From 6c6a7b8a99e066220ec5d00e9d43ab1ffdd0026b Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 28 May 2021 10:23:13 -0400
Subject: [PATCH 1/9] start refactor
---
 CHANGELOG.md | 6 +++
 common/data.tf | 24 ++++++++++
 common/output.tf | 9 ++++
 common/ports.tf | 57 +++++++++++++++++++++++
 common/resources.tf | 111 ++++++++++++++++++++++++++++++++++++++++++++
 common/variables.tf | 83 +++++++++++++++++++++++++++++++++
 common/version.tf | 3 ++
 common/versions.tf | 4 ++
 8 files changed, 297 insertions(+)
 create mode 100644 CHANGELOG.md
 create mode 100644 common/data.tf
 create mode 100644 common/output.tf
 create mode 100644 common/ports.tf
 create mode 100644 common/resources.tf
 create mode 100644 common/variables.tf
 create mode 100644 common/version.tf
 create mode 100644 common/versions.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..8cce8a2
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,6 @@
+# CHANGELOG
+
+# v2.0.0 -- 20210528
+ - create a common set of files to not replicate the logic
+ - consolidate all the submodules to use the common structure
+
diff --git a/common/data.tf b/common/data.tf
new file mode 100644
index 0000000..517cde8
--- /dev/null
+++ b/common/data.tf
@@ -0,0 +1,24 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+ arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_region" "current" {}
+
+# output "caller_account_id" {
+# value = data.aws_caller_identity.current.account_id
+# }
+#
+# output "account_caller_arn" {
+# value = data.aws_caller_identity.current.arn
+# }
+#
+# output "account_caller_arn_partition" {
+# value = data.aws_arn.current.partition
+# }
+#
+# output "account_region_name" {
+# value = data.aws_region.current.name
+# }
+
diff --git a/common/output.tf b/common/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/common/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/common/ports.tf b/common/ports.tf
new file mode 100644
index 0000000..35102ec
--- /dev/null
+++ b/common/ports.tf
@@ -0,0 +1,57 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
+ n_riverbed = ["172.24.100.107/32"]
+ source_groups = ["all", "external"]
+ name = var.name
+ ports = [
+ [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
+ [22, 22, "tcp", "SSH", local.n_census, ["external"]],
+ [25, 25, "tcp", "SMTP", local.n_all, ["external"]],
+ [123, 123, "udp", "NTP", local.n_all, ["external"]],
+ [161, 161, "udp", "SNMP", local.n_all, ["external"]],
+ [443, 443, "tcp", "https", local.n_all, ["external"]],
+ [4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"]],
+ [5001, 5003, "tcp", "iperf", local.n_all, ["external"]],
+ [5001, 5003, "udp", "iperf", local.n_all, ["external"]],
+ [5201, 5201, "tcp", "iperf3", local.n_all, ["external"]],
+ [5201, 5201, "udp", "iperf3", local.n_all, ["external"]],
+
+ [1556, 1556, "tcp", "Netbackup", local.n_all, ["external"]],
+ [13724, 13724, "tcp", "Netbackup", local.n_all, ["external"]],
+ [13782, 13782, "tcp", "Netbackup", local.n_all, ["external"]],
+ [10082, 10082, "tcp", "Netbackup-spoold", local.n_all, ["external"]],
+ [10102, 10102, "tcp", "Netbackup-spad", local.n_all, ["external"]],
+
+ [1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23"], ["external"]],
+ [1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"]],
+ [9080, 9080, "tcp", "", [local.n_census[2]], ["external"]],
+ [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
+
+# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,8080,8080 range=0.0.0.0/0
+# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,1571,1571 range=0.0.0.0/0
diff --git a/common/resources.tf b/common/resources.tf
new file mode 100644
index 0000000..2ad3927
--- /dev/null
+++ b/common/resources.tf
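Review bot: Several entries in the `ports` list are scoped to `local.n_all` (0.0.0.0/0) although the service is internal by nature — SNMP (udp/161), NTP (udp/123), SMTP/25, the five Netbackup ports, iperf/iperf3 and OPSware-Control/1002 — so a base group attached to every Linux host admits those ports from any address that can reach the instance; `local.n_census` or `local.n_mgmt` would match the scoping already used for SSH and Munin, or leave the list empty so the rule falls back to the caller's `ingress_networks`. The entry `[9080, 9080, "tcp", "", [local.n_census[2]], ["external"]]` has an empty description and picks its network by positional index, so the resulting rule reads "Linux: " and silently follows any reorder of `n_census`; name the service and give that network its own `n_*` local. The comment `# these are ignored` above `ingress_networks`/`egress_networks` is wrong: resources.tf feeds `local.ingress_networks` into `external_ingress_networks` and uses `local.egress_networks` as the egress CIDR list, so the comment should say what they do (the same comment is repeated in general/ports.tf). The two trailing `# + sg_id=...` lines record live security-group and VPC identifiers from a tooling run and belong in the changelog rather than the module source.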
@@ -0,0 +1,111 @@
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ logs_region = data.aws_region.current.name
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "Organization" = "census:aditcio:csvd"
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ "boc:vpc:info" = join(" ", compact(list(var.vpc_id, var.vpc_full_name)))
+ }
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ var.tags,
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ map("Name", "sg-${local.name}"),
+ )
+}
diff --git a/common/variables.tf b/common/variables.tf
new file mode 100644
index 0000000..8235220
--- /dev/null
+++ b/common/variables.tf
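Review bot: The `dynamic "egress"` block indexes with the iterator object instead of its value — `local.egress_sg_names[sg]` and `security_groups = [sg]` — whereas the ingress block above correctly uses `sg.value`; with `iterator = sg`, `sg` is an object with `key`/`value` attributes, so this fails at plan time as soon as `egress_security_groups` is non-empty, and the same two lines are repeated in general/main.tf. Change them to `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. `local.account_id` reads `var.account_id`, which none of the variables files added in this commit declares, so Terraform should reject the module with an undeclared-variable error unless a caller-side file provides it — worth confirming, since `account_id`, `logs_region` and `account_environment` are also never referenced. `local.base_tags` in the first `locals` block builds the same `boc:*` tags that `tags = merge(...)` rebuilds inline with `map()` and is never used; either merge `local.base_tags` there or drop it.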
@@ -0,0 +1,83 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "it-linux-base"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Linux Common Base Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Linux"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+data "aws_vpc" "selected" {
+ id = "${var.vpc_id}"
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/common/version.tf b/common/version.tf
new file mode 100644
index 0000000..6b49608
--- /dev/null
+++ b/common/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "2.0.0"
+}
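Review bot: `data "aws_vpc" "selected"` is declared in the middle of variables.tf, performs an unconditional VPC lookup that duplicates the `count`-gated `data.aws_vpc.this_vpc` in resources.tf, is referenced by nothing, and uses the 0.11-style `"${var.vpc_id}"` wrapping; drop it (the same block is in general/variables.tf). The default `ingress_networks = ["0.0.0.0/0"]` deserves a second look: resources.tf substitutes `local.external_ingress_networks` for any port entry whose cidr list is empty, so an entry added with `[]` as its network is open to the world by default rather than closed, and `default = []` would make callers opt in explicitly, which is the safer failure mode for a security-group module. `type = map` with no element type is the legacy form; `type = map(string)` documents the intent and lets Terraform reject a non-string tag value. The description "List of ingress networks for external access (not all ports)" would be clearer if it said that these networks apply only to port entries that carry no cidr list of their own.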
diff --git a/common/versions.tf b/common/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/common/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
From dfb9a200e0412047e7a10e2cc52334006698051a Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 28 May 2021 10:25:01 -0400
Subject: [PATCH 2/9] add to refactor
---
 common/README.md | 52 +++++++++++++++++++
 general/CHANGELOG.md | 2 +
 general/README.md | 69 ++++++++++++++++++++++++
 general/main.tf | 121 +++++++++++++++++++++++++++++++++++++++++++
 general/output.tf | 9 ++++
 general/ports.tf | 59 +++++++++++++++++++++
 general/variables.tf | 83 +++++++++++++++++++++++++++++
 general/version.tf | 3 ++
 general/versions.tf | 4 ++
 9 files changed, 402 insertions(+)
 create mode 100644 common/README.md
 create mode 100644 general/CHANGELOG.md
 create mode 100644 general/README.md
 create mode 100644 general/main.tf
 create mode 100644 general/output.tf
 create mode 100644 general/ports.tf
 create mode 100644 general/variables.tf
 create mode 100644 general/version.tf
 create mode 100644 general/versions.tf
diff --git a/common/README.md b/common/README.md
new file mode 100644
index 0000000..a04f3b0
--- /dev/null
+++ b/common/README.md
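Review bot: `required_version = ">= 0.12"` has no upper bound, but resources.tf builds its tags with `map(...)` and `list(...)`, which Terraform 0.12 kept only as deprecated compatibility functions and 0.15 removed, so a user on a current Terraform gets an unknown-function error from a module whose constraint says it is supported. Either cap the constraint, `required_version = ">= 0.12, < 0.15"`, until the call sites move to object and tuple literals (`{ "Name" = "sg-${local.name}" }` inside the `merge(...)`, `[var.vpc_id, var.vpc_full_name]` inside `compact(...)`), or make that switch in this commit and keep the open bound. There is also no `required_providers` block, so the AWS provider version is unconstrained; pinning at least a major version keeps plans reproducible. The same file is added as general/versions.tf.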
@@ -0,0 +1,52 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"it-linux-base"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Linux"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/general/CHANGELOG.md b/general/CHANGELOG.md new file mode 100644 index 0000000..642dea2 --- /dev/null +++ b/general/CHANGELOG.md @@ -0,0 +1,2 @@ +# v1.0.0 -- 20210429 + * create new general submodule diff --git a/general/README.md b/general/README.md new file mode 100644 index 0000000..d4b7039 --- /dev/null +++ b/general/README.md 
@@ -0,0 +1,69 @@ +# About it-windows-base + +This describes how to use the aws-common-security-groups submodule for it-windows-base. + +Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP, +monit, munin, iperf, netperf, NetBackup and Opsware. + +## Usage + +```hcl +module "it-windows-base" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base" + + # name = "it-windows-base" + vpc_id = var.vpc_id + # Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"Windows Common Base Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"it-windows-base"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Windows"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/general/main.tf b/general/main.tf new file mode 100644 index 0000000..2c45a16 --- /dev/null +++ b/general/main.tf 
@@ -0,0 +1,121 @@
+/**
+* # About it-windows-base
+*
+* This describes how to use the aws-common-security-groups submodule for it-windows-base.
+*
+* Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP,
+* monit, munin, iperf, netperf, NetBackup and Opsware.
+*
+* ## Usage
+*
+* ```hcl
+* module "it-windows-base" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base"
+*
+* # name = "it-windows-base"
+* vpc_id = var.vpc_id
+* # Name, CostAllocation, and Environment are pre-set, but they can be overriden
+* # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+ # vpc_id = "${data.aws_vpc.selected.id}"
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ map("Name", "sg-${local.name}"),
+ var.tags,
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ )
+}
diff --git a/general/output.tf b/general/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/general/output.tf
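Review bot: general/main.tf re-declares the three data sources, the `locals` block and the entire `aws_security_group` resource verbatim from common/resources.tf, so the general submodule does not consume the common files that the CHANGELOG says all submodules now share; until it does, every fix lands twice, and this copy already diverges in the `merge(...)` argument order (here `map("Name", ...)` comes first, so a caller's `tags.Name` overrides it; in common it comes last and wins) — pick one order and document it. The header comment describes `it-windows-base` and a `//it-windows-base` source path for a module that lives in general/; confirm which name is intended and make the usage snippet match the directory so a copied `source` line resolves. `# vpc_id = "${data.aws_vpc.selected.id}"` refers to the unconditional VPC lookup left in general/variables.tf; remove both together.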
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/general/ports.tf b/general/ports.tf
new file mode 100644
index 0000000..6b9aee2
--- /dev/null
+++ b/general/ports.tf
@@ -0,0 +1,59 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+## % python modify-security-groups.py list sg-00fb5065
+## sg_id=sg-00fb5065 sg_name='it-windows-base' vpc_id=vpc-2ea5664b sg_description='Windows Common Base Security Group'
+## direction=ingress pft=udp,161,161 range=0.0.0.0/0
+## direction=ingress pft=tcp,1556,1556 range=10.193.0.0/22
+## direction=ingress pft=tcp,5986,5986 range=172.24.12.239/32
+## direction=ingress pft=tcp,3389,3389 range=148.129.0.0/16,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
+## direction=ingress pft=icmp,-1,-1 range=0.0.0.0/0
+## direction=egress pft=all range=0.0.0.0/0
+
+## this adds iperf3
+locals {
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
+ n_backup = ["10.193.0.0/22"]
+ n_ansible = ["172.24.12.239/32"]
+ n_encase = ["148.129.121.72/32"]
+ n_riverbed = ["172.24.100.107/32"]
+ n_hpsa = ["172.24.100.141/32", "172.24.100.154/32", "172.24.100.165/32"]
+ n_hpom = ["172.24.105.24/32"]
+ source_groups = ["all", "external"]
+ name = var.name
+ ports = [
+ [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
+ [161, 161, "udp", "SNMP", local.n_all, ["external"]],
+ [5201, 5201, "tcp", "iperf3", local.n_all, ["external"]],
+ [5201, 5201, "udp", "iperf3", local.n_all, ["external"]],
+ [1556, 1556, "tcp", "Netbackup", local.n_backup, ["external"]],
+ [3389, 3389, "tcp", "RDP", local.n_census, ["external"]],
+ [4445, 4445, "tcp", "EnCase", local.n_encase, ["external"]],
+ [5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"]],
+ [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]],
+ [1002, 1002, "tcp", "HPSA", local.n_hpsa, ["external"]],
+ [383, 383, "tcp", "HPOM", local.n_hpom, ["external"]],
+ [383, 383, "udp", "HPOM", local.n_hpom, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
diff --git a/general/variables.tf b/general/variables.tf
new file mode 100644
index 0000000..0e4f382
--- /dev/null
+++ b/general/variables.tf
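Review bot: The `## sg_id=... vpc_id=... direction=...` block pastes the live output of `modify-security-groups.py` for one specific security group and VPC — including individual host addresses such as `172.24.12.239/32` and the HPSA/HPOM hosts — into a module the README presents for general reuse; such snapshots drift from the real group as soon as it is edited and widen what any reader of the repository learns about the network layout, so keep them in a ticket or changelog and keep only the `n_*` locals the code needs. `## this adds iperf3` describes a change rather than the code and is stale once the file exists; it belongs in CHANGELOG.md. As in common/ports.tf, SNMP (udp/161) and both iperf3 entries are scoped to `local.n_all` while every other service here is scoped to a named network; `local.n_census` would be consistent with the RDP entry. The `n_mgmt` local is defined but unused in this file.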
@@ -0,0 +1,83 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "it-windows-base"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Windows Common Base Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Windows"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+data "aws_vpc" "selected" {
+ id = "${var.vpc_id}"
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/general/version.tf b/general/version.tf
new file mode 100644
index 0000000..1ee6619
--- /dev/null
+++ b/general/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "1.2.0"
+}
diff --git a/general/versions.tf b/general/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/general/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
From 3e539f9e7d7b8aa386db4a4206beb4ce6c445ffd Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 21 Oct 2021 14:40:38 -0400
Subject: [PATCH 3/9] v2.1.0: refactor and use sas as the first common module
---
 CHANGELOG.md | 16 +++-
 common/README.md | 10 +--
 common/data.tf | 16 ----
 common/data.vpc.tf | 14 ++++
 common/ports.tf | 42 +++------
 common/resources.tf | 35 +------
 common/variables.common.tf | 41 +++++++++
 common/variables.tf | 83 ------------------
 common/variables.tf.example | 19 +++++
 common/variables.vpc.tf | 12 +++
 common/version.tf | 2 +-
 sas/README.md | 119 +++++++++++++++++++++++++++
 sas/data.tf | 1 +
 sas/data.vpc.tf | 1 +
 sas/logs/fmt.20211021.1634841547.log | 6 ++
 sas/main.tf | 74 +++++++++++++++++
 sas/output.tf | 1 +
 sas/ports.tf | 48 +++++++++++
 sas/resources.tf | 1 +
 sas/settings.tf | 7 ++
 sas/variables.common.tf | 1 +
 sas/variables.tf | 19 +++++
 sas/variables.vpc.tf | 1 +
 sas/version.tf | 1 +
 sas/versions.tf | 1 +
 25 files changed, 400 insertions(+), 171 deletions(-)
 create mode 100644 common/data.vpc.tf
 create mode 100644 common/variables.common.tf
 delete mode 100644 common/variables.tf
 create mode 100644 common/variables.tf.example
 create mode 100644 common/variables.vpc.tf
 create mode 100644 sas/README.md
 create mode 120000 sas/data.tf
 create mode 120000 sas/data.vpc.tf
 create mode 100644 sas/logs/fmt.20211021.1634841547.log
 create mode 100644 sas/main.tf
 create mode 120000 sas/output.tf
 create mode 100644 sas/ports.tf
 create mode 120000 sas/resources.tf
 create mode 100644 sas/settings.tf
 create mode 120000 sas/variables.common.tf
 create mode 100644 sas/variables.tf
 create mode 120000 sas/variables.vpc.tf
 create mode 120000 sas/version.tf
 create mode 120000 sas/versions.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cce8a2..fd239b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,20 @@ # CHANGELOG -# v2.0.0 -- 20210528 +* v2.0.0 -- 20210528 - create a common set of files to not replicate the logic - consolidate all the submodules to use the common structure +* v2.1.0 -- 20211021 + - sas + - add sas submodule, which can be used for a general module or a specific application module + +## web + +* v1.0.0 -- 20210604 + - add module version, update tags + +* v1.1.0 -- 20210915 + - enable use of ingress_networks and egress_networks for pre-defined port list + +* v1.1.1 -- 20210929 + - fix default egress to be 0/0 for web submodule diff --git a/common/README.md b/common/README.md index a04f3b0..6c851f6 100644 --- a/common/README.md +++ b/common/README.md @@ -24,22 +24,18 @@ No modules. | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | -| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | -| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | -| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [name](#input\_name) | Security Group Name | `string` | `"it-linux-base"` | no | -| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Linux"` | no | -| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | diff --git a/common/data.tf b/common/data.tf index 517cde8..7e23a04 100644 --- a/common/data.tf +++ b/common/data.tf @@ -6,19 +6,3 @@ data "aws_arn" "current" { data "aws_region" "current" {} -# output "caller_account_id" { -# value = data.aws_caller_identity.current.account_id -# } -# -# output "account_caller_arn" { -# value = data.aws_caller_identity.current.arn -# } -# -# output "account_caller_arn_partition" { -# value = data.aws_arn.current.partition -# } -# -# output "account_region_name" { -# value = data.aws_region.current.name -# } - diff --git a/common/data.vpc.tf b/common/data.vpc.tf new file mode 100644 index 0000000..bdc98ab --- /dev/null +++ b/common/data.vpc.tf @@ -0,0 +1,14 @@ +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} diff --git a/common/ports.tf b/common/ports.tf index 35102ec..ebb8931 100644 --- a/common/ports.tf +++ b/common/ports.tf 
@@ -6,41 +6,24 @@ # cidr_block # list of: all, external (more added as needed) +# example only. Use your own values as appropraite + locals { n_all = ["0.0.0.0/0"] n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] - n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"] - n_riverbed = ["172.24.100.107/32"] source_groups = ["all", "external"] - name = var.name - ports = [ - [-1, -1, "icmp", "ICMP", local.n_all, ["external"]], - [22, 22, "tcp", "SSH", local.n_census, ["external"]], - [25, 25, "tcp", "SMTP", local.n_all, ["external"]], - [123, 123, "udp", "NTP", local.n_all, ["external"]], - [161, 161, "udp", "SNMP", local.n_all, ["external"]], - [443, 443, "tcp", "https", local.n_all, ["external"]], - [4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"]], - [5001, 5003, "tcp", "iperf", local.n_all, ["external"]], - [5001, 5003, "udp", "iperf", local.n_all, ["external"]], - [5201, 5201, "tcp", "iperf3", local.n_all, ["external"]], - [5201, 5201, "udp", "iperf3", local.n_all, ["external"]], - - [1556, 1556, "tcp", "Netbackup", local.n_all, ["external"]], - [13724, 13724, "tcp", "Netbackup", local.n_all, ["external"]], - [13782, 13782, "tcp", "Netbackup", local.n_all, ["external"]], - [10082, 10082, "tcp", "Netbackup-spoold", local.n_all, ["external"]], - [10102, 10102, "tcp", "Netbackup-spad", local.n_all, ["external"]], - [1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23"], ["external"]], - [1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"]], - [9080, 9080, "tcp", "", [local.n_census[2]], ["external"]], - [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]], + ports = [ + [80, 80, "tcp", "http", local.n_census, ["external"]], + [443, 443, "tcp", "https", local.n_census, ["external"]], + [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]], + [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]], ] - # these are ignored - ingress_networks = var.ingress_networks - egress_networks = 
var.egress_networks + # ingress_networks = var.ingress_networks + ingress_networks = [] + # egress_networks = var.egress_networks + egress_networks = local.n_all # these are ignored ingress_sg = var.ingress_security_groups @@ -52,6 +35,3 @@ locals { s => [for p in local.p_map : p if contains(p["source_group"], s)] } } - -# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,8080,8080 range=0.0.0.0/0 -# + sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 sg_id=sg-9b19a7fe sg_name='it-linux-base' vpc_id=vpc-95ff37f0 direction=ingress pft=tcp,1571,1571 range=0.0.0.0/0 diff --git a/common/resources.tf b/common/resources.tf index 2ad3927..41d3adb 100644 --- a/common/resources.tf +++ b/common/resources.tf 
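Review bot: `egress_networks = local.n_all` hard-codes an all-protocol egress rule to 0.0.0.0/0 into the template that every submodule copies, and because common/resources.tf unions this local with `var.egress_networks`, the variable can only widen that rule, never narrow it. If unrestricted egress is the intended default, say so on the line, e.g. `# default egress: all protocols to 0.0.0.0/0 — var.egress_networks is unioned in resources.tf and cannot restrict this`; otherwise keep `egress_networks = var.egress_networks` so the caller decides. The `ingress_networks = []` line is, as far as visible, already covered by the `var.ingress_networks` concat in resources.tf, so the commented-out alternative above it reads as if the variable were ignored; a one-line comment saying where the variable is actually applied would avoid that. The `locals` block opened at the top of this hunk continues in the next one.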
@@ -1,38 +1,9 @@ -data "aws_vpc" "this_vpc" { - count = var.use_vpc_cidr ? 1 : 0 - id = var.vpc_id -} - -data "aws_security_group" "ingress_security_groups" { - count = length(var.ingress_security_groups) - id = element(var.ingress_security_groups, count.index) -} - -data "aws_security_group" "egress_security_groups" { - count = length(var.egress_security_groups) - id = element(var.egress_security_groups, count.index) -} - -locals { - account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id - logs_region = data.aws_region.current.name - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - - base_tags = { - "Organization" = "census:aditcio:csvd" - "boc:tf_module_version" = local._module_version - "boc:created_by" = "terraform" - "boc:vpc:info" = join(" ", compact(list(var.vpc_id, var.vpc_full_name))) - } -} - locals { vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) self = var.enable_self ? [1] : [] - short_description = var.short_description == "" ? var.description : var.short_description } resource "aws_security_group" "this_security_group" { @@ -49,7 +20,7 @@ resource "aws_security_group" "this_security_group" { from_port = p.value["from"] to_port = p.value["to"] protocol = p.value["proto"] - cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"] + cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks))) } } 
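Review bot: The new `cidr_blocks` expression lists the same CIDRs twice whenever a submodule sets `local.ingress_networks = var.ingress_networks` (sas/ports.tf does): `local.external_ingress_networks` is already built from `local.ingress_networks` in the locals above, and `var.ingress_networks` is then concatenated on top, so AWS may be handed duplicate IpRanges in one rule, which the API is likely to reject. One line covers both branches and removes the repeats: `cidr_blocks = distinct(compact(concat(length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"], var.ingress_networks)))` (`flatten` is not needed, every operand is already a list of strings). It is also worth a comment that the variable is unioned with a port's own `cidr`, so a port declared with `0.0.0.0/0` can gain sources from `ingress_networks` but can never be restricted by it. The ingress block that the `p` iterator belongs to begins before this hunk.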
@@ -85,7 +56,7 @@ resource "aws_security_group" "this_security_group" { from_port = 0 to_port = 0 protocol = -1 - cidr_blocks = local.egress_networks + cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks))) } # egress security group ids (all) @@ -102,10 +73,10 @@ resource "aws_security_group" "this_security_group" { } tags = merge( + map("Name", "sg-${local.name}"), var.tags, map("boc:created_by", "terraform"), map("boc:tf_module_version", local._module_version), map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), - map("Name", "sg-${local.name}"), ) } diff --git a/common/variables.common.tf b/common/variables.common.tf new file mode 100644 index 0000000..d001a04 --- /dev/null +++ b/common/variables.common.tf @@ -0,0 +1,41 @@ +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +variable "ingress_networks" { + description = "List of ingress networks for access (with all pre-defined ingress ports)" + type = list(string) + default = [] +} + +variable "egress_networks" { + description = "List of egress networks (with all pre-defined egress ports)" + type = list(string) + default = [] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = {} +} diff --git a/common/variables.tf b/common/variables.tf deleted file mode 100644 index 8235220..0000000 --- a/common/variables.tf +++ /dev/null 
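Review bot: `concat(local.egress_networks, var.egress_networks)` on the all-protocol egress rule repeats every CIDR when a submodule defines `local.egress_networks = var.egress_networks` (sas/ports.tf does), and yields an empty `cidr_blocks` when both are empty, which is the sas submodule's default; an egress rule with no source is likely to be refused by the provider. Use `distinct(compact(concat(local.egress_networks, var.egress_networks)))` and state next to it what an empty union is expected to do. A `# protocol -1 / ports 0-0: all traffic, scoped only by the CIDR union below` comment on `protocol = -1` would also help the next reader. The egress block begins before this hunk.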
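Review bot: The `tags` merge still relies on the `map()` and `list()` functions, which Terraform deprecated in 0.12 and removed in a later release (0.15, if I recall correctly), so the module pins itself to old Terraform even though the README only requires `>= 0.12`; the new `Name` entry is the natural moment to switch. `map("Name", "sg-${local.name}")` becomes `{ "Name" = "sg-${local.name}" }` and `list(var.vpc_id, var.vpc_full_name)` becomes `[var.vpc_id, var.vpc_full_name]`, both valid on 0.12. Moving `Name` ahead of `var.tags` means a caller-supplied `Name` now wins over the module's, which matches the README's "can be overridden" wording but deserves a `# caller tags override Name; boc:* tags always win` comment on the merge. The resource block begins before this hunk.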
@@ -1,83 +0,0 @@ -#--- -# change between different modules as needed -#--- -variable "name" { - description = "Security Group Name" - type = string - default = "it-linux-base" -} - -variable "description" { - description = "Security Group Description" - type = string - default = "Linux Common Base Security Group" -} - -variable "short_description" { - description = "Security Group Short Description" - type = string - default = "Linux" -} - -variable "enable_self" { - description = "Enable|Disable self full access" - type = bool - default = false -} - -variable "use_vpc_cidr" { - description = "Enable|Disable use of VPC CIDR block in the ingress_networks" - type = bool - default = false -} - -#--- -# others with defaults -#--- -variable "vpc_id" { - description = "VPC ID Number" - type = string -} - -data "aws_vpc" "selected" { - id = "${var.vpc_id}" -} - -variable "vpc_full_name" { - description = "VPC Name" - type = string - default = "" -} - -variable "ingress_networks" { - description = "List of ingress networks for external access (not all ports)" - type = list(string) - default = ["0.0.0.0/0"] -} - -variable "egress_networks" { - description = "List of egress networks (all ports)" - type = list(string) - default = ["0.0.0.0/0"] -} - -variable "ingress_security_groups" { - description = "List of ingress security groups for all ports" - type = list(string) - default = [] -} - -variable "egress_security_groups" { - description = "List of egress security groups (all ports)" - type = list(string) - default = [] -} - -variable "tags" { - description = "Extra security group tags" - type = map - default = { - "CostAllocation" = "csvd:infrastructure" - "Environment" = "csvd-infrastructure" - } -} diff --git a/common/variables.tf.example b/common/variables.tf.example new file mode 100644 index 0000000..1738dcf --- /dev/null +++ b/common/variables.tf.example 
@@ -0,0 +1,19 @@ +# copy this file, and replace it with the appropriate defaults for a module + +variable "name" { + description = "Security Group Name" + type = string +# default = "REPLACE" +} + +variable "description" { + description = "Security Group Description" + type = string +# default = "REPLACE" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string +# default = "REPLACE" +} diff --git a/common/variables.vpc.tf b/common/variables.vpc.tf new file mode 100644 index 0000000..9e52219 --- /dev/null +++ b/common/variables.vpc.tf @@ -0,0 +1,12 @@ +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + + diff --git a/common/version.tf b/common/version.tf index 6b49608..55a44df 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.0.0" + _module_version = "2.1.0" } diff --git a/sas/README.md b/sas/README.md new file mode 100644 index 0000000..d558655 --- /dev/null +++ b/sas/README.md @@ -0,0 +1,119 @@ +# About sas + +This describes how to use the aws-common-security-groups submodule for sas. For use as an application-specific +security group, we recommend enabling `enable_self`, as this will apply so that all servers which hold this +SG are able to communicate with each other. For a moduluar SAS global SG, like `m-sas`, this is not recommended +and will actually be disabled (if the name is empty or `m-{something}`. + +The list of SAS ports is as follows: + +## General Purpose SG + +| Desscription | Protocol | Port Range | Direction | Source | +|------------------|----------|------------|----------------|--------| +| SAS OLAP Server | TCP | 5450-5460 | Inbound | All Client CIDRS:
148.129/16
172.16/12192.168/16
10/8 | +| SAS Environment Manager Dashboard Port (HTTP) | TCP | 7080-7090 | Inbound | | +| SAS Document Conversion | TCP | 7111 | Inbound | | +| SAS Environment Manager Dashboard Secure Port (HTTPS) | TCP | 7443 | Inbound | | +| SAS/CONNECT Spawner Operator | TCP | 7540-7560 | Inbound | | +| SAS/CONNECT Server | TCP | Inbound | | +| SAS Web Server HTTP Port | TCP | 7980-7990 | Inbound | | +| SAS Web Server HTTPS Port | TCP | 8343-8353 | Inbound | | +| SAS Web Application Server HTTPS Server 1 Port | TCP | 8443-8453 | Inbound | | +| Operating System Services Scheduler | TCP | 8451-8461 | Inbound | | +| SAS Metadata, Object Spawner, Workspace and Stored Processs Servers | TCP | 8540-8640 | Inbound | | +| SAS Pooled Workspace Server | TCP | 8701-8711 | Inbound | | +| SAS Object Spanwer - Pooled Workspace Server ports | TCP | 8800-8830 | Inbound | | +| Web Infrastructure Platform Database Server | TCP | 9431-9441 | Inbound | | +| SAS Data Remediation Data Server | TCP | 9831-9841 | Inbound | | + +## Application Specific SG + +| Desscription | Protocol | Port Range | Direction | Source | +|------------------|----------|------------|----------------|--------| +| Server to Server Communication | TCP | * | Inbound | This Security Group | +| Server to Server Communication | UDP | * | Inbound | This Security Group | + +## Usage: General Purpose SAS + +```hcl +module "app_sas" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" + + vpc_id = var.vpc_id + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Usage: Application Specific SG + +```hcl +module "app_sas" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" + + name = "sas-{org}-{app}" + description = "SAS Ports for application {org}-{app}" + short_description = "SAS" + vpc_id = var.vpc_id + enable_self = true + ## optional + # ingress_networks = [ "1.2.3.0/24" ] + # 
egress_networks = [ "1.2.3.0/24" ] + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | n/a | yes | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | 
`false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | n/a | yes | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | n/a | yes | +| [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/sas/data.tf b/sas/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/sas/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file diff --git a/sas/data.vpc.tf b/sas/data.vpc.tf new file mode 120000 index 0000000..197ea98 --- /dev/null +++ b/sas/data.vpc.tf @@ -0,0 +1 @@ +../common/data.vpc.tf \ No newline at end of file diff --git a/sas/logs/fmt.20211021.1634841547.log b/sas/logs/fmt.20211021.1634841547.log new file mode 100644 index 0000000..ec1a424 --- /dev/null +++ b/sas/logs/fmt.20211021.1634841547.log @@ -0,0 +1,6 @@ +# starting v1.4.4 action fmt file logs/fmt.20211021.1634841547.log stamp 20211021.1634841547 time 1634841547 + +ports.tf +settings.tf +# ending v1.4.4 action fmt file logs/fmt.20211021.1634841547.log stamp 20211021.1634841547 start 1634841547 end 1634841547 elapsed 0 + 
diff --git a/sas/main.tf b/sas/main.tf new file mode 100644 index 0000000..0ebf769 --- /dev/null +++ b/sas/main.tf @@ -0,0 +1,74 @@ +/* +* # About sas +* +* This describes how to use the aws-common-security-groups submodule for sas. For use as an application-specific +* security group, we recommend enabling `enable_self`, as this will apply so that all servers which hold this +* SG are able to communicate with each other. For a moduluar SAS global SG, like `m-sas`, this is not recommended +* and will actually be disabled (if the name is empty or `m-{something}`. +* +* The list of SAS ports is as follows: +* +* ## General Purpose SG +* +* | Desscription | Protocol | Port Range | Direction | Source | +* |------------------|----------|------------|----------------|--------| +* | SAS OLAP Server | TCP | 5450-5460 | Inbound | All Client CIDRS:
148.129/16
172.16/12192.168/16
10/8 | +* | SAS Environment Manager Dashboard Port (HTTP) | TCP | 7080-7090 | Inbound | | +* | SAS Document Conversion | TCP | 7111 | Inbound | | +* | SAS Environment Manager Dashboard Secure Port (HTTPS) | TCP | 7443 | Inbound | | +* | SAS/CONNECT Spawner Operator | TCP | 7540-7560 | Inbound | | +* | SAS/CONNECT Server | TCP | Inbound | | +* | SAS Web Server HTTP Port | TCP | 7980-7990 | Inbound | | +* | SAS Web Server HTTPS Port | TCP | 8343-8353 | Inbound | | +* | SAS Web Application Server HTTPS Server 1 Port | TCP | 8443-8453 | Inbound | | +* | Operating System Services Scheduler | TCP | 8451-8461 | Inbound | | +* | SAS Metadata, Object Spawner, Workspace and Stored Processs Servers | TCP | 8540-8640 | Inbound | | +* | SAS Pooled Workspace Server | TCP | 8701-8711 | Inbound | | +* | SAS Object Spanwer - Pooled Workspace Server ports | TCP | 8800-8830 | Inbound | | +* | Web Infrastructure Platform Database Server | TCP | 9431-9441 | Inbound | | +* | SAS Data Remediation Data Server | TCP | 9831-9841 | Inbound | | +* +* ## Application Specific SG +* +* | Desscription | Protocol | Port Range | Direction | Source | +* |------------------|----------|------------|----------------|--------| +* | Server to Server Communication | TCP | * | Inbound | This Security Group | +* | Server to Server Communication | UDP | * | Inbound | This Security Group | +* +* ## Usage: General Purpose SAS +* +* ```hcl +* module "app_sas" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" +* +* vpc_id = var.vpc_id +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +* +* ## Usage: Application Specific SG +* +* ```hcl +* module "app_sas" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" +* +* name = "sas-{org}-{app}" +* description = "SAS Ports for application {org}-{app}" +* short_description = "SAS" +* vpc_id = var.vpc_id +* 
enable_self = true +* ## optional +* # ingress_networks = [ "1.2.3.0/24" ] +* # egress_networks = [ "1.2.3.0/24" ] +* +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +* +*/ + +# all of the code is in resource.tf, this is here for documention + + diff --git a/sas/output.tf b/sas/output.tf new file mode 120000 index 0000000..1297ffd --- /dev/null +++ b/sas/output.tf @@ -0,0 +1 @@ +../common/output.tf \ No newline at end of file diff --git a/sas/ports.tf b/sas/ports.tf new file mode 100644 index 0000000..45bf367 --- /dev/null +++ b/sas/ports.tf 
@@ -0,0 +1,48 @@ +# ports = list of list of +# from_port +# to_port +# proto +# description +# cidr_block +# list of: all, external (more added as needed) + +locals { + networks = { + "all" = ["0.0.0.0/0"] + "census" = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] + } + source_groups = ["all", "external"] + + name = var.name + ports = [ + [5450, 5460, "tcp", "OLAP Server", local.networks["all"], ["external"]], + [7080, 7090, "tcp", "Environment Manager HTTP", local.networks["all"], ["external"]], + [7111, 7111, "tcp", "Dcoument Conversion", local.networks["all"], ["external"]], + [7443, 7443, "tcp", "Environment Manager HTTPS", local.networks["all"], ["external"]], + [7540, 7560, "tcp", "CONNECT Spawner Operator", local.networks["all"], ["external"]], + # [x, x, "tcp", "CONNECT Server", local.networks["all"], ["external"] ], + [7980, 7990, "tcp", "Web Server HTTP", local.networks["all"], ["external"]], + [8343, 8353, "tcp", "Web Server HTTPS", local.networks["all"], ["external"]], + [8443, 8453, "tcp", "Web Application Server HTTPS", local.networks["all"], ["external"]], + [8451, 8461, "tcp", "OS Services Scheduler", local.networks["all"], ["external"]], + [8540, 8640, "tcp", "Metadata", local.networks["all"], ["external"]], + [8701, 8711, "tcp", "Pooled Workspace", local.networks["all"], ["external"]], + [8800, 8830, "tcp", "Object Spawner", local.networks["all"], ["external"]], + [9431, 9441, "tcp", "Web Infra Platform", local.networks["all"], ["external"]], + [9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]], + [9831, 9841, "tcp", "Data Remediation", local.networks["all"], ["external"]], + ] + + ingress_networks = var.ingress_networks + egress_networks = var.egress_networks + + # these are ignored + ingress_sg = var.ingress_security_groups + egress_sg = var.egress_security_groups + + p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] + p_map = [for p in local.ports : zipmap(local.p_fields, 
p)] + port_map = { for s in local.source_groups : + s => [for p in local.p_map : p if contains(p["source_group"], s)] + } +} diff --git a/sas/resources.tf b/sas/resources.tf new file mode 120000 index 0000000..6dd8c84 --- /dev/null +++ b/sas/resources.tf @@ -0,0 +1 @@ +../common/resources.tf \ No newline at end of file diff --git a/sas/settings.tf b/sas/settings.tf new file mode 100644 index 0000000..c581597 --- /dev/null +++ b/sas/settings.tf @@ -0,0 +1,7 @@ +locals { + name = var.name != "" ? var.name : "m-sas" + is_modular = length(regexall("^m-", var.name)) > 0 + enable_self = var.enable_self ? ! local.is_modular : var.enable_self + description = var.description != "" ? var.description : format("Security Group for %v", local.name) + short_description = var.short_description != "" ? var.short_description : local.name +} diff --git a/sas/variables.common.tf b/sas/variables.common.tf new file mode 120000 index 0000000..7439ed8 --- /dev/null +++ b/sas/variables.common.tf @@ -0,0 +1 @@ +../common/variables.common.tf \ No newline at end of file diff --git a/sas/variables.tf b/sas/variables.tf new file mode 100644 index 0000000..a2e474b --- /dev/null +++ b/sas/variables.tf @@ -0,0 +1,19 @@ +# copy this file, and replace it with the appropriate defaults for a module + +variable "name" { + description = "Security Group Name" + type = string + # default = "REPLACE" +} + +variable "description" { + description = "Security Group Description" + type = string + # default = "REPLACE" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + # default = "REPLACE" +} diff --git a/sas/variables.vpc.tf b/sas/variables.vpc.tf new file mode 120000 index 0000000..11a6813 --- /dev/null +++ b/sas/variables.vpc.tf @@ -0,0 +1 @@ +../common/variables.vpc.tf \ No newline at end of file diff --git a/sas/version.tf b/sas/version.tf new file mode 120000 index 0000000..b83c5b7 --- /dev/null +++ b/sas/version.tf 
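Review bot: Every row in `ports` sources `local.networks["all"]`, i.e. 0.0.0.0/0, so the general-purpose SAS group opens all of the listed port ranges, including the plain-HTTP ones (7080-7090, 7980-7990), to the whole internet, while the README for this submodule says the source is the client CIDRs (148.129/16, 172.16/12, 192.168/16, 10/8), which is exactly `local.networks["census"]`, a key nothing reads. Change each row's source to `local.networks["census"]` (or to `[]` so resources.tf falls back to `var.ingress_networks` and `use_vpc_cidr`), and put `# NOTE: sources are unioned with var.ingress_networks in resources.tf; it can widen but never narrow these` above the list. The `[9831, 9841, "tcp", "Data Remediation", ...]` row appears twice; drop one so the rule set matches the README table. `egress_networks = var.egress_networks` defaults to `[]` and, as far as visible, nothing supplies a fallback for the egress rule, so the README's minimal `module "sas"` example may not apply cleanly — worth verifying before release.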
@@ -0,0 +1 @@ +../common/version.tf \ No newline at end of file diff --git a/sas/versions.tf b/sas/versions.tf new file mode 120000 index 0000000..41bb22f --- /dev/null +++ b/sas/versions.tf @@ -0,0 +1 @@ +../common/versions.tf \ No newline at end of file From b3f1a2454301142a0dc6d60e69d2fb82ef4d97bb Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 21 Oct 2021 14:43:21 -0400 Subject: [PATCH 4/9] update readme --- sas/README.md | 2 ++ sas/main.tf | 2 ++ 2 files changed, 4 insertions(+) diff --git a/sas/README.md b/sas/README.md index d558655..d4d5bef 100644 --- a/sas/README.md +++ b/sas/README.md @@ -29,6 +29,8 @@ The list of SAS ports is as follows: ## Application Specific SG +All of the above, plus a `self` option. + | Desscription | Protocol | Port Range | Direction | Source | |------------------|----------|------------|----------------|--------| | Server to Server Communication | TCP | * | Inbound | This Security Group | diff --git a/sas/main.tf b/sas/main.tf index 0ebf769..a94dc33 100644 --- a/sas/main.tf +++ b/sas/main.tf @@ -30,6 +30,8 @@ * * ## Application Specific SG * +* All of the above, plus a `self` option. +* * | Desscription | Protocol | Port Range | Direction | Source | * |------------------|----------|------------|----------------|--------| * | Server to Server Communication | TCP | * | Inbound | This Security Group | From 691c4d87449e6db3404d86c3ebeedcd2ed75e81c Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 21 Oct 2021 14:48:40 -0400 Subject: [PATCH 5/9] update --- sas/README.md | 2 +- sas/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sas/README.md b/sas/README.md index d4d5bef..1456abf 100644 --- a/sas/README.md +++ b/sas/README.md @@ -39,7 +39,7 @@ All of the above, plus a `self` option. ## Usage: General Purpose SAS ```hcl -module "app_sas" { +module "sas" { source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" vpc_id = var.vpc_id 
diff --git a/sas/main.tf b/sas/main.tf index a94dc33..8da9f43 100644 --- a/sas/main.tf +++ b/sas/main.tf @@ -40,7 +40,7 @@ * ## Usage: General Purpose SAS * * ```hcl -* module "app_sas" { +* module "sas" { * source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//sas" * * vpc_id = var.vpc_id From cd5a217d70f36b175cfc222c39335499b902d76f Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 21 Oct 2021 14:53:56 -0400 Subject: [PATCH 6/9] add defaults --- sas/defaults.tf | 7 +++++++ sas/settings.tf | 10 +++++----- 2 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 sas/defaults.tf diff --git a/sas/defaults.tf b/sas/defaults.tf new file mode 100644 index 0000000..ab5a4e9 --- /dev/null +++ b/sas/defaults.tf @@ -0,0 +1,7 @@ +locals { + _defaults = { + name = "m-sas" + description = "Security group for SAS" + short_description = "SAS" + } +} diff --git a/sas/settings.tf b/sas/settings.tf index c581597..ffe1549 100644 --- a/sas/settings.tf +++ b/sas/settings.tf @@ -1,7 +1,7 @@ locals { - name = var.name != "" ? var.name : "m-sas" - is_modular = length(regexall("^m-", var.name)) > 0 - enable_self = var.enable_self ? ! local.is_modular : var.enable_self - description = var.description != "" ? var.description : format("Security Group for %v", local.name) - short_description = var.short_description != "" ? var.short_description : local.name + name = var.name != "" ? var.name : local._defaults["name"] + is_modular = var.name == "" || length(regexall("^m-", var.name)) > 0 + enable_self = var.enable_self ? ! local.is_modular : false + description = var.description != "" ? var.description : local._defaults["description"] + short_description = var.short_description != "" ? var.short_description : local._defaults["short_description"] } From 9225784d4fe2fc667b1b3f6a9874e53aae275c51 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 21 Oct 2021 14:56:34 -0400 Subject: [PATCH 7/9] fix --- sas/ports.tf | 1 - 1 file changed, 1 deletion(-) 
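Review bot: `local.enable_self` is computed here but, as far as the diff shows, never read: common/resources.tf (symlinked in as sas/resources.tf) builds the self rule from `self = var.enable_self ? [1] : []`, so the documented behaviour that self-access is disabled for modular `m-` groups is not enforced. Either have resources.tf read `local.enable_self` (which then requires every submodule's settings to define it) or remove the override and the README claim; until then a `# NOTE: not consumed — resources.tf reads var.enable_self directly` on this line keeps the gap visible. The `is_modular` change also makes an unnamed group modular, which the README's "Application Specific" section should state.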
diff --git a/sas/ports.tf b/sas/ports.tf index 45bf367..e48e022 100644 --- a/sas/ports.tf +++ b/sas/ports.tf @@ -13,7 +13,6 @@ locals { } source_groups = ["all", "external"] - name = var.name ports = [ [5450, 5460, "tcp", "OLAP Server", local.networks["all"], ["external"]], [7080, 7090, "tcp", "Environment Manager HTTP", local.networks["all"], ["external"]], From e5f353d18953819cde541fe659a92f445d1e46fa Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 21 Oct 2021 14:58:10 -0400 Subject: [PATCH 8/9] fix --- sas/README.md | 6 +++--- sas/logs/fmt.20211021.1634841547.log | 6 ------ sas/variables.tf | 6 +++--- 3 files changed, 6 insertions(+), 12 deletions(-) delete mode 100644 sas/logs/fmt.20211021.1634841547.log diff --git a/sas/README.md b/sas/README.md index 1456abf..a53501b 100644 --- a/sas/README.md +++ b/sas/README.md 
@@ -100,14 +100,14 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | n/a | yes | +| [description](#input\_description) | Security Group Description | `string` | `""` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [name](#input\_name) | Security Group Name | `string` | n/a | yes | -| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | n/a | yes | +| [name](#input\_name) | Security Group Name | `string` | `""` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no | | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | diff --git a/sas/logs/fmt.20211021.1634841547.log b/sas/logs/fmt.20211021.1634841547.log deleted file mode 100644 index ec1a424..0000000 --- a/sas/logs/fmt.20211021.1634841547.log +++ /dev/null 
@@ -1,6 +0,0 @@ -# starting v1.4.4 action fmt file logs/fmt.20211021.1634841547.log stamp 20211021.1634841547 time 1634841547 - -ports.tf -settings.tf -# ending v1.4.4 action fmt file logs/fmt.20211021.1634841547.log stamp 20211021.1634841547 start 1634841547 end 1634841547 elapsed 0 - diff --git a/sas/variables.tf b/sas/variables.tf index a2e474b..885b0fc 100644 --- a/sas/variables.tf +++ b/sas/variables.tf @@ -3,17 +3,17 @@ variable "name" { description = "Security Group Name" type = string - # default = "REPLACE" + default = "" } variable "description" { description = "Security Group Description" type = string - # default = "REPLACE" + default = "" } variable "short_description" { description = "Security Group Short Description" type = string - # default = "REPLACE" + default = "" } From 7d8ba17596871796db7f30f599c5b4946fd67b4a Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 21 Oct 2021 15:02:56 -0400 Subject: [PATCH 9/9] fix up ports for connect --- sas/ports.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sas/ports.tf b/sas/ports.tf index e48e022..9dd888d 100644 --- a/sas/ports.tf +++ b/sas/ports.tf 
@@ -18,8 +18,9 @@ locals {
 [7080, 7090, "tcp", "Environment Manager HTTP", local.networks["all"], ["external"]],
 [7111, 7111, "tcp", "Dcoument Conversion", local.networks["all"], ["external"]],
 [7443, 7443, "tcp", "Environment Manager HTTPS", local.networks["all"], ["external"]],
- [7540, 7560, "tcp", "CONNECT Spawner Operator", local.networks["all"], ["external"]],
- # [x, x, "tcp", "CONNECT Server", local.networks["all"], ["external"] ],
+ # [7541, 7541, "tcp", "CONNECT Spawner Operator", local.networks["all"], ["external"]],
+ # [7551, 7551, "tcp", "CONNECT Server", local.networks["all"], ["external"] ],
+ [7540, 7560, "tcp", "CONNECT", local.networks["all"], ["external"]],
 [7980, 7990, "tcp", "Web Server HTTP", local.networks["all"], ["external"]],
 [8343, 8353, "tcp", "Web Server HTTPS", local.networks["all"], ["external"]],
 [8443, 8453, "tcp", "Web Application Server HTTPS", local.networks["all"], ["external"]],
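Review bot: The commented-out rows record the specific SAS/CONNECT ports (7541 spawner operator, 7551 server), yet the live rule keeps the whole 7540-7560 range open to `local.networks["all"]`; if those two ports are the real listeners, two single-port rows keep the exposure tight: `[7541, 7541, "tcp", "CONNECT Spawner Operator", local.networks["all"], ["external"]],` and `[7551, 7551, "tcp", "CONNECT Server", local.networks["all"], ["external"]],`. If the range is deliberate (for example one port per CONNECT instance), say so on the line, e.g. `# range: one port per CONNECT instance`, rather than leaving the narrower rows as dead comments. The `ports` list and its `locals` block begin before this hunk.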