diff --git a/rds-postgres/CHANGELOG.md b/rds-postgres/CHANGELOG.md
index 284dbd4..bc7fc37 100644
--- a/rds-postgres/CHANGELOG.md
+++ b/rds-postgres/CHANGELOG.md
@@ -1,3 +1,2 @@
-# v1.0 -- 20210421
-
-* add module version, update tags
+# v1.0.0 -- 20210421
+ - add module version, update tags
diff --git a/rds-postgres/README.md b/rds-postgres/README.md
index 3ebe3d2..db3f8c0 100644
--- a/rds-postgres/README.md
+++ b/rds-postgres/README.md
@@ -1,16 +1,18 @@
-# About
+# About rds-postgres
-This describes how to use the aws-common-security-groups submodule for rds-postgres
+This describes how to use the aws-common-security-groups submodule for rds-postgres.
-# Usage
+Default and auxilliary ports are included in this. They are opened to everything.
-```code
-module "rds-postgres" {
- source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-common-security-groups.git//rds-postgres"
+## Usage
- # name = "m-rds-postgres"
+```hcl
+module "postgres" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres"
+
+ # name = "rds-postgres"
 vpc_id = var.vpc_id
- # Name, CostAllocation, and Environment are pre-set
+ # Name, CostAllocation, and Environment are pre-set, but they can be overriden
 # tags = { }
 }
 ```
@@ -19,39 +21,47 @@ module "rds-postgres" {
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12 |
+| [terraform](#requirement\_terraform) | >= 0.12 |
 ## Providers
 | Name | Version |
 |------|---------|
-| aws | n/a |
+| [aws](#provider\_aws) | n/a |
 ## Modules
-No Modules.
+No modules.
 ## Resources
-| Name |
-|------|
-| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) |
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| \_module\_version | Module version number | `string` | `"1.3"` | no |
-| egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
-| name | Security group Name | `string` | `"m-postgres-db"` | no |
-| networks | List of ingress networks (applies to all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
-| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no |
-| vpc\_full\_name | VPC Name | `string` | `""` | no |
-| vpc\_id | VPC ID Number | `string` | n/a | yes |
+| [description](#input\_description) | Security Group Description | `string` | `"RDS PostgreSQL Security Group"` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
+| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
+| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| [name](#input\_name) | Security Group Name | `string` | `"rds-postgres"` | no |
+| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"PostgreSQL"` | no |
+| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no |
+| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| this\_security\_group\_arn | Created security group ARN |
-| this\_security\_group\_id | Created security group ID |
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/rds-postgres/main.tf b/rds-postgres/main.tf
index 84b5dae..ff82f12 100644
--- a/rds-postgres/main.tf
+++ b/rds-postgres/main.tf
@@ -1,52 +1,119 @@
 /**
-* # About
-*
-* This describes how to use the aws-common-security-groups submodule for rds-oracle
-*
-* # Usage
-*
-* ```code
-* module "rds-postgres" {
-* source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-common-security-groups.git//rds-postgres"
-*
-* # name = "m-rds-postgres"
+* # About rds-postgres
+*
+* This describes how to use the aws-common-security-groups submodule for rds-postgres.
+*
+* Default and auxilliary ports are included in this. They are opened to everything.
+*
+* ## Usage
+*
+* ```hcl
+* module "postgres" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres"
+*
+* # name = "rds-postgres"
 * vpc_id = var.vpc_id
-* # Name, CostAllocation, and Environment are pre-set
+* # Name, CostAllocation, and Environment are pre-set, but they can be overriden
 * # tags = { }
 * }
 * ```
 */
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ?
var.description : var.short_description
+}
+
 resource "aws_security_group" "this_security_group" {
 name = local.name
- description = local.description
+ description = var.description
 vpc_id = var.vpc_id
- # portlist
+ # ingresss external port list (list + vpc if enabaled)
 dynamic "ingress" {
- for_each = local.ports_map
+ for_each = local.port_map["external"]
 iterator = p
 content {
- description = "${local.description}: ${p.value["description"]}"
+ description = "${local.short_description}: ${p.value["description"]}"
 from_port = p.value["from"]
 to_port = p.value["to"]
 protocol = p.value["proto"]
- cidr_blocks = length(p.value["cidr"]) == 0 ? local.ingress_networks : p.value["cidr"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
 }
 }
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
 egress {
- description = "${local.description}: All"
+ description = "${local.short_description}: All"
 from_port = 0
 to_port = 0
 protocol = -1
 cidr_blocks = local.egress_networks
 }
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
 tags = merge(
 map("Name", "sg-${local.name}"),
 var.tags,
- map("boc:tf_module_version", var._module_version),
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
 )
 }
diff --git a/rds-postgres/ports.tf b/rds-postgres/ports.tf
index 75527b3..a8d2a8e 100644
--- a/rds-postgres/ports.tf
+++ b/rds-postgres/ports.tf
@@ -1,11 +1,33 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
 locals {
- description = "module: PostGres common ports"
- name = var.name
+ description = "module: PostgreSQL common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external"]
+
+ name = var.name
 ports = [
- [5482, 5482, "tcp", "postgres-db", []],
+ [5482, 5482, "tcp", "postgres-db", local.n_all, ["external"]],
 ]
- ingress_networks = var.networks
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
 egress_networks = var.egress_networks
- ports_fields = ["from", "to", "proto", "description", "cidr"]
- ports_map = [for p in local.ports : zipmap(local.ports_fields, p)]
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups : s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
 }
diff --git a/rds-postgres/variables.tf b/rds-postgres/variables.tf
index 3240eb8..a28c2af 100644
--- a/rds-postgres/variables.tf
+++ b/rds-postgres/variables.tf
@@ -10,13 +10,13 @@ variable "name" {
 variable "description" {
 description = "Security Group Description"
 type = string
- default = "RDS Postgres Security Group"
+ default = "RDS PostgreSQL Security Group"
 }
 variable "short_description" {
 description = "Security Group Short Description"
 type = string
- default = "Postgres"
+ default = "PostgreSQL"
 }
 variable "enable_self" {
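Review bot: The new egress security-group block uses the iterator object itself as a map key and as a list element (`local.egress_sg_names[sg]`, `security_groups = [sg]`), whereas the parallel ingress block correctly uses `sg.value`; as written the lookup and the `security_groups` list receive an object where a string is expected, so these two lines should read `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. The `tags` merge also gains another `map(...)` entry while the block keeps `list(...)`; both functions were deprecated in Terraform 0.12 and removed in 0.15, so with the stated `>= 0.12` requirement an object literal such as `{ "boc:created_by" = "terraform" }` would be the forward-compatible form when these lines are next touched.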
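Review bot: The single port entry now sets its cidr field to `local.n_all`, so the `length(p.value["cidr"]) == 0` fallback in main.tf never applies to it and `var.ingress_networks`, `var.use_vpc_cidr` and the new `n_census` list have no effect on the 5482 rule, which is always open to `0.0.0.0/0`; the README in this same commit still documents `ingress_networks` and `use_vpc_cidr` as working inputs. If world-open is the intent, the variable descriptions should state that this module ignores those inputs; if not, the entry should be `[5482, 5482, "tcp", "postgres-db", [], ["external"]],` so the caller-supplied networks apply. The second `# these are ignored` comment is misleading, because `local.ingress_sg` and `local.egress_sg` are iterated by the dynamic blocks in main.tf; `# consumed by the dynamic ingress/egress blocks in main.tf` would describe them accurately. Separately, 5482 may be a transposition of PostgreSQL's default port 5432 — worth confirming before the entry is carried into the new six-field layout.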
@@ -39,10 +39,6 @@ variable "vpc_id" {
 type = string
 }
-data "aws_vpc" "selected" {
- id = "${var.vpc_id}"
-}
-
 variable "vpc_full_name" {
 description = "VPC Name"
 type = string
diff --git a/rds-postgres/version.tf b/rds-postgres/version.tf
index 84fd21a..fa2705b 100644
--- a/rds-postgres/version.tf
+++ b/rds-postgres/version.tf
@@ -1,5 +1,3 @@
-variable "_module_version" {
- description = "Module version number"
- type = string
- default = "1.0"
+locals {
+ _module_version = "1.0.0"
 }