From f9ca54ba0913b43056e6c85817df67a26753cf2b Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 3 Jun 2020 17:41:25 -0400 Subject: [PATCH 01/12] Setup sg it linux base (#2) * initial * add smtp port 25 * add tf_module_version * fix cidr range * fix comments --- it-linux-base/.x/main.tf | 59 +++++++++++++++++++++ it-linux-base/.x/output.tf | 9 ++++ it-linux-base/.x/variables.tf | 19 +++++++ it-linux-base/.x/version.tf | 5 ++ it-linux-base/.x/versions.tf | 4 ++ it-linux-base/CHANGELOG.md | 3 ++ it-linux-base/main.tf | 98 +++++++++++++++++++++++++++++++++++ it-linux-base/output.tf | 9 ++++ it-linux-base/ports.tf | 51 ++++++++++++++++++ it-linux-base/variables.tf | 83 +++++++++++++++++++++++++++++ it-linux-base/version.tf | 5 ++ it-linux-base/versions.tf | 4 ++ 12 files changed, 349 insertions(+) create mode 100644 it-linux-base/.x/main.tf create mode 100644 it-linux-base/.x/output.tf create mode 100644 it-linux-base/.x/variables.tf create mode 100644 it-linux-base/.x/version.tf create mode 100644 it-linux-base/.x/versions.tf create mode 100644 it-linux-base/CHANGELOG.md create mode 100644 it-linux-base/main.tf create mode 100644 it-linux-base/output.tf create mode 100644 it-linux-base/ports.tf create mode 100644 it-linux-base/variables.tf create mode 100644 it-linux-base/version.tf create mode 100644 it-linux-base/versions.tf diff --git a/it-linux-base/.x/main.tf b/it-linux-base/.x/main.tf new file mode 100644 index 0000000..fd805bc --- /dev/null +++ b/it-linux-base/.x/main.tf 
@@ -0,0 +1,59 @@ +/** +* # About +* +* This describes how to use the aws-common-security-groups submodule for it-linux-base +* +* # Usage +* +* ```code +* module "it-linux-base" { +* source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-common-security-groups.git//it-linux-base" +* +* # name = "m-it-linux-base" +* vpc_id = var.vpc_id +* # Name, CostAllocation, and Environment are pre-set +* # tags = { } +* } +* ``` +*/ + +locals { + description = "Linux Common Base Ports" + short_description = "Linux" + name = var.name + ports = [ + [ 1433, 1433, "tcp" ], + [ 5023, 5023, "tcp" ] + ] +} + +resource "aws_security_group" "this_security_group" { + name = local.name + description = local.description + vpc_id = var.vpc_id + + dynamic "ingress" { + for_each = local.ports + iterator = p + content { + description = local.description + from_port = p.value[0] + to_port = p.value[1] + protocol = p.value[2] + cidr_blocks = [ "0.0.0.0/0" ] + } + } + + egress { + description = "ALL ${local.description}" + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = [ "0.0.0.0/0" ] + } + + tags = merge( + map("Name", local.name), + var.tags, + ) +} diff --git a/it-linux-base/.x/output.tf b/it-linux-base/.x/output.tf new file mode 100644 index 0000000..f9c3840 --- /dev/null +++ b/it-linux-base/.x/output.tf @@ -0,0 +1,9 @@ +output "this_security_group_id" { + description = "Created security group ID" + value = aws_security_group.this_security_group.id +} + +output "this_security_group_arn" { + description = "Created security group ARN" + value = aws_security_group.this_security_group.arn +} diff --git a/it-linux-base/.x/variables.tf b/it-linux-base/.x/variables.tf new file mode 100644 index 0000000..f0d6a0e --- /dev/null +++ b/it-linux-base/.x/variables.tf 
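Review bot: Every ingress rule in `.x/main.tf` is built with `cidr_blocks = [ "0.0.0.0/0" ]`, so 1433/tcp and 5023/tcp are opened to the world, and the sibling `.x/variables.tf` (default `name = "m-rds-mssql"`) and `.x/version.tf` (`default = "1.4"`) hunks indicate the whole `.x/` directory is a stale copy of the rds-mssql module rather than part of it-linux-base. Terraform does not load subdirectories of a module, so this is dead configuration today, but a world-open SQL Server rule set sitting beside the live module is easy to apply by mistake and confuses anyone auditing the repo. Drop the directory from this commit, or if it must stay, give it a README line stating it is an unused copy and replace the hard-coded CIDR with a variable-driven list as the real main.tf does. The `locals.description = "Linux Common Base Ports"` paired with MSSQL ports is a further sign the file was never adapted.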
@@ -0,0 +1,19 @@ +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +variable "name" { + description = "Security group Name" + type = string + default = "m-rds-mssql" +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = { + "CostAllocation" = "csvd:infrastructure" + "Environment" = "csvd-infrastructure" + } +} diff --git a/it-linux-base/.x/version.tf b/it-linux-base/.x/version.tf new file mode 100644 index 0000000..82a588a --- /dev/null +++ b/it-linux-base/.x/version.tf @@ -0,0 +1,5 @@ +variable "_module_version" { + description = "Module version number" + type = string + default = "1.4" +} diff --git a/it-linux-base/.x/versions.tf b/it-linux-base/.x/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/it-linux-base/.x/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/it-linux-base/CHANGELOG.md b/it-linux-base/CHANGELOG.md new file mode 100644 index 0000000..e8a2db0 --- /dev/null +++ b/it-linux-base/CHANGELOG.md @@ -0,0 +1,3 @@ +# v1.0 -- 20200603 + +* create from running security group for use throughout diff --git a/it-linux-base/main.tf b/it-linux-base/main.tf new file mode 100644 index 0000000..cadecc8 --- /dev/null +++ b/it-linux-base/main.tf 
@@ -0,0 +1,98 @@ +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} + +locals { + vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] + external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) + ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) + egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) + self = var.enable_self ? [1] : [] + short_description = var.short_description == "" ? var.description : var.short_description +} + +resource "aws_security_group" "this_security_group" { + name = local.name + description = var.description + vpc_id = var.vpc_id + # vpc_id = "${data.aws_vpc.selected.id}" + + # ingresss external port list (list + vpc if enabaled) + dynamic "ingress" { + for_each = local.port_map["external"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? 
local.external_ingress_networks : p.value["cidr"] + } + } + + # ingress security group ids (all) + dynamic "ingress" { + for_each = local.ingress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg.value] + } + } + + # ingress self (list with one or zero items) + dynamic "ingress" { + for_each = local.self + iterator = sg + content { + description = "${local.short_description}: from self" + from_port = 0 + to_port = 0 + protocol = -1 + self = true + } + } + + # egress all + egress { + description = "${local.short_description}: All" + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = local.egress_networks + } + + # egress security group ids (all) + dynamic "egress" { + for_each = local.egress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.egress_sg_names[sg]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg] + } + } + + tags = merge( + var.tags, + map("boc:tf_module_version", var._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), + map("Name", "sg-${local.name}"), + ) +} diff --git a/it-linux-base/output.tf b/it-linux-base/output.tf new file mode 100644 index 0000000..fbdd35a --- /dev/null +++ b/it-linux-base/output.tf @@ -0,0 +1,9 @@ +output "this_security_group_id" { + description = "Created security group ID" + value = aws_security_group.this_security_group.id +} + +output "this_security_group_arn" { + description = "Created security group ARN" + value = aws_security_group.this_security_group.arn +} diff --git a/it-linux-base/ports.tf b/it-linux-base/ports.tf new file mode 100644 index 0000000..995332d --- /dev/null +++ b/it-linux-base/ports.tf 
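Review bot: The `egress` dynamic block indexes with the iterator object instead of its value: `local.egress_sg_names[sg]` and `security_groups = [sg]`, whereas the matching `ingress` block correctly uses `sg.value`. With a non-empty `egress_security_groups` this should fail at plan time, because `sg` is the iterator object rather than the group id; the lines should read `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. Separately, the commented-out `# vpc_id = "${data.aws_vpc.selected.id}"` is the only mention of the `aws_vpc.selected` data source declared in variables.tf, so either the comment or that data source should go. Note also that `local.external_ingress_networks` is consulted only when a port row has an empty `cidr`, and no row in ports.tf does, so `ingress_networks` and `use_vpc_cidr` currently change nothing in the created rules; either document that or add a row (or a per-row sentinel) that actually uses the fallback.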
@@ -0,0 +1,51 @@ +# ports = list of list of +# from_port +# to_port +# proto +# description +# cidr_block +# list of: all, external (more added as needed) + +locals { + n_all = ["0.0.0.0/0"] + n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] + n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"] + source_groups = ["all", "external"] + name = var.name + ports = [ + [ -1, -1, "icmp", "ICMP", local.n_all, ["external"] ], + [ 22, 22, "tcp", "SSH", local.n_census, ["external"] ], + [ 25, 25, "tcp", "SMTP", local.n_all, ["external"] ], + [ 123, 123, "udp", "NTP", local.n_all, ["external"] ], + [ 161, 161, "udp", "SNMP", local.n_all, ["external"] ], + [ 443, 443, "tcp", "https", local.n_all, ["external"] ], + [ 4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"] ], + [ 5001, 5003, "tcp", "iperf", local.n_all, ["external"] ], + [ 5001, 5003, "udp", "iperf", local.n_all, ["external"] ], + + [ 1556, 1556, "tcp", "Netbackup", local.n_all, ["external"] ], + [ 13724, 13724, "tcp", "Netbackup", local.n_all, ["external"] ], + [ 13782, 13782, "tcp", "Netbackup", local.n_all, ["external"] ], + + [ 1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23" ], ["external"]], + + [ 1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"] ], + [ 9080, 9080, "tcp", "", [local.n_census[2] ], ["external"]], + [ 10082, 10082, "tcp", "", local.n_all, ["external"] ], + [ 10102, 10102, "tcp", "", local.n_all, ["external"] ], + ] + + # these are ignored + ingress_networks = var.ingress_networks + egress_networks = var.egress_networks + + # these are ignored + ingress_sg = var.ingress_security_groups + egress_sg = var.egress_security_groups + + p_fields = ["from", "to", "proto", "description", "cidr", "source_group"] + p_map = [for p in local.ports : zipmap(local.p_fields, p)] + port_map = { for s in local.source_groups : + s => [for p in local.p_map : p if contains(p["source_group"], s)] + } +} 
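Review bot: The two `# these are ignored` comments are wrong: `local.ingress_networks`, `local.egress_networks`, `local.ingress_sg` and `local.egress_sg` are all consumed by main.tf (the external-port fallback, the all-ports egress `cidr_blocks`, and both security-group dynamic blocks), so a maintainer trusting the comment could change those variables expecting no effect; replace both with `# passed through to main.tf`. `[local.n_census[2] ]` on the 9080 row selects `172.16.0.0/12` by position, which silently changes meaning if `n_census` is ever reordered; give it a named local such as `n_census_172 = ["172.16.0.0/12"]`. The 9080, 10082 and 10102 rows carry an empty description, which produces a rule description of just `Linux: ` in main.tf. From a defender's view, 161/udp (SNMP) and 25/tcp (SMTP) are granted to `n_all` while SSH and Munin are scoped to `n_census`/`n_mgmt`; unless world-reachable SNMP is intentional, `n_mgmt` is the more defensible scope for it, and the choice deserves a comment on the row.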
diff --git a/it-linux-base/variables.tf b/it-linux-base/variables.tf new file mode 100644 index 0000000..8235220 --- /dev/null +++ b/it-linux-base/variables.tf @@ -0,0 +1,83 @@ +#--- +# change between different modules as needed +#--- +variable "name" { + description = "Security Group Name" + type = string + default = "it-linux-base" +} + +variable "description" { + description = "Security Group Description" + type = string + default = "Linux Common Base Security Group" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + default = "Linux" +} + +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +#--- +# others with defaults +#--- +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +data "aws_vpc" "selected" { + id = "${var.vpc_id}" +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + +variable "ingress_networks" { + description = "List of ingress networks for external access (not all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "egress_networks" { + description = "List of egress networks (all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = { + "CostAllocation" = "csvd:infrastructure" + "Environment" = "csvd-infrastructure" + } +} diff --git a/it-linux-base/version.tf b/it-linux-base/version.tf new file mode 100644 index 0000000..84fd21a 
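Review bot: `data "aws_vpc" "selected"` is declared in the middle of variables.tf and nothing in the module uses it — main.tf reads `data.aws_vpc.this_vpc` and mentions `selected` only in a commented-out line — yet it performs a VPC lookup on every plan and misleads anyone expecting this file to hold only variable declarations. Remove it (together with the stale comment in main.tf) or move it to main.tf if a use is intended; its `id = "${var.vpc_id}"` is also the 0.11 interpolation-only form that 0.12 warns about, and should be `id = var.vpc_id`. `tags` is typed with the bare `map` constraint, which accepts any element type; `type = map(string)` matches what `merge()` and the provider expect. The `ingress_networks` description says "for external access (not all ports)", but with the current ports.tf it governs no port at all, so the description should state which rows (those with an empty `cidr`) it applies to.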
--- /dev/null +++ b/it-linux-base/version.tf @@ -0,0 +1,5 @@ +variable "_module_version" { + description = "Module version number" + type = string + default = "1.0" +} diff --git a/it-linux-base/versions.tf b/it-linux-base/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/it-linux-base/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} From e92d80cb6554bb62dd3ca87807f76130f58bc26f Mon Sep 17 00:00:00 2001 From: Don Badrak Date: Thu, 4 Jun 2020 08:22:32 -0400 Subject: [PATCH 02/12] add version.tf, include version in tags, update comments --- it-linux-base/main.tf | 2 +- it-linux-base/ports.tf | 4 ++-- it-linux-base/version.tf | 2 +- ois-scanner/main.tf | 6 +++--- rds-mssql/CHANGELOG.md | 4 ++++ rds-mssql/main.tf | 2 ++ rds-mssql/version.tf | 2 +- rds-oracle/main.tf | 5 +++-- 8 files changed, 17 insertions(+), 10 deletions(-) diff --git a/it-linux-base/main.tf b/it-linux-base/main.tf index cadecc8..d09b4b8 100644 --- a/it-linux-base/main.tf +++ b/it-linux-base/main.tf @@ -90,9 +90,9 @@ resource "aws_security_group" "this_security_group" { } tags = merge( + map("Name", "sg-${local.name}"), var.tags, map("boc:tf_module_version", var._module_version), map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), - map("Name", "sg-${local.name}"), ) } diff --git a/it-linux-base/ports.tf b/it-linux-base/ports.tf index 995332d..5d6c81d 100644 --- a/it-linux-base/ports.tf +++ b/it-linux-base/ports.tf @@ -31,8 +31,8 @@ locals { [ 1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"] ], [ 9080, 9080, "tcp", "", [local.n_census[2] ], ["external"]], - [ 10082, 10082, "tcp", "", local.n_all, ["external"] ], - [ 10102, 10102, "tcp", "", local.n_all, ["external"] ], + [ 10082, 10082, "tcp", "Netbackup-spoold", local.n_all, ["external"] ], + [ 10102, 10102, "tcp", "Netbackup-spad", local.n_all, ["external"] ], ] # these are ignored 
diff --git a/it-linux-base/version.tf b/it-linux-base/version.tf index 84fd21a..3c275e9 100644 --- a/it-linux-base/version.tf +++ b/it-linux-base/version.tf @@ -1,5 +1,5 @@ variable "_module_version" { description = "Module version number" type = string - default = "1.0" + default = "1.0.1" } diff --git a/ois-scanner/main.tf b/ois-scanner/main.tf index 99bfc3a..52042ba 100644 --- a/ois-scanner/main.tf +++ b/ois-scanner/main.tf @@ -55,10 +55,10 @@ resource "aws_security_group" "this_security_group" { } tags = merge( - { - "Name" = "sg-${var.name}" - }, + map("Name", "sg-${var.name}"), var.tags, + map("boc:tf_module_version", var._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), ) } diff --git a/rds-mssql/CHANGELOG.md b/rds-mssql/CHANGELOG.md index 3714839..a43aed8 100644 --- a/rds-mssql/CHANGELOG.md +++ b/rds-mssql/CHANGELOG.md @@ -2,3 +2,7 @@ * add version.tf * add port 5023 to rds-mssql + +# v1.5 -- 20200604 + +* update tags to include module version diff --git a/rds-mssql/main.tf b/rds-mssql/main.tf index 0cf630c..77c9805 100644 --- a/rds-mssql/main.tf +++ b/rds-mssql/main.tf @@ -54,5 +54,7 @@ resource "aws_security_group" "this_security_group" { tags = merge( map("Name", local.name), var.tags, + map("boc:tf_module_version", var._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), ) } diff --git a/rds-mssql/version.tf b/rds-mssql/version.tf index 82a588a..4284311 100644 --- a/rds-mssql/version.tf +++ b/rds-mssql/version.tf @@ -1,5 +1,5 @@ variable "_module_version" { description = "Module version number" type = string - default = "1.4" + default = "1.5" } diff --git a/rds-oracle/main.tf b/rds-oracle/main.tf index e2ae845..dd3e339 100644 --- a/rds-oracle/main.tf +++ b/rds-oracle/main.tf 
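Review bot: The ois-scanner tag block now references `var._module_version`, but `ois-scanner/version.tf` declaring that variable is only introduced in PATCH 03 (`44d5c2c`), so at this commit the module does not validate; the rds-oracle hunk that follows has the same problem, its version.tf also arriving in PATCH 03. Move those two version.tf additions into this commit so each commit stands on its own. I cannot see whether ois-scanner declares `vpc_full_name`; if it does not, the new `map("boc:vpc:info", …)` line fails the same way. The rds-mssql hunk is fine on this point, since its version.tf is updated in this same patch.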
@@ -44,8 +44,9 @@ resource "aws_security_group" "this_security_group" { } tags = merge( - var.tags, - map("VPC", var.vpc_full_name), map("Name", "sg-${local.name}"), + var.tags, + map("boc:tf_module_version", var._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), ) } From 44d5c2c916ee843abcf6317688f50361c2fc82a7 Mon Sep 17 00:00:00 2001 From: Don Badrak Date: Thu, 4 Jun 2020 15:43:20 -0400 Subject: [PATCH 03/12] add CHANGELOG.md, version.tf --- ois-scanner/CHANGELOG.md | 3 +++ ois-scanner/version.tf | 5 +++++ rds-oracle/CHANGELOG.md | 3 +++ rds-oracle/version.tf | 5 +++++ 4 files changed, 16 insertions(+) create mode 100644 ois-scanner/CHANGELOG.md create mode 100644 ois-scanner/version.tf create mode 100644 rds-oracle/CHANGELOG.md create mode 100644 rds-oracle/version.tf diff --git a/ois-scanner/CHANGELOG.md b/ois-scanner/CHANGELOG.md new file mode 100644 index 0000000..250eb5c --- /dev/null +++ b/ois-scanner/CHANGELOG.md @@ -0,0 +1,3 @@ +# v1.16 -- 20200604 + +* add version number, update tags diff --git a/ois-scanner/version.tf b/ois-scanner/version.tf new file mode 100644 index 0000000..bb082f5 --- /dev/null +++ b/ois-scanner/version.tf @@ -0,0 +1,5 @@ +variable "_module_version" { + description = "Module version number" + type = string + default = "1.16" +} diff --git a/rds-oracle/CHANGELOG.md b/rds-oracle/CHANGELOG.md new file mode 100644 index 0000000..239a373 --- /dev/null +++ b/rds-oracle/CHANGELOG.md @@ -0,0 +1,3 @@ +# v1.3 -- 20200604 + +* add module version, update tags diff --git a/rds-oracle/version.tf b/rds-oracle/version.tf new file mode 100644 index 0000000..38fadfd --- /dev/null +++ b/rds-oracle/version.tf @@ -0,0 +1,5 @@ +variable "_module_version" { + description = "Module version number" + type = string + default = "1.3" +} From 95d46b173e2b3f42a02d57bff6c9866a3af099fa Mon Sep 17 00:00:00 2001 
From: Don Badrak Date: Mon, 29 Jun 2020 12:11:55 -0400 Subject: [PATCH 04/12] add docs now that terraform-docs works with 0.12 --- it-linux-base/README.md | 190 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 190 insertions(+) create mode 100644 it-linux-base/README.md diff --git a/it-linux-base/README.md b/it-linux-base/README.md new file mode 100644 index 0000000..40f1574 --- /dev/null +++ b/it-linux-base/README.md 
@@ -0,0 +1,190 @@ +## Requirements + +The following requirements are needed by this module: + +- terraform (>= 0.12) + +## Providers + +The following providers are used by this module: + +- aws + +## Required Inputs + +The following input variables are required: + +### vpc\_id + +Description: VPC ID Number + +Type: `string` + +## Optional Inputs + +The following input variables are optional (have default values): + +### \_module\_version + +Description: Module version number + +Type: `string` + +Default: `"1.0.1"` + +### description + +Description: Security Group Description + +Type: `string` + +Default: `"Linux Common Base Security Group"` + +### egress\_networks + +Description: List of egress networks (all ports) + +Type: `list(string)` + +Default: + +```json +[ + "0.0.0.0/0" +] +``` + +### egress\_security\_groups + +Description: List of egress security groups (all ports) + +Type: `list(string)` + +Default: `[]` + +### enable\_self + +Description: Enable\|Disable self full access + +Type: `bool` + +Default: `false` + +### ingress\_networks + +Description: List of ingress networks for external access (not all ports) + +Type: `list(string)` + +Default: + +```json +[ + "0.0.0.0/0" +] +``` + +### ingress\_security\_groups + +Description: List of ingress security groups for all ports + +Type: `list(string)` + +Default: `[]` + +### name + +Description: Security Group Name + +Type: `string` + +Default: `"it-linux-base"` + +### short\_description + +Description: Security Group Short Description + +Type: `string` + +Default: `"Linux"` + +### tags + +Description: Extra security group tags + +Type: `map` + +Default: + +```json +{ + "CostAllocation": "csvd:infrastructure", + "Environment": "csvd-infrastructure" +} +``` + +### use\_vpc\_cidr + +Description: Enable\|Disable use of VPC CIDR block in the ingress\_networks + +Type: `bool` + +Default: `false` + +### vpc\_full\_name + +Description: VPC Name + +Type: `string` + +Default: `""` + +## Outputs + +The following outputs 
are exported: + +### this\_security\_group\_arn + +Description: Created security group ARN + +### this\_security\_group\_id + +Description: Created security group ID + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"1.0.1"` | no | +| description | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | +| egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| enable\_self | Enable\|Disable self full access | `bool` | `false` | no | +| ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| name | Security Group Name | `string` | `"it-linux-base"` | no | +| short\_description | Security Group Short Description | `string` | `"Linux"` | no | +| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| vpc\_full\_name | VPC Name | `string` | `""` | no | +| vpc\_id | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| this\_security\_group\_arn | Created security group ARN | +| this\_security\_group\_id | Created security group ID | + From 904b4c5de1b3b50804410abf540d4ab4aff6f579 Mon Sep 17 00:00:00 2001 From: Don Badrak Date: Mon, 29 Jun 2020 12:22:15 -0400 Subject: [PATCH 05/12] add usage, update document --- it-linux-base/README.md | 57 +++++++++++++++-------------------------- it-linux-base/main.tf | 22 ++++++++++++++++ 2 files changed, 42 insertions(+), 37 deletions(-) diff --git a/it-linux-base/README.md b/it-linux-base/README.md index 40f1574..dca6bee 100644 --- a/it-linux-base/README.md +++ b/it-linux-base/README.md @@ -1,3 +1,23 @@ +# About it-linux-base + +This describes how to use the aws-common-security-groups submodule for it-linux-base. + +Commonly used ports and services are set up here, including ICMP, SSH, NTP, DNS, SNMP, +monit, munin, iperf, netperf, NetBackup and Opsware. + +## Usage + +```hcl +module "it-linux-base" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base" + + # name = "m-it-linux-base" + vpc_id = var.vpc_id + # Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + ## Requirements The following requirements are needed by this module: 
@@ -151,40 +171,3 @@ Description: Created security group ARN Description: Created security group ID -## Requirements - -| Name | Version | -|------|---------| -| terraform | >= 0.12 | - -## Providers - -| Name | Version | -|------|---------| -| aws | n/a | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"1.0.1"` | no | -| description | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | -| egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | -| egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | -| enable\_self | Enable\|Disable self full access | `bool` | `false` | no | -| ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | -| ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| name | Security Group Name | `string` | `"it-linux-base"` | no | -| short\_description | Security Group Short Description | `string` | `"Linux"` | no | -| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | -| use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | -| vpc\_full\_name | VPC Name | `string` | `""` | no | -| vpc\_id | VPC ID Number | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| this\_security\_group\_arn | Created security group ARN | -| this\_security\_group\_id | Created security group ID | - diff --git a/it-linux-base/main.tf b/it-linux-base/main.tf index d09b4b8..81bfdc0 100644 --- a/it-linux-base/main.tf +++ b/it-linux-base/main.tf @@ -1,3 +1,25 @@ +/** +* # About it-linux-base +* +* This describes how to use the aws-common-security-groups submodule for it-linux-base. +* +* Commonly used ports and services are set up here, including ICMP, SSH, NTP, DNS, SNMP, +* monit, munin, iperf, netperf, NetBackup and Opsware. +* +* ## Usage +* +* ```hcl +* module "it-linux-base" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base" +* +* # name = "m-it-linux-base" +* vpc_id = var.vpc_id +* # Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +*/ + data "aws_vpc" "this_vpc" { count = var.use_vpc_cidr ? 1 : 0 id = var.vpc_id From 0e6cdea8eec695452ecd864b211ebb4ca78f6a44 Mon Sep 17 00:00:00 2001 From: Don Badrak Date: Mon, 29 Jun 2020 12:23:50 -0400 Subject: [PATCH 06/12] change to table --- it-linux-base/README.md | 172 +++++++--------------------------------- 1 file changed, 28 insertions(+), 144 deletions(-) diff --git a/it-linux-base/README.md b/it-linux-base/README.md index dca6bee..21fcf25 100644 --- a/it-linux-base/README.md +++ b/it-linux-base/README.md 
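Review bot: The new header comment says the group covers "ICMP, SSH, NTP, DNS, SNMP, monit, munin, iperf, netperf, NetBackup and Opsware", but the ports.tf rows in this series contain no DNS, monit or netperf entries, while SMTP, HTTPS, Oracle-OEM and the Netbackup spoold/spad ports are present and unlisted; since this block appears to be what terraform-docs renders into the README (the README hunk above carries the same sentence), it should be derived from the actual rows. Suggest `* Commonly used ports and services are set up here, including ICMP, SSH, SMTP, NTP, SNMP, HTTPS, munin, iperf, NetBackup, Oracle OEM and Opsware.`. Also `overriden` should read `overridden`, and it is worth saying in the same comment that most of these rules default to `0.0.0.0/0` so a caller knows to review the CIDRs before use.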
@@ -20,154 +20,38 @@ module "it-linux-base" { ## Requirements -The following requirements are needed by this module: - -- terraform (>= 0.12) +| Name | Version | +|------|---------| +| terraform | >= 0.12 | ## Providers -The following providers are used by this module: - -- aws - -## Required Inputs - -The following input variables are required: - -### vpc\_id - -Description: VPC ID Number - -Type: `string` - -## Optional Inputs - -The following input variables are optional (have default values): - -### \_module\_version - -Description: Module version number - -Type: `string` - -Default: `"1.0.1"` - -### description - -Description: Security Group Description - -Type: `string` - -Default: `"Linux Common Base Security Group"` - -### egress\_networks - -Description: List of egress networks (all ports) - -Type: `list(string)` - -Default: - -```json -[ - "0.0.0.0/0" -] -``` - -### egress\_security\_groups - -Description: List of egress security groups (all ports) - -Type: `list(string)` - -Default: `[]` - -### enable\_self - -Description: Enable\|Disable self full access - -Type: `bool` - -Default: `false` - -### ingress\_networks - -Description: List of ingress networks for external access (not all ports) - -Type: `list(string)` - -Default: - -```json -[ - "0.0.0.0/0" -] -``` - -### ingress\_security\_groups - -Description: List of ingress security groups for all ports - -Type: `list(string)` - -Default: `[]` - -### name - -Description: Security Group Name - -Type: `string` - -Default: `"it-linux-base"` - -### short\_description - -Description: Security Group Short Description - -Type: `string` - -Default: `"Linux"` - -### tags - -Description: Extra security group tags - -Type: `map` - -Default: - -```json -{ - "CostAllocation": "csvd:infrastructure", - "Environment": "csvd-infrastructure" -} -``` - -### use\_vpc\_cidr - -Description: Enable\|Disable use of VPC CIDR block in the ingress\_networks - -Type: `bool` - -Default: `false` - -### vpc\_full\_name - 
-Description: VPC Name - -Type: `string` - -Default: `""` +| Name | Version | +|------|---------| +| aws | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"1.0.1"` | no | +| description | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | +| egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| enable\_self | Enable\|Disable self full access | `bool` | `false` | no | +| ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| name | Security Group Name | `string` | `"it-linux-base"` | no | +| short\_description | Security Group Short Description | `string` | `"Linux"` | no | +| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| vpc\_full\_name | VPC Name | `string` | `""` | no | +| vpc\_id | VPC ID Number | `string` | n/a | yes | ## Outputs -The following outputs are exported: - -### this\_security\_group\_arn - -Description: Created security group ARN - -### this\_security\_group\_id - -Description: Created security group ID +| Name | Description | +|------|-------------| +| this\_security\_group\_arn | Created security group ARN | +| this\_security\_group\_id | Created security group ID | From 12238ddd19fbf7ae2fbe99b38c699f9b7dac4df7 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 31 Jul 2020 12:01:23 -0400 Subject: [PATCH 07/12] add it-windows-base --- it-windows-base/CHANGELOG.md | 3 + it-windows-base/README.md | 57 +++++++++++++++++ it-windows-base/main.tf | 120 +++++++++++++++++++++++++++++++++++ it-windows-base/output.tf | 9 +++ it-windows-base/ports.tf | 48 ++++++++++++++ it-windows-base/variables.tf | 83 ++++++++++++++++++++++++ it-windows-base/version.tf | 5 ++ it-windows-base/versions.tf | 4 ++ 8 files changed, 329 insertions(+) create mode 100644 it-windows-base/CHANGELOG.md create mode 100644 it-windows-base/README.md create mode 100644 it-windows-base/main.tf create mode 100644 it-windows-base/output.tf create mode 100644 it-windows-base/ports.tf create mode 100644 it-windows-base/variables.tf create mode 100644 it-windows-base/version.tf create mode 100644 it-windows-base/versions.tf diff --git a/it-windows-base/CHANGELOG.md b/it-windows-base/CHANGELOG.md new file mode 100644 index 0000000..c849699 --- /dev/null +++ b/it-windows-base/CHANGELOG.md @@ -0,0 +1,3 @@ +# v1.0 -- 20200731 + +* create from running security group it-windows-base for use throughout diff --git a/it-windows-base/README.md b/it-windows-base/README.md new file mode 100644 index 0000000..49228cc --- /dev/null +++ b/it-windows-base/README.md 
@@ -0,0 +1,57 @@ +# About it-windows-base + +This describes how to use the aws-common-security-groups submodule for it-windows-base. + +Commonly used ports and services are set up here, including ICMP, SSH, NTP, DNS, SNMP, +monit, munin, iperf, netperf, NetBackup and Opsware. + +## Usage + +```hcl +module "it-windows-base" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base" + + # name = "m-it-windows-base" + vpc_id = var.vpc_id + # Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"1.0.1"` | no | +| description | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | +| egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| enable\_self | Enable\|Disable self full access | `bool` | `false` | no | +| ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| name | Security Group Name | `string` | `"it-windows-base"` | no | +| short\_description | Security Group Short Description | `string` | `"Linux"` | no | +| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| vpc\_full\_name | VPC Name | `string` | `""` | no | +| vpc\_id | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| this\_security\_group\_arn | Created security group ARN | +| this\_security\_group\_id | Created security group ID | + diff --git a/it-windows-base/main.tf b/it-windows-base/main.tf new file mode 100644 index 0000000..c0a9b30 --- /dev/null +++ b/it-windows-base/main.tf 
@@ -0,0 +1,120 @@ +/** +* # About it-windows-base +* +* This describes how to use the aws-common-security-groups submodule for it-windows-base. +* +* Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP, +* monit, munin, iperf, netperf, NetBackup and Opsware. +* +* ## Usage +* +* ```hcl +* module "it-windows-base" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base" +* +* # name = "m-it-windows-base" +* vpc_id = var.vpc_id +* # Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +*/ + +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} + +locals { + vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] + external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) + ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) + egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) + self = var.enable_self ? [1] : [] + short_description = var.short_description == "" ? 
var.description : var.short_description +} + +resource "aws_security_group" "this_security_group" { + name = local.name + description = var.description + vpc_id = var.vpc_id + # vpc_id = "${data.aws_vpc.selected.id}" + + # ingresss external port list (list + vpc if enabaled) + dynamic "ingress" { + for_each = local.port_map["external"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"] + } + } + + # ingress security group ids (all) + dynamic "ingress" { + for_each = local.ingress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg.value] + } + } + + # ingress self (list with one or zero items) + dynamic "ingress" { + for_each = local.self + iterator = sg + content { + description = "${local.short_description}: from self" + from_port = 0 + to_port = 0 + protocol = -1 + self = true + } + } + + # egress all + egress { + description = "${local.short_description}: All" + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = local.egress_networks + } + + # egress security group ids (all) + dynamic "egress" { + for_each = local.egress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.egress_sg_names[sg]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg] + } + } + + tags = merge( + map("Name", "sg-${local.name}"), + var.tags, + map("boc:tf_module_version", var._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), + ) +} diff --git a/it-windows-base/output.tf b/it-windows-base/output.tf new file mode 100644 index 0000000..fbdd35a --- /dev/null +++ b/it-windows-base/output.tf 
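Review bot: The egress security-group block near the end of the hunk indexes with the iterator object instead of its value — `local.egress_sg_names[sg]` and `security_groups = [sg]` — while the sibling ingress block correctly uses `sg.value`; with a non-empty `egress_security_groups` this would be rejected at plan time, since a map cannot be indexed by the iterator object. Change the two lines to `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. Separately, the `cidr_blocks` line in the external ingress block falls back to `local.external_ingress_networks`, whose default per variables.tf is `0.0.0.0/0`, whenever a port row carries an empty `cidr` list, so a row added without a CIDR silently becomes reachable from anywhere; a comment on that line such as `# empty cidr on a port row means "use ingress_networks", which defaults to 0.0.0.0/0` would make the consequence visible to whoever edits ports.tf.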
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/it-windows-base/ports.tf b/it-windows-base/ports.tf
new file mode 100644
index 0000000..26eee9b
--- /dev/null
+++ b/it-windows-base/ports.tf
@@ -0,0 +1,48 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+## sg_id=sg-00fb5065 sg_name='it-windows-base' vpc_id=vpc-2ea5664b sg_description='Windows Common Base Security Group'
+## direction=ingress pft=udp,161,161 range=0.0.0.0/0
+## direction=ingress pft=tcp,1556,1556 range=10.193.0.0/22
+## direction=ingress pft=tcp,5986,5986 range=172.24.12.239/32
+## direction=ingress pft=tcp,3389,3389 range=148.129.0.0/16,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
+## direction=ingress pft=icmp,-1,-1 range=0.0.0.0/0
+## direction=egress pft=all range=0.0.0.0/0
+
+locals {
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
+ n_backup = ["10.193.0.0/22"]
+ n_ansible = ["172.24.12.239/32"]
+ source_groups = ["all", "external"]
+ name = var.name
+ ports = [
+ [ -1, -1, "icmp", "ICMP", local.n_all, ["external"] ],
+ [ 161, 161, "udp", "SNMP", local.n_all, ["external"] ],
+ [ 5201, 5203, "tcp", "iperf3", local.n_all, ["external"] ],
+ [ 5201, 5203, "udp", "iperf3", local.n_all, ["external"] ],
+ [ 1556, 1556, "tcp", "Netbackup", local.n_backup, ["external"] ],
+ [ 3389, 3389, "tcp", "RDP", local.n_census, ["external"] ],
+ [ 5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"] ],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
diff --git a/it-windows-base/variables.tf b/it-windows-base/variables.tf
new file mode 100644
index 0000000..0e4f382
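Review bot: `n_mgmt` is declared in the `locals` block but no row of `ports` references it, while the SNMP row (UDP 161) and both iperf3 rows are bound to `local.n_all` (`0.0.0.0/0`) under the `external` source group, so the group admits those ports from any source the VPC can be reached from. The recorded running group (the `##` lines) already had 161 open to 0.0.0.0/0, so this may be a deliberate carry-over, but SNMP is a management-plane service and would fit the unused `n_mgmt` list, e.g. `[ 161, 161, "udp", "SNMP", local.n_mgmt, ["external"] ],`; the iperf3 rows raise the same question and still bind to `n_all` after the port change in PATCH 12/12. The two `# these are ignored` comments are misleading: main.tf consumes all four of those locals (`local.external_ingress_networks` is built from `local.ingress_networks`, and `local.egress_networks`, `local.ingress_sg` and `local.egress_sg` drive the egress and security-group rules), so replace them with something like `# passed through from variables; consumed by the rules in main.tf`.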
--- /dev/null
+++ b/it-windows-base/variables.tf
@@ -0,0 +1,83 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "it-windows-base"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Windows Common Base Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Windows"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+data "aws_vpc" "selected" {
+ id = "${var.vpc_id}"
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/it-windows-base/version.tf b/it-windows-base/version.tf
new file mode 100644
index 0000000..84fd21a
--- /dev/null
+++ b/it-windows-base/version.tf
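Review bot: `data "aws_vpc" "selected"` is a data source declared in the middle of variables.tf, written with the legacy `"${var.vpc_id}"` interpolation, and it performs an unconditional VPC lookup that duplicates `data.aws_vpc.this_vpc` in main.tf (which is gated on `use_vpc_cidr`); the only reference to it in main.tf is a commented-out line. Unless something outside this series reads it, drop the three-line block, or move it to main.tf as `id = var.vpc_id`; the same block is copied into ois-scanner/variables.tf in PATCH 11/12 and the same applies there. The `tags` variable is declared as a bare `map` while the other collection inputs use `list(string)`; `type = map(string)` would match that convention and reject non-string tag values at plan time.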
@@ -0,0 +1,5 @@
+variable "_module_version" {
+ description = "Module version number"
+ type = string
+ default = "1.0"
+}
diff --git a/it-windows-base/versions.tf b/it-windows-base/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/it-windows-base/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
From 707aadffc772b79162d9e5fce2a95bfa9ccae0a2 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 31 Jul 2020 12:02:21 -0400 Subject: [PATCH 08/12] add pre-commit --- .pre-commit-config.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..19b5625
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,17 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.31.0
+ hooks:
+# - id: terraform_validate
+ - id: terraform_fmt
+ - id: terraform_docs_replace
+ args: ['table']
+ exclude: common/.*
+ exclude: version.tf
+
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.1.0
+ hooks:
+ - id: check-symlinks
+ - id: detect-aws-credentials
+ - id: detect-private-key
From e110bdf21653d2d190486736641ba3deb3ca11c4 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 31 Jul 2020 12:06:18 -0400 Subject: [PATCH 09/12] add comments --- it-windows-base/README.md | 9 ++++----- it-windows-base/ports.tf | 20 +++++++++++--------- 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/it-windows-base/README.md b/it-windows-base/README.md
index 49228cc..efdb9d6 100644
--- a/it-windows-base/README.md
+++ b/it-windows-base/README.md
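Review bot: The `terraform_docs_replace` hook in .pre-commit-config.yaml carries two `exclude:` keys (`exclude: common/.*` and `exclude: version.tf`); duplicate keys in one YAML mapping are not merged, and the usual loaders keep only the last one, so the `common/.*` exclusion is silently lost. Pre-commit's `exclude` is a single regex, so fold both into one: `exclude: '(^common/.*|version\.tf$)'`. `terraform_validate` is left commented out without explanation; a short comment on why it is disabled would keep the next maintainer from re-enabling it blind. Enabling `detect-private-key` and `detect-aws-credentials` on a repository that defines security groups is the right call.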
@@ -2,7 +2,7 @@ This describes how to use the aws-common-security-groups submodule for it-windows-base. -Commonly used ports and services are set up here, including ICMP, SSH, NTP, DNS, SNMP, +Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP, monit, munin, iperf, netperf, NetBackup and Opsware. ## Usage @@ -34,15 +34,15 @@ module "it-windows-base" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"1.0.1"` | no | -| description | Security Group Description | `string` | `"Linux Common Base Security Group"` | no | +| \_module\_version | Module version number | `string` | `"1.0"` | no | +| description | Security Group Description | `string` | `"Windows Common Base Security Group"` | no | | egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | | enable\_self | Enable\|Disable self full access | `bool` | `false` | no | | ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | | name | Security Group Name | `string` | `"it-windows-base"` | no | -| short\_description | Security Group Short Description | `string` | `"Linux"` | no | +| short\_description | Security Group Short Description | `string` | `"Windows"` | no | | tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | | use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | vpc\_full\_name | VPC Name | `string` | `""` | no | @@ -54,4 +54,3 @@ module "it-windows-base" { |------|-------------| | this\_security\_group\_arn | Created security group ARN | | this\_security\_group\_id | Created security group ID | - diff --git a/it-windows-base/ports.tf b/it-windows-base/ports.tf index 26eee9b..c1340b0 100644 --- a/it-windows-base/ports.tf +++ b/it-windows-base/ports.tf @@ -6,6 +6,7 @@ # cidr_block # list of: all, external (more added as needed) +## % python modify-security-groups.py list sg-00fb5065 ## sg_id=sg-00fb5065 sg_name='it-windows-base' vpc_id=vpc-2ea5664b sg_description='Windows Common Base Security Group' ## direction=ingress pft=udp,161,161 range=0.0.0.0/0 ## direction=ingress pft=tcp,1556,1556 range=10.193.0.0/22 @@ -14,6 +15,7 @@ ## direction=ingress pft=icmp,-1,-1 range=0.0.0.0/0 ## direction=egress pft=all range=0.0.0.0/0 +## this adds iperf3 locals { n_all = ["0.0.0.0/0"] n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] 
@@ -22,17 +24,17 @@ locals { n_ansible = ["172.24.12.239/32"] source_groups = ["all", "external"] name = var.name - ports = [ - [ -1, -1, "icmp", "ICMP", local.n_all, ["external"] ], - [ 161, 161, "udp", "SNMP", local.n_all, ["external"] ], - [ 5201, 5203, "tcp", "iperf3", local.n_all, ["external"] ], - [ 5201, 5203, "udp", "iperf3", local.n_all, ["external"] ], - [ 1556, 1556, "tcp", "Netbackup", local.n_backup, ["external"] ], - [ 3389, 3389, "tcp", "RDP", local.n_census, ["external"] ], - [ 5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"] ], + ports = [ + [-1, -1, "icmp", "ICMP", local.n_all, ["external"]], + [161, 161, "udp", "SNMP", local.n_all, ["external"]], + [5201, 5203, "tcp", "iperf3", local.n_all, ["external"]], + [5201, 5203, "udp", "iperf3", local.n_all, ["external"]], + [1556, 1556, "tcp", "Netbackup", local.n_backup, ["external"]], + [3389, 3389, "tcp", "RDP", local.n_census, ["external"]], + [5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"]], ] - # these are ignored + # these are ignored ingress_networks = var.ingress_networks egress_networks = var.egress_networks From e9da12624db27bf9d62a57cef772ec1396fae9fe Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 31 Jul 2020 12:10:00 -0400 Subject: [PATCH 10/12] update comments --- it-windows-base/README.md | 2 +- it-windows-base/main.tf | 2 +- ois-scanner/README.md | 59 +++++++++++++++------------------------ ois-scanner/versions.tf | 1 - 4 files changed, 24 insertions(+), 40 deletions(-) diff --git a/it-windows-base/README.md b/it-windows-base/README.md index efdb9d6..c315a44 100644 --- a/it-windows-base/README.md +++ b/it-windows-base/README.md 
@@ -11,7 +11,7 @@ monit, munin, iperf, netperf, NetBackup and Opsware. module "it-windows-base" { source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base" - # name = "m-it-windows-base" + # name = "it-windows-base" vpc_id = var.vpc_id # Name, CostAllocation, and Environment are pre-set, but they can be overriden # tags = { } diff --git a/it-windows-base/main.tf b/it-windows-base/main.tf index c0a9b30..ee37c88 100644 --- a/it-windows-base/main.tf +++ b/it-windows-base/main.tf @@ -12,7 +12,7 @@ * module "it-windows-base" { * source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base" * -* # name = "m-it-windows-base" +* # name = "it-windows-base" * vpc_id = var.vpc_id * # Name, CostAllocation, and Environment are pre-set, but they can be overriden * # tags = { } diff --git a/ois-scanner/README.md b/ois-scanner/README.md index 6e2ea16..cacc584 100644 --- a/ois-scanner/README.md +++ b/ois-scanner/README.md @@ -1,8 +1,8 @@ # About -This describes how to use the aws-common-security-groups submodule for ois-scanner. This sets up -a module for a security group in the respective VPC. When construting a new VPC, we want to include -this module. This should be in each VPC we have, in production. We probably need a similar one +This describes how to use the aws-common-security-groups submodule for ois-scanner. This sets up +a module for a security group in the respective VPC. When construting a new VPC, we want to include +this module. This should be in each VPC we have, in production. We probably need a similar one for the CAT environment, but we'll tackle that when we get to it. # Usage 
@@ -18,45 +18,30 @@ module "ois-scanner" { } ``` -## Required Inputs +## Requirements -The following input variables are required: +| Name | Version | +|------|---------| +| terraform | >= 0.12 | -### vpc\_id +## Providers -Description: VPC ID Number +| Name | Version | +|------|---------| +| aws | n/a | -Type: `string` +## Inputs -## Optional Inputs - -The following input variables are optional (have default values): - -### name - -Description: Security group Name - -Type: `string` - -Default: `"ois-scanner"` - -### tags - -Description: Extra security group tags - -Type: `map` - -Default: `` +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"1.16"` | no | +| name | Security group Name | `string` | `"ois-scanner"` | no | +| tags | Extra security group tags | `map(string)` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| vpc\_id | VPC ID Number | `any` | n/a | yes | ## Outputs -The following outputs are exported: - -### this\_security\_group\_arn - -Description: Created security group ARN - -### this\_security\_group\_id - -Description: Created security group ID - +| Name | Description | +|------|-------------| +| this\_security\_group\_arn | Created security group ARN | +| this\_security\_group\_id | Created security group ID | diff --git a/ois-scanner/versions.tf b/ois-scanner/versions.tf index ac97c6a..d9b6f79 100644 --- a/ois-scanner/versions.tf +++ b/ois-scanner/versions.tf @@ -1,4 +1,3 @@ - terraform { required_version = ">= 0.12" } From a7534163b951ade957eefecf7bc2c6a7e2140b0a Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 31 Jul 2020 12:27:50 -0400 Subject: [PATCH 11/12] v1.17: add variables from it-windows-base --- ois-scanner/CHANGELOG.md | 4 +++ ois-scanner/README.md | 17 ++++++--- ois-scanner/variables.tf | 76 ++++++++++++++++++++++++++++++++++++---- ois-scanner/version.tf | 2 +- 4 files changed, 88 insertions(+), 11 deletions(-) diff --git a/ois-scanner/CHANGELOG.md b/ois-scanner/CHANGELOG.md index 250eb5c..08af3d7 100644 --- a/ois-scanner/CHANGELOG.md +++ b/ois-scanner/CHANGELOG.md @@ -1,3 +1,7 @@ # v1.16 -- 20200604 * add version number, update tags + +# v1.17 -- 20200731 + +* add variables from [it-windows-base](../it-windows-base) diff --git a/ois-scanner/README.md b/ois-scanner/README.md index cacc584..e52c791 100644 --- a/ois-scanner/README.md +++ b/ois-scanner/README.md @@ -34,10 +34,19 @@ module "ois-scanner" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"1.16"` | no | -| name | Security group Name | `string` | `"ois-scanner"` | no | -| tags | Extra security group tags | `map(string)` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | -| vpc\_id | VPC ID Number | `any` | n/a | yes | +| \_module\_version | Module version number | `string` | `"1.17"` | no | +| description | Security Group Description | `string` | `"OIS Scanner Security Group"` | no | +| egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| enable\_self | Enable\|Disable self full access | `bool` | `false` | no | +| ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| name | Security Group Name | `string` | `"ois-scanner"` | no | +| short\_description | Security Group Short Description | `string` | `"OIS"` | no | +| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| vpc\_full\_name | VPC Name | `string` | `""` | no | +| vpc\_id | VPC ID Number | `string` | n/a | yes | ## Outputs diff --git a/ois-scanner/variables.tf b/ois-scanner/variables.tf index 423b238..341ddc3 100644 --- a/ois-scanner/variables.tf +++ b/ois-scanner/variables.tf 
@@ -1,19 +1,83 @@ +#--- +# change between different modules as needed +#--- +variable "name" { + description = "Security Group Name" + type = string + default = "ois-scanner" +} + +variable "description" { + description = "Security Group Description" + type = string + default = "OIS Scanner Security Group" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + default = "OIS" +} + +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +#--- +# others with defaults +#--- variable "vpc_id" { description = "VPC ID Number" + type = string } -variable "name" { - description = "Security group Name" - default = "ois-scanner" +data "aws_vpc" "selected" { + id = "${var.vpc_id}" +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + +variable "ingress_networks" { + description = "List of ingress networks for external access (not all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "egress_networks" { + description = "List of egress networks (all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] } variable "tags" { description = "Extra security group tags" - - type = map(string) + type = map default = { "CostAllocation" = "csvd:infrastructure" "Environment" = "csvd-infrastructure" } } - diff --git a/ois-scanner/version.tf b/ois-scanner/version.tf index bb082f5..bd9d562 100644 --- a/ois-scanner/version.tf +++ b/ois-scanner/version.tf 
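Review bot: The `tags` variable loses its element type in this hunk — `type = map(string)` is replaced with the untyped `type = map` — which is a regression from what ois-scanner already had; keep `type = map(string)` (the README row in the same commit changes to `map` as well and should move with it). The diffstat for this commit lists only CHANGELOG.md, README.md, variables.tf and version.tf, so the newly accepted inputs (`description`, `short_description`, `enable_self`, `use_vpc_cidr`, `vpc_full_name`, `ingress_networks`, `egress_networks`, `ingress_security_groups`, `egress_security_groups`) appear not to be consumed by ois-scanner's main.tf yet; either wire them in or note in each description that the input is currently unused, so nobody sets `ingress_networks` expecting it to narrow the group. The `default = ["0.0.0.0/0"]` on `ingress_networks` deserves a comment stating that it is the fallback used when a port row has no CIDR of its own, since that is the only place the default's effect becomes visible.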
@@ -1,5 +1,5 @@
 variable "_module_version" {
 description = "Module version number"
 type = string
- default = "1.16"
+ default = "1.17"
 }
From f5f228655401c618d46727773a61a7040ecf59b6 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 31 Jul 2020 13:24:23 -0400 Subject: [PATCH 12/12] change iperf3 to just 5201 --- it-windows-base/ports.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/it-windows-base/ports.tf b/it-windows-base/ports.tf
index c1340b0..b148f73 100644
--- a/it-windows-base/ports.tf
+++ b/it-windows-base/ports.tf
@@ -27,8 +27,8 @@ locals {
 ports = [
 [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
 [161, 161, "udp", "SNMP", local.n_all, ["external"]],
-[5201, 5203, "tcp", "iperf3", local.n_all, ["external"]],
-[5201, 5203, "udp", "iperf3", local.n_all, ["external"]],
+[5201, 5201, "tcp", "iperf3", local.n_all, ["external"]],
+[5201, 5201, "udp", "iperf3", local.n_all, ["external"]],
 [1556, 1556, "tcp", "Netbackup", local.n_backup, ["external"]],
 [3389, 3389, "tcp", "RDP", local.n_census, ["external"]],
 [5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"]],