diff --git a/it-windows-base/CHANGELOG.md b/it-windows-base/CHANGELOG.md index 4315820..e9e2e5e 100644 --- a/it-windows-base/CHANGELOG.md +++ b/it-windows-base/CHANGELOG.md @@ -5,6 +5,11 @@ * add EnCase source 148.129.71.121 to 4445/tcp (ticket INC000002587282) * add Riverbed Transaction Agent (formerly appcapture) 172.24.100.107 to 27401/tcp -# v1.2 -- 20210226 +# v1.2.0 -- 20210226 * add HPSA and HPOM * ticket INC000002652291 + +# v1.2.1 -- 20210528 + * remove HPSA and HPOM + * ticket INC000002703111 + diff --git a/it-windows-base/README.md b/it-windows-base/README.md index 7c2097e..d4b7039 100644 --- a/it-windows-base/README.md +++ b/it-windows-base/README.md @@ -2,7 +2,7 @@ This describes how to use the aws-common-security-groups submodule for it-windows-base. -Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP, +Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP, monit, munin, iperf, netperf, NetBackup and Opsware. ## Usage 
@@ -22,46 +22,48 @@ module "it-windows-base" { | Name | Version | |------|---------| -| terraform | >= 0.12 | +| [terraform](#requirement\_terraform) | >= 0.12 | ## Providers | Name | Version | |------|---------| -| aws | n/a | +| [aws](#provider\_aws) | n/a | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | -| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | -| [aws_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| description | Security Group Description | `string` | `"Windows Common Base Security Group"` | no | -| egress\_networks | List of egress networks (all ports) | `list(string)` |
[| no | -| egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | -| enable\_self | Enable\|Disable self full access | `bool` | `false` | no | -| ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | -| ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| name | Security Group Name | `string` | `"it-windows-base"` | no | -| short\_description | Security Group Short Description | `string` | `"Windows"` | no | -| tags | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
-| use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
-| vpc\_full\_name | VPC Name | `string` | `""` | no |
-| vpc\_id | VPC ID Number | `string` | n/a | yes |
+| [description](#input\_description) | Security Group Description | `string` | `"Windows Common Base Security Group"` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | [| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"it-windows-base"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Windows"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
+| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
-| this\_security\_group\_arn | Created security group ARN |
-| this\_security\_group\_id | Created security group ID |
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/it-windows-base/ports.tf b/it-windows-base/ports.tf
index 6b9aee2..ba25b3c 100644
--- a/it-windows-base/ports.tf
+++ b/it-windows-base/ports.tf
@@ -17,15 +17,15 @@
## this adds iperf3
locals {
- n_all = ["0.0.0.0/0"]
- n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
- n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
- n_backup = ["10.193.0.0/22"]
- n_ansible = ["172.24.12.239/32"]
- n_encase = ["148.129.121.72/32"]
- n_riverbed = ["172.24.100.107/32"]
- n_hpsa = ["172.24.100.141/32", "172.24.100.154/32", "172.24.100.165/32"]
- n_hpom = ["172.24.105.24/32"]
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
+ n_backup = ["10.193.0.0/22"]
+ n_ansible = ["172.24.12.239/32"]
+ n_encase = ["148.129.121.72/32"]
+ n_riverbed = ["172.24.100.107/32"]
+ # n_hpsa = ["172.24.100.141/32", "172.24.100.154/32", "172.24.100.165/32"]
+ # n_hpom = ["172.24.105.24/32"]
source_groups = ["all", "external"]
name = var.name
ports = [
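Review bot: `n_encase` on the new side is `["148.129.121.72/32"]`, but the CHANGELOG entry carried in this same commit records the EnCase source for 4445/tcp as `148.129.71.121` (ticket INC000002587282); the two cannot both be right, and for a forensic-collection port the wrong /32 either blocks the collector or admits an unrelated host. Please check the address against the ticket and fix whichever side is wrong, e.g. `n_encase = ["148.129.71.121/32"]` if the changelog is authoritative. The `n_hpsa`/`n_hpom` locals are only commented out here; since nothing can reference them any more, deleting the two lines keeps the locals block from accumulating dead entries.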
@@ -38,9 +38,9 @@ locals {
[4445, 4445, "tcp", "EnCase", local.n_encase, ["external"]],
[5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"]],
[27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]],
- [1002, 1002, "tcp", "HPSA", local.n_hpsa, ["external"]],
- [383, 383, "tcp", "HPOM", local.n_hpom, ["external"]],
- [383, 383, "udp", "HPOM", local.n_hpom, ["external"]],
+ # [1002, 1002, "tcp", "HPSA", local.n_hpsa, ["external"]],
+ # [383, 383, "tcp", "HPOM", local.n_hpom, ["external"]],
+ # [383, 383, "udp", "HPOM", local.n_hpom, ["external"]],
]
# these are ignored
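Review bot: The three HPSA/HPOM entries are commented out rather than removed, yet the `n_hpsa`/`n_hpom` locals they reference are commented out in the same change, so the lines can never be uncommented on their own and only duplicate what the CHANGELOG and the trailing `# INC000002703111` comment already record. Delete them and let git history carry the removal; a security-group port list is easiest to audit when every line in it is live. If a later re-add is expected, a single comment naming the ticket is enough.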
@@ -57,3 +57,6 @@ locals {
s => [for p in local.p_map : p if contains(p["source_group"], s)]
}
}
+
+# INC000002703111
+# remove 383, 1002
diff --git a/it-windows-base/version.tf b/it-windows-base/version.tf
index 1ee6619..54b3493 100644
--- a/it-windows-base/version.tf
+++ b/it-windows-base/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.2.0"
+ _module_version = "1.2.1"
}
diff --git a/kafka/CHANGELOG.md b/kafka/CHANGELOG.md
new file mode 100644
index 0000000..877b488
--- /dev/null
+++ b/kafka/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210609
+ - create module
diff --git a/kafka/README.md b/kafka/README.md
new file mode 100644
index 0000000..96101ed
--- /dev/null
+++ b/kafka/README.md
@@ -0,0 +1,75 @@
+# About kafka
+
+This describes how to use the aws-common-security-groups submodule for kafka.
+
+Default and auxilliary ports are included in this. This includes TCP only for the following ports:
+
+* 22 ssh
+* 443 https
+* 9000 http
+* 9001 http
+* 9092, 8083, 2181, 2188, 2189, 9999
+
+## Usage
+
+```hcl
+module "kafka" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//kafka"
+
+ vpc_id = var.vpc_id
+ ## optional
+ # name = "m-kafka"
+
+ ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+ # tags = { }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | Security Group Description | `string` | `"Kafka Security Group"` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | [| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-kafka"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Kafka"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
+| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/kafka/main.tf b/kafka/main.tf
new file mode 100644
index 0000000..1131039
--- /dev/null
+++ b/kafka/main.tf
@@ -0,0 +1,140 @@
+/*
+* # About kafka
+*
+* This describes how to use the aws-common-security-groups submodule for kafka.
+*
+* Default and auxilliary ports are included in this. This includes TCP only for the following ports:
+*
+* * 22 ssh
+* * 443 https
+* * 9000 http
+* * 9001 http
+* * 9092, 8083, 2181, 2188, 2189, 9999
+*
+* ## Usage
+*
+* ```hcl
+* module "kafka" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//kafka"
+*
+* vpc_id = var.vpc_id
+* ## optional
+* # name = "m-kafka"
+*
+* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+* # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingresss vpc port list (ignores port{} network block)
+ dynamic "ingress" {
+ for_each = local.port_map["vpc"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = [data.aws_vpc.this_vpc[0].cidr_block]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ map("Name", "sg-${local.name}"),
+ var.tags,
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ )
+}
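Review bot: The second ingress block (the `local.port_map["vpc"]` loop) reads `data.aws_vpc.this_vpc[0].cidr_block` unconditionally, but that data source is declared with `count = var.use_vpc_cidr ? 1 : 0` and `use_vpc_cidr` defaults to `false`; because kafka/ports.tf puts 2181, 2188-2189, 3188, 8083 and 9999 in the `vpc` group, the loop is never empty and a plan with default inputs fails on the empty-list index. Make the lookup exist whenever either consumer needs it: `count = var.use_vpc_cidr || length(local.port_map["vpc"]) > 0 ? 1 : 0`. Separately, the egress security-group block uses the iterator object itself (`local.egress_sg_names[sg]` and `security_groups = [sg]`) where the matching ingress block correctly uses `sg.value`; this fails as soon as `egress_security_groups` is non-empty, so change both to `sg.value`.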
diff --git a/kafka/output.tf b/kafka/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/kafka/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/kafka/ports.tf b/kafka/ports.tf
new file mode 100644
index 0000000..12b0c0a
--- /dev/null
+++ b/kafka/ports.tf
@@ -0,0 +1,41 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: Kafka common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external", "vpc"]
+
+ name = var.name
+ ports = [
+ [22, 22, "tcp", "ssh", local.n_all, ["external"]],
+ [443, 443, "tcp", "https", local.n_all, ["external"]],
+ [2181, 2181, "tcp", "Zookeeper-client", local.n_all, ["vpc"]],
+ [2188, 2189, "tcp", "Zookeeper-follower", local.n_all, ["vpc"]],
+ [3188, 3188, "tcp", "Zookeeper-internode", local.n_all, ["vpc"]],
+ [8083, 8083, "tcp", "Kafka", local.n_all, ["vpc"]],
+ [9000, 9001, "tcp", "Kafka-UI", local.n_all, ["external"]],
+ [9092, 9093, "tcp", "Kafka-listener", local.n_all, ["external"]],
+ [9999, 9999, "tcp", "Kafka-JMX", local.n_all, ["vpc"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
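Review bot: Every `external` entry in `local.ports` hard-codes `local.n_all` (`0.0.0.0/0`) as its CIDR list, so main.tf's `length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]` never falls back to `var.ingress_networks` or the VPC CIDR, and the resulting group opens 22/tcp, 443/tcp, the 9000-9001 Kafka-UI and the 9092-9093 broker listeners to any source on an instance that is reachable from the Internet, regardless of what the caller passes. The sibling rds-maria module scopes its rule to `local.n_census`, and `n_census` is defined here but unused; the external entries should at least use `local.n_census`, and the broker listeners are probably better placed in the `vpc` group next to the Zookeeper and JMX ports unless cross-VPC producers are a documented requirement. The README in this commit also lists only 2181, 2188, 2189, 8083, 9092 and 9999 as extra ports and says nothing about 3188 or 9093, so the two should be reconciled once the list is settled.
```hcl
  ports = [
    [22, 22, "tcp", "ssh", local.n_census, ["external"]],
    [443, 443, "tcp", "https", local.n_census, ["external"]],
    # … unchanged: Zookeeper-client / Zookeeper-follower / Zookeeper-internode / Kafka 8083 (vpc group) …
    [9000, 9001, "tcp", "Kafka-UI", local.n_census, ["external"]],
    [9092, 9093, "tcp", "Kafka-listener", local.n_all, ["vpc"]],
    # … unchanged: Kafka-JMX 9999 (vpc group) …
  ]
```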
diff --git a/kafka/variables.tf b/kafka/variables.tf
new file mode 100644
index 0000000..3e3cf73
--- /dev/null
+++ b/kafka/variables.tf
@@ -0,0 +1,79 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "m-kafka"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Kafka Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Kafka"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
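Review bot: `ingress_networks` defaults to `["0.0.0.0/0"]`, so any port entry that leaves its CIDR column empty becomes world-reachable unless the caller remembers to override it; for a shared security-group module the safer default is fail-closed, `default = []`, with `use_vpc_cidr = true` or an explicit list granting access (main.tf's external loop would then need to skip an entry whose resolved list is empty, since an ingress block with no source is rejected). The `egress_networks` default of `0.0.0.0/0` mirrors the AWS default and can stay, but the README should state it plainly. The untyped `type = map` on `tags` accepts nested values that `aws_security_group` rejects only at apply time; `type = map(string)` surfaces that at plan.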
diff --git a/kafka/version.tf b/kafka/version.tf
new file mode 100644
index 0000000..fa2705b
--- /dev/null
+++ b/kafka/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "1.0.0"
+}
diff --git a/kafka/versions.tf b/kafka/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/kafka/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
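Review bot: `required_version = ">= 0.12"` has no upper bound, yet kafka/main.tf builds its tags with `map(...)` and `list(...)`, both deprecated in 0.12 and removed in Terraform 0.15, so the constraint admits versions on which the module cannot parse. Either tighten it to `">= 0.12, < 0.15"` for now, or preferably replace the calls with literal syntax — `{ Name = "sg-${local.name}" }` and `compact([var.vpc_id, var.vpc_full_name])` — which is valid on every version the constraint allows.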
diff --git a/rds-maria/CHANGELOG.md b/rds-maria/CHANGELOG.md
new file mode 100644
index 0000000..d8a2e53
--- /dev/null
+++ b/rds-maria/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210528
+ - add module version, update tags
diff --git a/rds-maria/README.md b/rds-maria/README.md
new file mode 100644
index 0000000..5d98c50
--- /dev/null
+++ b/rds-maria/README.md
@@ -0,0 +1,69 @@
+# About rds-maria
+
+This describes how to use the aws-common-security-groups submodule for rds-maria.
+
+Default and auxilliary ports are included in this. They are opened to everything.
+
+## Usage
+
+```hcl
+module "maria" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria"
+
+ vpc_id = var.vpc_id
+ ## optional
+ # name = "m-maria-db"
+
+ ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+ # tags = { }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | Security Group Description | `string` | `"MariaDB Security Group"` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | [| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-maria-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MariaDB"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
+| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/rds-maria/main.tf b/rds-maria/main.tf
new file mode 100644
index 0000000..dc04635
--- /dev/null
+++ b/rds-maria/main.tf
@@ -0,0 +1,121 @@
+/*
+* # About rds-maria
+*
+* This describes how to use the aws-common-security-groups submodule for rds-maria.
+*
+* Default and auxilliary ports are included in this. They are opened to everything.
+*
+* ## Usage
+*
+* ```hcl
+* module "maria" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria"
+*
+* vpc_id = var.vpc_id
+* ## optional
+* # name = "m-maria-db"
+*
+* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+* # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ map("Name", "sg-${local.name}"),
+ var.tags,
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ )
+}
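Review bot: The egress security-group block references the iterator object directly (`local.egress_sg_names[sg]` and `security_groups = [sg]`) while the ingress block a few lines above correctly uses `sg.value`; the first non-empty `egress_security_groups` input will fail with an invalid index / type mismatch. Change both to `sg.value`. The same defect is present in kafka/main.tf in this commit, so it is probably worth fixing the template the modules are copied from.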
diff --git a/rds-maria/output.tf b/rds-maria/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/rds-maria/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/rds-maria/ports.tf b/rds-maria/ports.tf
new file mode 100644
index 0000000..f722a8c
--- /dev/null
+++ b/rds-maria/ports.tf
@@ -0,0 +1,33 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: MariaDB common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external"]
+
+ name = var.name
+ ports = [
+ [3306, 3306, "tcp", "maria-db", local.n_census, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
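Review bot: The single 3306/tcp rule carries `local.n_census` as its CIDR column, so main.tf's empty-list fallback never applies and `var.ingress_networks` / `use_vpc_cidr` are silently ignored, which contradicts the variable's description and the README's "opened to everything". `n_census` also spans all of RFC 1918 plus 148.129.0.0/16, so every peered or connected network can reach the database port; for an RDS group the tighter control is SG-to-SG via `ingress_security_groups`, which the module already supports but the README never mentions. Either set the column to `[]` so the caller's list governs, or keep `n_census` and document that `ingress_networks` has no effect here; `local.description` and `local.n_all` are unused and can be dropped.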
diff --git a/rds-maria/variables.tf b/rds-maria/variables.tf
new file mode 100644
index 0000000..b91227c
--- /dev/null
+++ b/rds-maria/variables.tf
@@ -0,0 +1,79 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "m-maria-db"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "MariaDB Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "MariaDB"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
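Review bot: For a database security-group module, `ingress_networks` defaulting to `["0.0.0.0/0"]` with the description "external access" is the wrong fail-open default; `default = []` and an explicit opt-in (a caller-supplied list, `use_vpc_cidr = true`, or `ingress_security_groups`) would make accidental exposure impossible if a future port entry leaves its CIDR column empty. `type = map` on `tags` is the legacy untyped form; `type = map(string)` rejects nested values at plan time instead of at apply.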
diff --git a/rds-maria/version.tf b/rds-maria/version.tf
new file mode 100644
index 0000000..fa2705b
--- /dev/null
+++ b/rds-maria/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "1.0.0"
+}
diff --git a/rds-maria/versions.tf b/rds-maria/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/rds-maria/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
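Review bot: The open-ended `">= 0.12"` constraint does not match the code: rds-maria/main.tf's tags use `map(...)` and `list(...)`, which Terraform removed in 0.15, so any current release fails to parse the module. Pin `">= 0.12, < 0.15"` or, better, rewrite the calls as `{ Name = "sg-${local.name}" }` and `compact([var.vpc_id, var.vpc_full_name])`, which work on every version the constraint allows.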
diff --git a/rds-mysql/CHANGELOG.md b/rds-mysql/CHANGELOG.md
new file mode 100644
index 0000000..bed4f16
--- /dev/null
+++ b/rds-mysql/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210527
+ - add module version, update tags
diff --git a/rds-mysql/README.md b/rds-mysql/README.md
new file mode 100644
index 0000000..4439a8d
--- /dev/null
+++ b/rds-mysql/README.md
@@ -0,0 +1,69 @@
+# About rds-mysql
+
+This describes how to use the aws-common-security-groups submodule for rds-mysql.
+
+Default and auxilliary ports are included in this. They are opened to everything.
+
+## Usage
+
+```hcl
+module "mysql" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql"
+
+ vpc_id = var.vpc_id
+ ## optional
+ # name = "m-mysql-db"
+
+ ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+ # tags = { }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | Security Group Description | `string` | `"MySQL Security Group"` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | [| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-mysql-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MySQL"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
+| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/rds-mysql/main.tf b/rds-mysql/main.tf
new file mode 100644
index 0000000..6204dc4
--- /dev/null
+++ b/rds-mysql/main.tf
@@ -0,0 +1,121 @@
+/*
+* # About rds-mysql
+*
+* This describes how to use the aws-common-security-groups submodule for rds-mysql.
+*
+* Default and auxilliary ports are included in this. They are opened to everything.
+*
+* ## Usage
+*
+* ```hcl
+* module "mysql" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql"
+*
+* vpc_id = var.vpc_id
+* ## optional
+* # name = "m-mysql-db"
+*
+* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+* # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ map("Name", "sg-${local.name}"),
+ var.tags,
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ )
+}
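Review bot: The `use_vpc_cidr` and `ingress_networks` inputs never reach a rule here: the only port entry in rds-mysql/ports.tf carries the non-empty `local.n_census` cidr list, so the ternary on the external `cidr_blocks` line always takes the `p.value["cidr"]` branch and `local.external_ingress_networks` is computed but never applied. Either state in the header comment that port 3306 is fixed to the census networks, or fold the caller's list in as web/main.tf does (`cidr_blocks = distinct(compact(concat(length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"], var.ingress_networks)))`), in which case the `ingress_networks` default must change from `["0.0.0.0/0"]` to `[]` so the default plan does not expose 3306 to all addresses. The web module's `cidr_blocks` line has the same dead `use_vpc_cidr` path for the same reason. Separately, the tags block still calls `map()` and `list()`, which Terraform removed in 0.15 while versions.tf allows `>= 0.12` with no upper bound; the same applies to web/main.tf's tags block and to the `list(` kept inside the `tomap({...})` hunk of rds-oracle/main.tf, so use `tomap({...})` / `tolist([...])` throughout or cap `required_version`.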
diff --git a/rds-mysql/output.tf b/rds-mysql/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/rds-mysql/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/rds-mysql/ports.tf b/rds-mysql/ports.tf
new file mode 100644
index 0000000..7fc84c3
--- /dev/null
+++ b/rds-mysql/ports.tf
@@ -0,0 +1,33 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: MySQL common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external"]
+
+ name = var.name
+ ports = [
+ [3306, 3306, "tcp", "mysql-db", local.n_census, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
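Review bot: Both `# these are ignored` comments are inaccurate: main.tf reads `local.egress_networks` for the all-ports egress rule and `local.ingress_sg` / `local.egress_sg` for the security-group ingress and egress blocks, so the only value that is genuinely unused is `ingress_networks` (and, across the visible module, `local.description` and `local.n_all` are never referenced either). Replace them with comments that say what is consumed, e.g. `# ingress_networks is not applied: the mysql entry fixes its cidr to n_census; egress_networks feeds the all-ports egress rule` and `# forwarded to the security-group ingress/egress blocks in main.tf`, and drop or use the unreferenced locals.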
diff --git a/rds-mysql/variables.tf b/rds-mysql/variables.tf
new file mode 100644
index 0000000..f9b8a68
--- /dev/null
+++ b/rds-mysql/variables.tf
@@ -0,0 +1,79 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "m-mysql-db"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "MySQL Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "MySQL"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
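Review bot: The `# others with defaults` header is wrong for the first variable under it, `vpc_id`, which has no default and is the module's only required input; reword it to `# others (vpc_id is required)` or move `vpc_id` above the header. `type = map` with no element type is the pre-0.12 shorthand for `map(any)` kept for backward compatibility; since security-group tags are strings, `type = map(string)` documents that and rejects non-string values at plan time. The same two points apply to web/variables.tf.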
diff --git a/rds-mysql/version.tf b/rds-mysql/version.tf
new file mode 100644
index 0000000..fa2705b
--- /dev/null
+++ b/rds-mysql/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "1.0.0"
+}
diff --git a/rds-mysql/versions.tf b/rds-mysql/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/rds-mysql/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/rds-oracle/CHANGELOG.md b/rds-oracle/CHANGELOG.md
index 239a373..65bc294 100644
--- a/rds-oracle/CHANGELOG.md
+++ b/rds-oracle/CHANGELOG.md
@@ -1,3 +1,8 @@
-# v1.3 -- 20200604
+* v1.3 -- 20200604
+ - add module version, update tags
-* add module version, update tags
+* v1.3.1 -- 20210621
+ - add ports 2483 and 2484 (tcp, tcp+ssl)
+
+* v1.3.2 -- 20210621
+ - add variable description
diff --git a/rds-oracle/README.md b/rds-oracle/README.md
index 9f48f1f..fa356e6 100644
--- a/rds-oracle/README.md
+++ b/rds-oracle/README.md
@@ -10,6 +10,10 @@ module "rds-oracle" {
# name = "m-rds-oracle"
vpc_id = var.vpc_id
+
+ ## optional
+ # description = "my other description" # not recommended to change this
+
# Name, CostAllocation, and Environment are pre-set
# tags = { }
}
@@ -19,39 +23,40 @@ module "rds-oracle" {
| Name | Version |
|------|---------|
-| terraform | >= 0.12 |
+| [terraform](#requirement\_terraform) | >= 0.12 |
## Providers
| Name | Version |
|------|---------|
-| aws | n/a |
+| [aws](#provider\_aws) | n/a |
## Modules
-No Modules.
+No modules.
## Resources
-| Name |
-|------|
-| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) |
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| \_module\_version | Module version number | `string` | `"1.3"` | no |
-| egress\_networks | List of egress networks (all ports) | `list(string)` | [| no | -| name | Security group Name | `string` | `"m-oracle-db"` | no | -| networks | List of ingress networks (applies to all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | -| tags | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
-| vpc\_full\_name | VPC Name | `string` | `""` | no |
-| vpc\_id | VPC ID Number | `string` | n/a | yes |
+| [description](#input\_description) | Security Group Description | `string` | `"module: Oracle common ports"` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | [| no | +| [name](#input\_name) | Security group Name | `string` | `"m-oracle-db"` | no | +| [networks](#input\_networks) | List of ingress networks (applies to all ports) | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Oracle"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
"0.0.0.0/0"
]
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
-| this\_security\_group\_arn | Created security group ARN |
-| this\_security\_group\_id | Created security group ID |
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/rds-oracle/main.tf b/rds-oracle/main.tf
index 60be493..72893ec 100644
--- a/rds-oracle/main.tf
+++ b/rds-oracle/main.tf
@@ -11,6 +11,10 @@
*
* # name = "m-rds-oracle"
* vpc_id = var.vpc_id
+*
+* ## optional
+* # description = "my other description" # not recommended to change this
+*
* # Name, CostAllocation, and Environment are pre-set
* # tags = { }
* }
@@ -27,7 +31,7 @@ resource "aws_security_group" "this_security_group" {
for_each = local.ports_map
iterator = p
content {
- description = "${local.description}: ${p.value["description"]}"
+ description = "${local.short_description}: ${p.value["description"]}"
from_port = p.value["from"]
to_port = p.value["to"]
protocol = p.value["proto"]
@@ -36,7 +40,7 @@ resource "aws_security_group" "this_security_group" {
}
egress {
- description = "${local.description}: All"
+ description = "${local.short_description}: All"
from_port = 0
to_port = 0
protocol = -1
@@ -44,9 +48,12 @@ resource "aws_security_group" "this_security_group" {
}
tags = merge(
- map("Name", "sg-${local.name}"),
var.tags,
- map("boc:tf_module_version", var._module_version),
- map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ tomap({
+ "Name" = "sg-${local.name}"
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ "boc:vpc:info" = join(" ", compact(list(var.vpc_id, var.vpc_full_name)))
+ })
)
}
diff --git a/rds-oracle/ports.tf b/rds-oracle/ports.tf
index 80c0160..5da2cda 100644
--- a/rds-oracle/ports.tf
+++ b/rds-oracle/ports.tf
@@ -1,9 +1,11 @@
locals {
- description = "module: Oracle common ports"
- name = var.name
+ description = var.description
+ short_description = var.short_description == "" ? var.description : var.short_description
+ name = var.name
ports = [
[1521, 1521, "tcp", "oracle-db", []],
[1570, 1571, "tcp", "oracle-db", []],
+ [2483, 2484, "tcp", "oracle-db", []],
[3872, 3872, "tcp", "inbound-oracle-OEM", ["172.24.101.9/32", "172.24.101.10/32", "172.24.32.251/32"]],
[7799, 7799, "tcp", "oracle-OEM", []],
]
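Review bot: The new `[2483, 2484, "tcp", "oracle-db", []]` entry carries an empty cidr list, which in this module presumably means the range is opened to whatever `var.networks` holds, and the README shows its default as `["0.0.0.0/0"]`; the empty-cidr fallback itself lives in rds-oracle/main.tf outside these hunks, so confirm there. rds-mysql and rds-postgres scope their database port to `local.n_census` instead, so consider the same scoping for 1521 and 2483–2484, or at least add a comment on the entry such as `# 2483 = cleartext listener, 2484 = TLS listener; both follow var.networks` so callers know to restrict `networks`. The `locals` block continues past the end of the hunk.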
@@ -12,3 +14,17 @@ locals {
ports_fields = ["from", "to", "proto", "description", "cidr"]
ports_map = [for p in local.ports : zipmap(local.ports_fields, p)]
}
+
+# references
+# https://docs.oracle.com/cd/B19306_01/install.102/b25293/app_port.htm
+# https://docs.oracle.com/cd/B12037_01/network.101/b10776/protocoladd.htm
+#
+# Recommended Port Numbers
+# Table 4-2, "Recommended Port Numbers" lists the recommends the port numbers.
+#
+# Table 4-2 Recommended Port Numbers
+#
+# Port Description
+# 1521 Default listening port for client connections to the listener. In future releases, this port number may change to the officially registered port number of 2483 for TCP/IP and 2484 for TCP/IP with SSL.
+# 1521 Default and officially registered listening port for client connections to Oracle Connection Manager
+# 1830 Default and officially registered listening port for administrative commands to Oracle Connection Manager
diff --git a/rds-oracle/variables.tf b/rds-oracle/variables.tf
index 5824124..d17440a 100644
--- a/rds-oracle/variables.tf
+++ b/rds-oracle/variables.tf
@@ -16,6 +16,18 @@ variable "name" {
default = "m-oracle-db"
}
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "module: Oracle common ports"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Oracle"
+}
+
variable "networks" {
description = "List of ingress networks (applies to all ports)"
type = list(string)
@@ -36,3 +48,4 @@ variable "tags" {
"Environment" = "csvd-infrastructure"
}
}
+
diff --git a/rds-oracle/version.tf b/rds-oracle/version.tf
index 38fadfd..5ec2ece 100644
--- a/rds-oracle/version.tf
+++ b/rds-oracle/version.tf
@@ -1,5 +1,3 @@
-variable "_module_version" {
- description = "Module version number"
- type = string
- default = "1.3"
+locals {
+ _module_version = "1.3.2"
}
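Review bot: Replacing the `_module_version` input variable with a local removes a caller-facing argument: a root module that passed `_module_version = ...` now fails with an unsupported-argument error, which the patch-level bump to `1.3.2` does not signal. Record it in the v1.3.2 CHANGELOG entry (`- _module_version is no longer an input variable`) or make it a minor bump.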
diff --git a/rds-postgres/ports.tf b/rds-postgres/ports.tf
index ba92c81..5737c50 100644
--- a/rds-postgres/ports.tf
+++ b/rds-postgres/ports.tf
@@ -14,7 +14,7 @@ locals {
name = var.name
ports = [
- [5482, 5482, "tcp", "postgres-db", local.n_census, ["external"]],
+ [5432, 5432, "tcp", "postgres-db", local.n_census, ["external"]],
]
# these are ignored
diff --git a/web/CHANGELOG.md b/web/CHANGELOG.md
new file mode 100644
index 0000000..3523043
--- /dev/null
+++ b/web/CHANGELOG.md
@@ -0,0 +1,8 @@
+# v1.0.0 -- 20210604
+ - add module version, update tags
+
+# v1.1.0 -- 20210915
+ - enable use of ingress_networks and egress_networks for pre-defined port list
+
+# v1.1.1 -- 20210929
+ - fix default egress to be 0/0 for web submodule
diff --git a/web/README.md b/web/README.md
new file mode 100644
index 0000000..14206dd
--- /dev/null
+++ b/web/README.md
@@ -0,0 +1,77 @@
+# About web
+
+This describes how to use the aws-common-security-groups submodule for web.
+
+Default and auxilliary ports are included in this. They are opened from everything. This
+includes TCP only for the following ports:
+
+* 80 http
+* 443 https
+* 8080 http, Tomcat
+* 8443 https, Tomcat
+
+## Usage
+
+```hcl
+module "web" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web"
+
+ vpc_id = var.vpc_id
+ ## optional
+ # name = "m-web"
+ # ingress_networks = [ "1.2.3.0/24" ]
+ # egress_networks = [ "1.2.3.0/24" ]
+
+ ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+ # tags = { }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | Security Group Description | `string` | `"Web Security Group"` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
+| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
+| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
+| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
+| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| [name](#input\_name) | Security Group Name | `string` | `"m-web"` | no |
+| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Web"` | no |
+| [tags](#input\_tags) | Extra security group tags | `map` | {
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
} | no |
+| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/web/main.tf b/web/main.tf
new file mode 100644
index 0000000..e1edc45
--- /dev/null
+++ b/web/main.tf
@@ -0,0 +1,129 @@
+/*
+* # About web
+*
+* This describes how to use the aws-common-security-groups submodule for web.
+*
+* Default and auxilliary ports are included in this. They are opened from everything. This
+* includes TCP only for the following ports:
+*
+* * 80 http
+* * 443 https
+* * 8080 http, Tomcat
+* * 8443 https, Tomcat
+*
+* ## Usage
+*
+* ```hcl
+* module "web" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web"
+*
+* vpc_id = var.vpc_id
+* ## optional
+* # name = "m-web"
+* # ingress_networks = [ "1.2.3.0/24" ]
+* # egress_networks = [ "1.2.3.0/24" ]
+*
+* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+* # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks)))
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks)))
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ map("Name", "sg-${local.name}"),
+ var.tags,
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ )
+}
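Review bot: The `egress_networks` input cannot narrow egress: the egress `cidr_blocks` line concatenates `var.egress_networks` onto `local.egress_networks`, which web/ports.tf fixes to `["0.0.0.0/0"]`, so the all-ports egress rule always includes every address and the input only adds redundant entries, contrary to its "List of egress networks" description. If the intent is a 0/0 default that callers may override, use `cidr_blocks = length(var.egress_networks) == 0 ? local.egress_networks : var.egress_networks`. Both `cidr_blocks` expressions would also benefit from `distinct()` around the `concat`, since a caller CIDR that is already in `n_census` currently yields a duplicate entry in the same rule, which the AWS API may reject.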
diff --git a/web/output.tf b/web/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/web/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/web/ports.tf b/web/ports.tf
new file mode 100644
index 0000000..38aea85
--- /dev/null
+++ b/web/ports.tf
@@ -0,0 +1,37 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: Web common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external"]
+
+ name = var.name
+ ports = [
+ [80, 80, "tcp", "http", local.n_census, ["external"]],
+ [443, 443, "tcp", "https", local.n_census, ["external"]],
+ [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
+ [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
+ ]
+
+ # ingress_networks = var.ingress_networks
+ ingress_networks = []
+ # egress_networks = var.egress_networks
+ egress_networks = local.n_all
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
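Review bot: The `# these are ignored` comment above `ingress_sg` / `egress_sg` is wrong: main.tf iterates both in its dynamic ingress and egress blocks. The commented-out `# ingress_networks = var.ingress_networks` line next to `ingress_networks = []` is also misleading, because main.tf adds `var.ingress_networks` directly in its `cidr_blocks` expressions rather than through this local; a comment such as `# caller networks are merged in main.tf; this local only seeds external_ingress_networks` would make that clear. The header comment in main.tf saying the ports are "opened from everything" likewise disagrees with every entry here being scoped to `local.n_census` plus whatever the caller passes.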
diff --git a/web/variables.tf b/web/variables.tf
new file mode 100644
index 0000000..e80bb6b
--- /dev/null
+++ b/web/variables.tf
@@ -0,0 +1,79 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "m-web"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Web Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Web"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for access (with all pre-defined ingress ports)"
+ type = list(string)
+ default = []
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (with all pre-defined egress ports)"
+ type = list(string)
+ default = []
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/web/version.tf b/web/version.tf
new file mode 100644
index 0000000..a6a90ee
--- /dev/null
+++ b/web/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "1.1.1"
+}
diff --git a/web/versions.tf b/web/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/web/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}