0.0.0.0/0"] -} - -variable "egress_networks" { - description = "List of egress networks (all ports)" - type = list(string) - default = ["0.0.0.0/0"] -} - -variable "ingress_security_groups" { - description = "List of ingress security groups for all ports" - type = list(string) - default = [] -} - -variable "egress_security_groups" { - description = "List of egress security groups (all ports)" - type = list(string) - default = [] -} - -variable "tags" { - description = "Extra security group tags" - type = map - default = { - "CostAllocation" = "csvd:infrastructure" - "Environment" = "csvd-infrastructure" - } -} diff --git a/common/variables.tf.example b/common/variables.tf.example new file mode 100644 index 0000000..1738dcf --- /dev/null +++ b/common/variables.tf.example @@ -0,0 +1,19 @@ +# copy this file, and replace it with the appropriate defaults for a module + +variable "name" { + description = "Security Group Name" + type = string +# default = "REPLACE" +} + +variable "description" { + description = "Security Group Description" + type = string +# default = "REPLACE" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string +# default = "REPLACE" +} diff --git a/common/variables.vpc.tf b/common/variables.vpc.tf new file mode 100644 index 0000000..9e52219 --- /dev/null +++ b/common/variables.vpc.tf @@ -0,0 +1,12 @@ +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + + diff --git a/common/version.tf b/common/version.tf index 6b49608..55a44df 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.0.0" + _module_version = "2.1.0" } diff --git a/sas/README.md b/sas/README.md new file mode 100644 index 0000000..d558655 --- /dev/null +++ b/sas/README.md @@ -0,0 +1,119 @@ +# About sas + +This describes how to use the aws-common-security-groups submodule for sas. For use as an application-specific +security group, we recommend enabling `enable_self`, as this will apply so that all servers which hold this +SG are able to communicate with each other. For a moduluar SAS global SG, like `m-sas`, this is not recommended +and will actually be disabled (if the name is empty or `m-{something}`. + +The list of SAS ports is as follows: + +## General Purpose SG + +| Desscription | Protocol | Port Range | Direction | Source | +|------------------|----------|------------|----------------|--------| +| SAS OLAP Server | TCP | 5450-5460 | Inbound | All Client CIDRS:
148.129/16
172.16/12192.168/16
10/8 | +| SAS Environment Manager Dashboard Port (HTTP) | TCP | 7080-7090 | Inbound | | +| SAS Document Conversion | TCP | 7111 | Inbound | | +| SAS Environment Manager Dashboard Secure Port (HTTPS) | TCP | 7443 | Inbound | | +| SAS/CONNECT Spawner Operator | TCP | 7540-7560 | Inbound | | +| SAS/CONNECT Server | TCP | Inbound | | +| SAS Web Server HTTP Port | TCP | 7980-7990 | Inbound | | +| SAS Web Server HTTPS Port | TCP | 8343-8353 | Inbound | | +| SAS Web Application Server HTTPS Server 1 Port | TCP | 8443-8453 | Inbound | | +| Operating System Services Scheduler | TCP | 8451-8461 | Inbound | | +| SAS Metadata, Object Spawner, Workspace and Stored Processs Servers | TCP | 8540-8640 | Inbound | | +| SAS Pooled Workspace Server | TCP | 8701-8711 | Inbound | | +| SAS Object Spanwer - Pooled Workspace Server ports | TCP | 8800-8830 | Inbound | | +| Web Infrastructure Platform Database Server | TCP | 9431-9441 | Inbound | | +| SAS Data Remediation Data Server | TCP | 9831-9841 | Inbound | | + +## Application Specific SG + +| Desscription | Protocol | Port Range | Direction | Source | +|------------------|----------|------------|----------------|--------| +| Server to Server Communication | TCP | * | Inbound | This Security Group | +| Server to Server Communication | UDP | * | Inbound | This Security Group | + +## Usage: General Purpose SAS + +```hcl +module "app_sas" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" + + vpc_id = var.vpc_id + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Usage: Application Specific SG + +```hcl +module "app_sas" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" + + name = "sas-{org}-{app}" + description = "SAS Ports for application {org}-{app}" + short_description = "SAS" + vpc_id = var.vpc_id + enable_self = true + ## optional + # ingress_networks = [ "1.2.3.0/24" ] + # egress_networks = [ "1.2.3.0/24" ] + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | n/a | yes | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | n/a | yes | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | n/a | yes | +| [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/sas/data.tf b/sas/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/sas/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file diff --git a/sas/data.vpc.tf b/sas/data.vpc.tf new file mode 120000 index 0000000..197ea98 --- /dev/null +++ b/sas/data.vpc.tf @@ -0,0 +1 @@ +../common/data.vpc.tf \ No newline at end of file diff --git a/sas/logs/fmt.20211021.1634841547.log b/sas/logs/fmt.20211021.1634841547.log new file mode 100644 index 0000000..ec1a424 --- /dev/null +++ b/sas/logs/fmt.20211021.1634841547.log @@ -0,0 +1,6 @@ +# starting v1.4.4 action fmt file logs/fmt.20211021.1634841547.log stamp 20211021.1634841547 time 1634841547 + +ports.tf +settings.tf +# ending v1.4.4 action fmt file logs/fmt.20211021.1634841547.log stamp 20211021.1634841547 start 1634841547 end 1634841547 elapsed 0 + diff --git a/sas/main.tf b/sas/main.tf new file mode 100644 index 0000000..0ebf769 --- /dev/null +++ b/sas/main.tf @@ -0,0 +1,74 @@ +/* +* # About sas +* +* This describes how to use the aws-common-security-groups submodule for sas. For use as an application-specific +* security group, we recommend enabling `enable_self`, as this will apply so that all servers which hold this +* SG are able to communicate with each other. For a moduluar SAS global SG, like `m-sas`, this is not recommended +* and will actually be disabled (if the name is empty or `m-{something}`. +* +* The list of SAS ports is as follows: +* +* ## General Purpose SG +* +* | Desscription | Protocol | Port Range | Direction | Source | +* |------------------|----------|------------|----------------|--------| +* | SAS OLAP Server | TCP | 5450-5460 | Inbound | All Client CIDRS:
148.129/16
172.16/12192.168/16
10/8 | +* | SAS Environment Manager Dashboard Port (HTTP) | TCP | 7080-7090 | Inbound | | +* | SAS Document Conversion | TCP | 7111 | Inbound | | +* | SAS Environment Manager Dashboard Secure Port (HTTPS) | TCP | 7443 | Inbound | | +* | SAS/CONNECT Spawner Operator | TCP | 7540-7560 | Inbound | | +* | SAS/CONNECT Server | TCP | Inbound | | +* | SAS Web Server HTTP Port | TCP | 7980-7990 | Inbound | | +* | SAS Web Server HTTPS Port | TCP | 8343-8353 | Inbound | | +* | SAS Web Application Server HTTPS Server 1 Port | TCP | 8443-8453 | Inbound | | +* | Operating System Services Scheduler | TCP | 8451-8461 | Inbound | | +* | SAS Metadata, Object Spawner, Workspace and Stored Processs Servers | TCP | 8540-8640 | Inbound | | +* | SAS Pooled Workspace Server | TCP | 8701-8711 | Inbound | | +* | SAS Object Spanwer - Pooled Workspace Server ports | TCP | 8800-8830 | Inbound | | +* | Web Infrastructure Platform Database Server | TCP | 9431-9441 | Inbound | | +* | SAS Data Remediation Data Server | TCP | 9831-9841 | Inbound | | +* +* ## Application Specific SG +* +* | Desscription | Protocol | Port Range | Direction | Source | +* |------------------|----------|------------|----------------|--------| +* | Server to Server Communication | TCP | * | Inbound | This Security Group | +* | Server to Server Communication | UDP | * | Inbound | This Security Group | +* +* ## Usage: General Purpose SAS +* +* ```hcl +* module "app_sas" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" +* +* vpc_id = var.vpc_id +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +* +* ## Usage: Application Specific SG +* +* ```hcl +* module "app_sas" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" +* +* name = "sas-{org}-{app}" +* description = "SAS Ports for application {org}-{app}" +* short_description = "SAS" +* vpc_id = var.vpc_id +* enable_self = true +* ## optional +* # ingress_networks = [ "1.2.3.0/24" ] +* # egress_networks = [ "1.2.3.0/24" ] +* +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +* +*/ + +# all of the code is in resource.tf, this is here for documention + + diff --git a/sas/output.tf b/sas/output.tf new file mode 120000 index 0000000..1297ffd --- /dev/null +++ b/sas/output.tf @@ -0,0 +1 @@ +../common/output.tf \ No newline at end of file diff --git a/sas/ports.tf b/sas/ports.tf new file mode 100644 index 0000000..45bf367 --- /dev/null +++ b/sas/ports.tf @@ -0,0 +1,48 @@ +# ports = list of list of +# from_port +# to_port +# proto +# description +# cidr_block +# list of: all, external (more added as needed) + +locals { + networks = { + "all" = ["0.0.0.0/0"] + "census" = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] + } + source_groups = ["all", "external"] + + name = var.name + ports = [ + [5450, 5460, "tcp", "OLAP Server", local.networks["all"], ["external"]], + [7080, 7090, "tcp", "Environment Manager HTTP", local.networks["all"], ["external"]], + [7111, 7111, "tcp", "Dcoument Conversion", local.networks["all"], ["external"]], + [7443, 7443, "tcp", "Environment Manager HTTPS", local.networks["all"], ["external"]], + [7540, 7560, "tcp", "CONNECT Spawner Operator", local.networks["all"], ["external"]], + # [x, x, "tcp", "CONNECT Server", local.networks["all"], ["external"] ], + [7980, 7990, "tcp", "Web Server HTTP", local.networks["all"], ["external"]], + [8343, 8353, "tcp", "Web Server HTTPS", local.networks["all"], ["external"]], + [8443, 8453, "tcp", "Web Application Server HTTPS", local.networks["all"], ["external"]], + [8451, 8461, "tcp", "OS Services Scheduler", local.networks["all"], ["external"]], + [8540, 8640, "tcp", "Metadata", local.networks["all"], ["external"]], + [8701, 8711, "tcp", "Pooled Workspace", local.networks["all"], ["external"]], + [8800, 8830, "tcp", "Object Spawner", local.networks["all"], ["external"]], + [9431, 9441, "tcp", "Web Infra Platform", local.networks["all"], ["external"]], + [9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]], + [9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]], + ] + + ingress_networks = var.ingress_networks + egress_networks = var.egress_networks + + # these are ignored + ingress_sg = var.ingress_security_groups + egress_sg = var.egress_security_groups + + p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] + p_map = [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { for s in local.source_groups : + s => [for p in local.p_map : p if contains(p["source_group"], s)] + } +} diff --git a/sas/resources.tf b/sas/resources.tf new file mode 120000 index 0000000..6dd8c84 --- /dev/null +++ b/sas/resources.tf @@ -0,0 +1 @@ +../common/resources.tf \ No newline at end of file diff --git a/sas/settings.tf b/sas/settings.tf new file mode 100644 index 0000000..c581597 --- /dev/null +++ b/sas/settings.tf @@ -0,0 +1,7 @@ +locals { + name = var.name != "" ? var.name : "m-sas" + is_modular = length(regexall("^m-", var.name)) > 0 + enable_self = var.enable_self ? ! local.is_modular : var.enable_self + description = var.description != "" ? var.description : format("Security Group for %v", local.name) + short_description = var.short_description != "" ? var.short_description : local.name +} diff --git a/sas/variables.common.tf b/sas/variables.common.tf new file mode 120000 index 0000000..7439ed8 --- /dev/null +++ b/sas/variables.common.tf @@ -0,0 +1 @@ +../common/variables.common.tf \ No newline at end of file diff --git a/sas/variables.tf b/sas/variables.tf new file mode 100644 index 0000000..a2e474b --- /dev/null +++ b/sas/variables.tf @@ -0,0 +1,19 @@ +# copy this file, and replace it with the appropriate defaults for a module + +variable "name" { + description = "Security Group Name" + type = string + # default = "REPLACE" +} + +variable "description" { + description = "Security Group Description" + type = string + # default = "REPLACE" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + # default = "REPLACE" +} diff --git a/sas/variables.vpc.tf b/sas/variables.vpc.tf new file mode 120000 index 0000000..11a6813 --- /dev/null +++ b/sas/variables.vpc.tf @@ -0,0 +1 @@ +../common/variables.vpc.tf \ No newline at end of file diff --git a/sas/version.tf b/sas/version.tf new file mode 120000 index 0000000..b83c5b7 --- /dev/null +++ b/sas/version.tf @@ -0,0 +1 @@ +../common/version.tf \ No newline at end of file diff --git a/sas/versions.tf b/sas/versions.tf new file mode 120000 index 0000000..41bb22f --- /dev/null +++ b/sas/versions.tf @@ -0,0 +1 @@ +../common/versions.tf \ No newline at end of file