From bf8060b92f9231f754e8c74631cb6fa79d709193 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 27 May 2021 15:53:51 -0400 Subject: [PATCH 01/20] rds-mysql_security-group-module --- rds-mysql/CHANGELOG.md | 2 + rds-mysql/README.md | 69 +++++++++++++++++++++++ rds-mysql/main.tf | 121 +++++++++++++++++++++++++++++++++++++++++ rds-mysql/output.tf | 9 +++ rds-mysql/ports.tf | 33 +++++++++++ rds-mysql/variables.tf | 79 +++++++++++++++++++++++++++ rds-mysql/version.tf | 3 + rds-mysql/versions.tf | 4 ++ 8 files changed, 320 insertions(+) create mode 100644 rds-mysql/CHANGELOG.md create mode 100644 rds-mysql/README.md create mode 100644 rds-mysql/main.tf create mode 100644 rds-mysql/output.tf create mode 100644 rds-mysql/ports.tf create mode 100644 rds-mysql/variables.tf create mode 100644 rds-mysql/version.tf create mode 100644 rds-mysql/versions.tf diff --git a/rds-mysql/CHANGELOG.md b/rds-mysql/CHANGELOG.md new file mode 100644 index 0000000..bc7fc37 --- /dev/null +++ b/rds-mysql/CHANGELOG.md @@ -0,0 +1,2 @@ +# v1.0.0 -- 20210421 + - add module version, update tags diff --git a/rds-mysql/README.md b/rds-mysql/README.md new file mode 100644 index 0000000..9cc7a1d --- /dev/null +++ b/rds-mysql/README.md 
@@ -0,0 +1,69 @@ +# About rds-postgres + +This describes how to use the aws-common-security-groups submodule for rds-postgres. + +Default and auxilliary ports are included in this. They are opened to everything. + +## Usage + +```hcl +module "postgres" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres" + + vpc_id = var.vpc_id + ## optional + # name = "m-postgres-db" + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"RDS PostgreSQL Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-postgres-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"PostgreSQL"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/rds-mysql/main.tf b/rds-mysql/main.tf new file mode 100644 index 0000000..df214b3 --- /dev/null +++ b/rds-mysql/main.tf 
@@ -0,0 +1,121 @@ +/** +* # About rds-mysql +* +* This describes how to use the aws-common-security-groups submodule for rds-mysql. +* +* Default and auxilliary ports are included in this. They are opened to everything. +* +* ## Usage +* +* ```hcl +* module "mysql" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql" +* +* vpc_id = var.vpc_id +* ## optional +* # name = "m-mysql-db" +* +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +*/ + +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} + +locals { + vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] + external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) + ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) + egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) + self = var.enable_self ? [1] : [] + short_description = var.short_description == "" ? var.description : var.short_description +} + +resource "aws_security_group" "this_security_group" { + name = local.name + description = var.description + vpc_id = var.vpc_id + + # ingresss external port list (list + vpc if enabaled) + dynamic "ingress" { + for_each = local.port_map["external"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? 
local.external_ingress_networks : p.value["cidr"] + } + } + + # ingress security group ids (all) + dynamic "ingress" { + for_each = local.ingress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg.value] + } + } + + # ingress self (list with one or zero items) + dynamic "ingress" { + for_each = local.self + iterator = sg + content { + description = "${local.short_description}: from self" + from_port = 0 + to_port = 0 + protocol = -1 + self = true + } + } + + # egress all + egress { + description = "${local.short_description}: All" + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = local.egress_networks + } + + # egress security group ids (all) + dynamic "egress" { + for_each = local.egress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.egress_sg_names[sg]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg] + } + } + + tags = merge( + map("Name", "sg-${local.name}"), + var.tags, + map("boc:created_by", "terraform"), + map("boc:tf_module_version", local._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), + ) +} diff --git a/rds-mysql/output.tf b/rds-mysql/output.tf new file mode 100644 index 0000000..fbdd35a --- /dev/null +++ b/rds-mysql/output.tf @@ -0,0 +1,9 @@ +output "this_security_group_id" { + description = "Created security group ID" + value = aws_security_group.this_security_group.id +} + +output "this_security_group_arn" { + description = "Created security group ARN" + value = aws_security_group.this_security_group.arn +} diff --git a/rds-mysql/ports.tf b/rds-mysql/ports.tf new file mode 100644 index 0000000..b7e21a7 --- /dev/null +++ b/rds-mysql/ports.tf 
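Review bot: The egress dynamic block indexes with the iterator object instead of its value — `${local.egress_sg_names[sg]}` and `security_groups = [sg]` — while the ingress block above correctly uses `sg.value`; with `iterator = sg`, `sg` is an object carrying `key` and `value`, so this block will fail to evaluate as soon as `egress_security_groups` is non-empty. Change the two lines to `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. The same two lines are repeated in rds-maria/main.tf in PATCH 05. Separately, the `tags` expression relies on the `map()` and `list()` functions, which Terraform deprecated in 0.12 and removed in later releases, and `required_version = ">= 0.12"` sets no upper bound; object and list literals (`{ "Name" = "sg-${local.name}" }`, `[var.vpc_id, var.vpc_full_name]`) are the forward-compatible form.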
@@ -0,0 +1,33 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: PostgreSQL common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external"]
+
+ name = var.name
+ ports = [
+ [3356, 3356, "tcp", "mysql-db", local.n_census, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
diff --git a/rds-mysql/variables.tf b/rds-mysql/variables.tf
new file mode 100644
index 0000000..f9b8a68
--- /dev/null
+++ b/rds-mysql/variables.tf
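Review bot: Every entry in `ports` carries `local.n_census` as its cidr, and main.tf only falls back to `local.external_ingress_networks` when that list is empty, so `var.ingress_networks` and `use_vpc_cidr` never influence the rule this module creates, even though variables.tf documents `ingress_networks` as the external-access list and the README says the ports are opened to everything. A caller who narrows `ingress_networks` to restrict the database gets a silent no-op, so state it where the port is defined, e.g. `# cidr is fixed to n_census; set it to [] to honour var.ingress_networks / use_vpc_cidr`. The effective default exposure of the MySQL port is therefore all of RFC 1918 plus 148.129.0.0/16, which is broader than a security-group reference for a database and should be spelled out in the README so consumers can choose. `n_all` is declared but not referenced in this file, and rds-maria/ports.tf in PATCH 05 has the same shape.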
@@ -0,0 +1,79 @@ +#--- +# change between different modules as needed +#--- +variable "name" { + description = "Security Group Name" + type = string + default = "m-mysql-db" +} + +variable "description" { + description = "Security Group Description" + type = string + default = "MySQL Security Group" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + default = "MySQL" +} + +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +#--- +# others with defaults +#--- +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + +variable "ingress_networks" { + description = "List of ingress networks for external access (not all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "egress_networks" { + description = "List of egress networks (all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = { + "CostAllocation" = "csvd:infrastructure" + "Environment" = "csvd-infrastructure" + } +} diff --git a/rds-mysql/version.tf b/rds-mysql/version.tf new file mode 100644 index 0000000..fa2705b --- /dev/null +++ b/rds-mysql/version.tf @@ -0,0 +1,3 @@ +locals { + _module_version = "1.0.0" +} diff --git a/rds-mysql/versions.tf b/rds-mysql/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/rds-mysql/versions.tf 
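Review bot: `variable "tags"` declares `type = map` with no element type; Terraform 0.12 accepts this legacy keyword with a deprecation warning, and `type = map(string)` is what the merge into `aws_security_group.tags` expects anyway. The descriptions of `ingress_security_groups` and `egress_security_groups` should make explicit that referenced groups receive every port and protocol (main.tf emits `from_port = 0`, `to_port = 0`, `protocol = -1` for them), since callers of a database module will likely expect a grant limited to the database port, e.g. `description = "Security group IDs granted ingress on ALL ports/protocols (not limited to the database port)"`. `egress_networks` defaulting to `0.0.0.0/0` on all ports is the AWS default but wide for a database group whose outbound needs are usually limited; naming that in the description lets consumers tighten it deliberately. rds-maria/variables.tf in PATCH 05 repeats all three.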
@@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} From 5fb9253f66a69d4e78b20fab31facd7c1dfb9b61 Mon Sep 17 00:00:00 2001 From: Roy D Ashley Jr Date: Thu, 27 May 2021 15:55:59 -0400 Subject: [PATCH 02/20] Update CHANGELOG.md --- rds-mysql/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rds-mysql/CHANGELOG.md b/rds-mysql/CHANGELOG.md index bc7fc37..bed4f16 100644 --- a/rds-mysql/CHANGELOG.md +++ b/rds-mysql/CHANGELOG.md @@ -1,2 +1,2 @@ -# v1.0.0 -- 20210421 +# v1.0.0 -- 20210527 - add module version, update tags From 48ea19d389c2c94d6a73c2d721aa10f3c4afc2ac Mon Sep 17 00:00:00 2001 From: Roy D Ashley Jr Date: Thu, 27 May 2021 16:00:20 -0400 Subject: [PATCH 03/20] Update README.md --- rds-mysql/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rds-mysql/README.md b/rds-mysql/README.md index 9cc7a1d..80b54bd 100644 --- a/rds-mysql/README.md +++ b/rds-mysql/README.md @@ -1,18 +1,18 @@ -# About rds-postgres +# About rds-mysql -This describes how to use the aws-common-security-groups submodule for rds-postgres. +This describes how to use the aws-common-security-groups submodule for rds-mysql. Default and auxilliary ports are included in this. They are opened to everything. ## Usage ```hcl -module "postgres" { - source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-postgres" +module "mysql" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-mysql" vpc_id = var.vpc_id ## optional - # name = "m-postgres-db" + # name = "m-mysql-db" ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden # tags = { } 
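Review bot: `versions.tf` constrains only Terraform (`>= 0.12`) and declares no provider constraint, which the generated README reflects as `aws | n/a`; every consumer of this module will resolve whatever aws provider version happens to be current, so provider behaviour changes arrive unannounced. Add a `required_providers` entry inside the `terraform` block, e.g. `required_providers { aws = "<constraint chosen for the provider features used>" }`, and drop the stray blank line added before `terraform {`. rds-maria/versions.tf in PATCH 05 is identical.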
@@ -48,14 +48,14 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"RDS PostgreSQL Security Group"` | no | +| [description](#input\_description) | Security Group Description | `string` | `"RDS MySQL Security Group"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [name](#input\_name) | Security Group Name | `string` | `"m-postgres-db"` | no | -| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"PostgreSQL"` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-mysql-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MySQL"` | no | | [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | From 2c0a14064a884fc773ff81cbffd10f749d2e9366 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 28 May 2021 07:47:40 -0400 Subject: [PATCH 04/20] change port to default 3306 --- rds-mysql/README.md | 2 +- rds-mysql/main.tf | 2 +- rds-mysql/ports.tf | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rds-mysql/README.md b/rds-mysql/README.md index 80b54bd..4439a8d 100644 --- a/rds-mysql/README.md +++ b/rds-mysql/README.md @@ -48,7 +48,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"RDS MySQL Security Group"` | no | +| [description](#input\_description) | Security Group Description | `string` | `"MySQL Security Group"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | diff --git a/rds-mysql/main.tf b/rds-mysql/main.tf index df214b3..6204dc4 100644 --- a/rds-mysql/main.tf +++ b/rds-mysql/main.tf @@ -1,4 +1,4 @@ -/** +/* * # About rds-mysql * * This describes how to use the aws-common-security-groups submodule for rds-mysql. diff --git a/rds-mysql/ports.tf b/rds-mysql/ports.tf index b7e21a7..7fc84c3 100644 --- a/rds-mysql/ports.tf +++ b/rds-mysql/ports.tf @@ -7,14 +7,14 @@ # list of: all, external (more added as needed) locals { - description = "module: PostgreSQL common ports" + description = "module: MySQL common ports" n_all = ["0.0.0.0/0"] n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"] source_groups = ["all", "external"] name = var.name ports = [ - [3356, 3356, "tcp", "mysql-db", local.n_census, ["external"]], + [3306, 3306, "tcp", "mysql-db", local.n_census, ["external"]], ] # these are ignored From 90cc30527346ba7bfb67eec4475d1df22c533a02 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 28 May 2021 10:27:24 -0400 Subject: [PATCH 05/20] add rds-maria --- rds-maria/CHANGELOG.md | 2 + rds-maria/README.md | 69 +++++++++++++++++++++++ rds-maria/main.tf | 121 +++++++++++++++++++++++++++++++++++++++++ rds-maria/output.tf | 9 +++ rds-maria/ports.tf | 33 +++++++++++ rds-maria/variables.tf | 79 +++++++++++++++++++++++++++ rds-maria/version.tf | 3 + rds-maria/versions.tf | 4 ++ 8 files changed, 320 insertions(+) create mode 100644 rds-maria/CHANGELOG.md create mode 100644 rds-maria/README.md create mode 100644 rds-maria/main.tf create mode 100644 rds-maria/output.tf create mode 100644 rds-maria/ports.tf create mode 100644 rds-maria/variables.tf create mode 100644 rds-maria/version.tf create mode 100644 rds-maria/versions.tf 
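Review bot: The port correction from 3356 to 3306 changes the rule this module deploys, yet this commit touches neither CHANGELOG.md nor `_module_version` in version.tf, which stays at `1.0.0`; a consumer comparing the `boc:tf_module_version` tag on existing groups cannot tell one created with the wrong port from one created with the right one. Add a changelog line for the fix and bump the module version in the same change.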
diff --git a/rds-maria/CHANGELOG.md b/rds-maria/CHANGELOG.md new file mode 100644 index 0000000..d8a2e53 --- /dev/null +++ b/rds-maria/CHANGELOG.md @@ -0,0 +1,2 @@ +# v1.0.0 -- 20210528 + - add module version, update tags diff --git a/rds-maria/README.md b/rds-maria/README.md new file mode 100644 index 0000000..5d98c50 --- /dev/null +++ b/rds-maria/README.md 
@@ -0,0 +1,69 @@ +# About rds-maria + +This describes how to use the aws-common-security-groups submodule for rds-maria. + +Default and auxilliary ports are included in this. They are opened to everything. + +## Usage + +```hcl +module "maria" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria" + + vpc_id = var.vpc_id + ## optional + # name = "m-maria-db" + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"MariaDB Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-maria-db"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MariaDB"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/rds-maria/main.tf b/rds-maria/main.tf new file mode 100644 index 0000000..dc04635 --- /dev/null +++ b/rds-maria/main.tf 
@@ -0,0 +1,121 @@ +/* +* # About rds-maria +* +* This describes how to use the aws-common-security-groups submodule for rds-maria. +* +* Default and auxilliary ports are included in this. They are opened to everything. +* +* ## Usage +* +* ```hcl +* module "maria" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//rds-maria" +* +* vpc_id = var.vpc_id +* ## optional +* # name = "m-maria-db" +* +* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden +* # tags = { } +* } +* ``` +*/ + +data "aws_vpc" "this_vpc" { + count = var.use_vpc_cidr ? 1 : 0 + id = var.vpc_id +} + +data "aws_security_group" "ingress_security_groups" { + count = length(var.ingress_security_groups) + id = element(var.ingress_security_groups, count.index) +} + +data "aws_security_group" "egress_security_groups" { + count = length(var.egress_security_groups) + id = element(var.egress_security_groups, count.index) +} + +locals { + vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : [] + external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks)) + ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name) + egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name) + self = var.enable_self ? [1] : [] + short_description = var.short_description == "" ? var.description : var.short_description +} + +resource "aws_security_group" "this_security_group" { + name = local.name + description = var.description + vpc_id = var.vpc_id + + # ingresss external port list (list + vpc if enabaled) + dynamic "ingress" { + for_each = local.port_map["external"] + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + cidr_blocks = length(p.value["cidr"]) == 0 ? 
local.external_ingress_networks : p.value["cidr"] + } + } + + # ingress security group ids (all) + dynamic "ingress" { + for_each = local.ingress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg.value] + } + } + + # ingress self (list with one or zero items) + dynamic "ingress" { + for_each = local.self + iterator = sg + content { + description = "${local.short_description}: from self" + from_port = 0 + to_port = 0 + protocol = -1 + self = true + } + } + + # egress all + egress { + description = "${local.short_description}: All" + from_port = 0 + to_port = 0 + protocol = -1 + cidr_blocks = local.egress_networks + } + + # egress security group ids (all) + dynamic "egress" { + for_each = local.egress_sg + iterator = sg + content { + description = "${local.short_description}: ${local.egress_sg_names[sg]}" + from_port = 0 + to_port = 0 + protocol = -1 + security_groups = [sg] + } + } + + tags = merge( + map("Name", "sg-${local.name}"), + var.tags, + map("boc:created_by", "terraform"), + map("boc:tf_module_version", local._module_version), + map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), + ) +} diff --git a/rds-maria/output.tf b/rds-maria/output.tf new file mode 100644 index 0000000..fbdd35a --- /dev/null +++ b/rds-maria/output.tf @@ -0,0 +1,9 @@ +output "this_security_group_id" { + description = "Created security group ID" + value = aws_security_group.this_security_group.id +} + +output "this_security_group_arn" { + description = "Created security group ARN" + value = aws_security_group.this_security_group.arn +} diff --git a/rds-maria/ports.tf b/rds-maria/ports.tf new file mode 100644 index 0000000..f722a8c --- /dev/null +++ b/rds-maria/ports.tf 
@@ -0,0 +1,33 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: MariaDB common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external"]
+
+ name = var.name
+ ports = [
+ [3306, 3306, "tcp", "maria-db", local.n_census, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
diff --git a/rds-maria/variables.tf b/rds-maria/variables.tf
new file mode 100644
index 0000000..b91227c
--- /dev/null
+++ b/rds-maria/variables.tf
@@ -0,0 +1,79 @@ +#--- +# change between different modules as needed +#--- +variable "name" { + description = "Security Group Name" + type = string + default = "m-maria-db" +} + +variable "description" { + description = "Security Group Description" + type = string + default = "MariaDB Security Group" +} + +variable "short_description" { + description = "Security Group Short Description" + type = string + default = "MariaDB" +} + +variable "enable_self" { + description = "Enable|Disable self full access" + type = bool + default = false +} + +variable "use_vpc_cidr" { + description = "Enable|Disable use of VPC CIDR block in the ingress_networks" + type = bool + default = false +} + +#--- +# others with defaults +#--- +variable "vpc_id" { + description = "VPC ID Number" + type = string +} + +variable "vpc_full_name" { + description = "VPC Name" + type = string + default = "" +} + +variable "ingress_networks" { + description = "List of ingress networks for external access (not all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "egress_networks" { + description = "List of egress networks (all ports)" + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "ingress_security_groups" { + description = "List of ingress security groups for all ports" + type = list(string) + default = [] +} + +variable "egress_security_groups" { + description = "List of egress security groups (all ports)" + type = list(string) + default = [] +} + +variable "tags" { + description = "Extra security group tags" + type = map + default = { + "CostAllocation" = "csvd:infrastructure" + "Environment" = "csvd-infrastructure" + } +} diff --git a/rds-maria/version.tf b/rds-maria/version.tf new file mode 100644 index 0000000..fa2705b --- /dev/null +++ b/rds-maria/version.tf @@ -0,0 +1,3 @@ +locals { + _module_version = "1.0.0" +} diff --git a/rds-maria/versions.tf b/rds-maria/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/rds-maria/versions.tf 
@@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} From c0d046b64cdc4a4c1bc76b2f485f1cfce9ed4dd4 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 28 May 2021 15:00:54 -0400 Subject: [PATCH 06/20] remove hpsa, hpom: INC000002703111 --- it-windows-base/CHANGELOG.md | 7 +++++- it-windows-base/README.md | 48 +++++++++++++++++++----------------- it-windows-base/ports.tf | 27 +++++++++++--------- it-windows-base/version.tf | 2 +- 4 files changed, 47 insertions(+), 37 deletions(-) diff --git a/it-windows-base/CHANGELOG.md b/it-windows-base/CHANGELOG.md index 4315820..e9e2e5e 100644 --- a/it-windows-base/CHANGELOG.md +++ b/it-windows-base/CHANGELOG.md @@ -5,6 +5,11 @@ * add EnCase source 148.129.71.121 to 4445/tcp (ticket INC000002587282) * add Riverbed Transaction Agent (formerly appcapture) 172.24.100.107 to 27401/tcp -# v1.2 -- 20210226 +# v1.2.0 -- 20210226 * add HPSA and HPOM * ticket INC000002652291 + +# v1.2.1 -- 20210528 + * remove HPSA and HPOM + * ticket INC000002703111 + diff --git a/it-windows-base/README.md b/it-windows-base/README.md index 7c2097e..d4b7039 100644 --- a/it-windows-base/README.md +++ b/it-windows-base/README.md @@ -2,7 +2,7 @@ This describes how to use the aws-common-security-groups submodule for it-windows-base. -Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP, +Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP, monit, munin, iperf, netperf, NetBackup and Opsware. ## Usage 
@@ -22,46 +22,48 @@ module "it-windows-base" { | Name | Version | |------|---------| -| terraform | >= 0.12 | +| [terraform](#requirement\_terraform) | >= 0.12 | ## Providers | Name | Version | |------|---------| -| aws | n/a | +| [aws](#provider\_aws) | n/a | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | -| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | -| [aws_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| description | Security Group Description | `string` | `"Windows Common Base Security Group"` | no | -| egress\_networks | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | -| egress\_security\_groups | List of egress security groups (all ports) | `list(string)` | `[]` | no | -| enable\_self | Enable\|Disable self full access | `bool` | `false` | no | -| ingress\_networks | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | -| ingress\_security\_groups | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| name | Security Group Name | `string` | `"it-windows-base"` | no | -| short\_description | Security Group Short Description | `string` | `"Windows"` | no | -| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | -| use\_vpc\_cidr | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | -| vpc\_full\_name | VPC Name | `string` | `""` | no | -| vpc\_id | VPC ID Number | `string` | n/a | yes | +| [description](#input\_description) | Security Group Description | `string` | `"Windows Common Base Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"it-windows-base"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Windows"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no |
+| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| this\_security\_group\_arn | Created security group ARN |
-| this\_security\_group\_id | Created security group ID |
+| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/it-windows-base/ports.tf b/it-windows-base/ports.tf
index 6b9aee2..ba25b3c 100644
--- a/it-windows-base/ports.tf
+++ b/it-windows-base/ports.tf
@@ -17,15 +17,15 @@ ## this adds iperf3
 locals {
- n_all = ["0.0.0.0/0"]
- n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
- n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
- n_backup = ["10.193.0.0/22"]
- n_ansible = ["172.24.12.239/32"]
- n_encase = ["148.129.121.72/32"]
- n_riverbed = ["172.24.100.107/32"]
- n_hpsa = ["172.24.100.141/32", "172.24.100.154/32", "172.24.100.165/32"]
- n_hpom = ["172.24.105.24/32"]
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
+ n_backup = ["10.193.0.0/22"]
+ n_ansible = ["172.24.12.239/32"]
+ n_encase = ["148.129.121.72/32"]
+ n_riverbed = ["172.24.100.107/32"]
+ # n_hpsa = ["172.24.100.141/32", "172.24.100.154/32", "172.24.100.165/32"]
+ # n_hpom = ["172.24.105.24/32"]
 source_groups = ["all", "external"]
 name = var.name
 ports = [
@@ -38,9 +38,9 @@ locals {
 [4445, 4445, "tcp", "EnCase", local.n_encase, ["external"]],
 [5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"]],
 [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]],
- [1002, 1002, "tcp", "HPSA", local.n_hpsa, ["external"]],
- [383, 383, "tcp", "HPOM", local.n_hpom, ["external"]],
- [383, 383, "udp", "HPOM", local.n_hpom, ["external"]],
+ # [1002, 1002, "tcp", "HPSA", local.n_hpsa, ["external"]],
+ # [383, 383, "tcp", "HPOM", local.n_hpom, ["external"]],
+ # [383, 383, "udp", "HPOM", local.n_hpom, ["external"]],
 ]
 # these are ignored
@@ -57,3 +57,6 @@ locals {
 s => [for p in local.p_map : p if contains(p["source_group"], s)]
 }
 }
+
+# INC000002703111
+# remove 383, 1002
diff --git a/it-windows-base/version.tf b/it-windows-base/version.tf
index 1ee6619..54b3493 100644
--- a/it-windows-base/version.tf
+++ b/it-windows-base/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.2.0"
+ _module_version = "1.2.1"
 }
From e57149c300a201de86527d5933bda824f54ac77d Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 4 Jun 2021 08:07:14 -0400
Subject: [PATCH 07/20] add web
---
 web/CHANGELOG.md | 2 +
 web/README.md | 75 ++++++++++++++++++++++++++++
 web/main.tf | 127 +++++++++++++++++++++++++++++++++++++++++++++++
 web/output.tf | 9 ++++
 web/ports.tf | 36 ++++++++++++++
 web/variables.tf | 79 +++++++++++++++++++++++++++++
 web/version.tf | 3 ++
 web/versions.tf | 4 ++
 8 files changed, 335 insertions(+)
 create mode 100644 web/CHANGELOG.md
 create mode 100644 web/README.md
 create mode 100644 web/main.tf
 create mode 100644 web/output.tf
 create mode 100644 web/ports.tf
 create mode 100644 web/variables.tf
 create mode 100644 web/version.tf
 create mode 100644 web/versions.tf
diff --git a/web/CHANGELOG.md b/web/CHANGELOG.md
new file mode 100644
index 0000000..778029c
--- /dev/null
+++ b/web/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210604
+ - add module version, update tags
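Review bot: The untouched context line `n_encase = ["148.129.121.72/32"]` in this hunk does not agree with the CHANGELOG entry carried in the same patch, which records the EnCase source as `148.129.71.121`; one of the two looks transposed, and because this /32 is what is admitted to 4445/tcp it is worth confirming against the ticket before the next apply. The `n_hpsa`/`n_hpom` lines that the commit rewrites are commented out rather than deleted; the commit message and CHANGELOG already carry the ticket, so removing the lines outright leaves nothing to be uncommented later without a new ticket.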
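Review bot: The three HPSA/HPOM entries in `ports` are commented out instead of removed, and the `@@ -57` hunk appends `# INC000002703111` / `# remove 383, 1002`, which duplicates what the CHANGELOG and the commit message already say; deleting the three lines keeps ports.tf the single statement of what the group allows, with git history holding the rest. Commented-out allow rules in a security-group module tend to be re-enabled by a quick uncomment that bypasses the ticket trail this commit is otherwise careful about. The README hunk in this patch also still names Opsware in its list of services; if HPSA is the Opsware agent, that sentence is now stale as well.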
diff --git a/web/README.md b/web/README.md new file mode 100644 index 0000000..321167b --- /dev/null +++ b/web/README.md @@ -0,0 +1,75 @@ +# About web + +This describes how to use the aws-common-security-groups submodule for web. + +Default and auxilliary ports are included in this. They are opened from everything. This +includes TCP only for the following ports: + +* 80 http +* 443 https +* 8080 http, Tomcat +* 8443 https, Tomcat + +## Usage + +```hcl +module "web" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web" + + vpc_id = var.vpc_id + ## optional + # name = "m-web" + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"Web Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-web"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Web"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/web/main.tf b/web/main.tf new file mode 100644 index 0000000..532325a --- /dev/null +++ b/web/main.tf 
@@ -0,0 +1,127 @@
+/*
+* # About web
+*
+* This describes how to use the aws-common-security-groups submodule for web.
+*
+* Default and auxilliary ports are included in this. They are opened from everything. This
+* includes TCP only for the following ports:
+*
+* * 80 http
+* * 443 https
+* * 8080 http, Tomcat
+* * 8443 https, Tomcat
+*
+* ## Usage
+*
+* ```hcl
+* module "web" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//web"
+*
+* vpc_id = var.vpc_id
+* ## optional
+* # name = "m-web"
+*
+* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+* # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ?
var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ map("Name", "sg-${local.name}"),
+ var.tags,
+ map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ )
+}
diff --git a/web/output.tf b/web/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/web/output.tf
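Review bot: In the `dynamic "egress"` block the iterator is used bare — `local.egress_sg_names[sg]` and `security_groups = [sg]` — whereas the matching `dynamic "ingress"` block correctly uses `sg.value`; with `iterator = sg`, `sg` is the iterator object rather than the group id, so the first caller that passes a non-empty `egress_security_groups` gets a plan-time type error (the `[]` default is why it has not surfaced). The fix is `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. Separately, the `tags = merge(...)` expression relies on the `map()` and `list()` functions, deprecated since 0.12 and removed in Terraform 0.15, while versions.tf only pins `>= 0.12`; object and tuple literals (`{ "Name" = "sg-${local.name}" }`, `[var.vpc_id, var.vpc_full_name]`) are equivalent and keep the module usable on current releases, or the version constraint should be tightened to match.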
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/web/ports.tf b/web/ports.tf
new file mode 100644
index 0000000..0b7daa4
--- /dev/null
+++ b/web/ports.tf
@@ -0,0 +1,36 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: Web common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external"]
+
+ name = var.name
+ ports = [
+ [80, 80, "tcp", "http", local.n_census, ["external"]],
+ [443, 443, "tcp", "https", local.n_census, ["external"]],
+ [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
+ [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
diff --git a/web/variables.tf b/web/variables.tf
new file mode 100644
index 0000000..541fb29
--- /dev/null
+++ b/web/variables.tf
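Review bot: Every entry in `ports` carries `local.n_census` as its cidr list, so the `length(p.value["cidr"]) == 0` fallback in main.tf never fires and the module's `ingress_networks` and `use_vpc_cidr` inputs are silently ignored — the `# these are ignored` comment admits it, but the README and variables.tf in this same patch still present them as controlling external access, and the README's "opened from everything" does not match what is actually allowed (148.129.0.0/16 plus the RFC 1918 ranges). Either pass `[]` for the entries that should honour the caller's `ingress_networks`, or state in the README that web ingress is fixed to the `n_census` ranges and that those two inputs have no effect here; `n_all` is defined and unused either way. If the fallback is enabled, note that `ingress_networks` defaults to `0.0.0.0/0`, so the default instantiation would become world-reachable on all four ports.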
@@ -0,0 +1,79 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "m-web"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Web Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Web"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/web/version.tf b/web/version.tf
new file mode 100644
index 0000000..fa2705b
--- /dev/null
+++ b/web/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "1.0.0"
+}
diff --git a/web/versions.tf b/web/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/web/versions.tf
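Review bot: `ingress_networks` is documented as "List of ingress networks for external access" with a `["0.0.0.0/0"]` default, but in this module it is never applied — every entry in web/ports.tf carries its own cidr list — so either the description should say that it is unused here, or the default should be fail-closed (`default = []`) so that the day a port entry starts falling back to it the group does not open to the internet by default. `variable "tags" { type = map }` is the legacy unconstrained constraint; `type = map(string)` matches the default value and the provider's tags argument.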
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
From 07e2ebb5b36bf816900cdd99f36551b6592ef68d Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 9 Jun 2021 13:06:39 -0400
Subject: [PATCH 08/20] add kafka
---
 kafka/CHANGELOG.md | 2 +
 kafka/README.md | 75 ++++++++++++++++++++++++
 kafka/main.tf | 140 +++++++++++++++++++++++++++++++++++++++++++++
 kafka/output.tf | 9 +++
 kafka/ports.tf | 41 +++++++++++++
 kafka/variables.tf | 79 +++++++++++++++++++++++++
 kafka/version.tf | 3 +
 kafka/versions.tf | 4 ++
 8 files changed, 353 insertions(+)
 create mode 100644 kafka/CHANGELOG.md
 create mode 100644 kafka/README.md
 create mode 100644 kafka/main.tf
 create mode 100644 kafka/output.tf
 create mode 100644 kafka/ports.tf
 create mode 100644 kafka/variables.tf
 create mode 100644 kafka/version.tf
 create mode 100644 kafka/versions.tf
diff --git a/kafka/CHANGELOG.md b/kafka/CHANGELOG.md
new file mode 100644
index 0000000..877b488
--- /dev/null
+++ b/kafka/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210609
+ - create module
diff --git a/kafka/README.md b/kafka/README.md
new file mode 100644
index 0000000..6dfd892
--- /dev/null
+++ b/kafka/README.md
@@ -0,0 +1,75 @@ +# About kafka + +This describes how to use the aws-common-security-groups submodule for kafka. + +Default and auxilliary ports are included in this. This includes TCP only for the following ports: + +* 22 ssh +* 443 https +* 9000 http +* 9001 http +* 9092, 8083, 2181, 2188, 2189, 9999 + +## Usage + +```hcl +module "kafka" { + source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//kafka" + + vpc_id = var.vpc_id + ## optional + # name = "m-kafka" + + ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden + # tags = { } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security Group Description | `string` | `"Web Security Group"` | no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | +| [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-web"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Web"` | no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/kafka/main.tf b/kafka/main.tf new file mode 100644 index 0000000..1131039 --- /dev/null +++ b/kafka/main.tf 
@@ -0,0 +1,140 @@
+/*
+* # About kafka
+*
+* This describes how to use the aws-common-security-groups submodule for kafka.
+*
+* Default and auxilliary ports are included in this. This includes TCP only for the following ports:
+*
+* * 22 ssh
+* * 443 https
+* * 9000 http
+* * 9001 http
+* * 9092, 8083, 2181, 2188, 2189, 9999
+*
+* ## Usage
+*
+* ```hcl
+* module "kafka" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//kafka"
+*
+* vpc_id = var.vpc_id
+* ## optional
+* # name = "m-kafka"
+*
+* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
+* # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ?
var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingresss vpc port list (ignores port{} network block)
+ dynamic "ingress" {
+ for_each = local.port_map["vpc"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = [data.aws_vpc.this_vpc[0].cidr_block]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ map("Name", "sg-${local.name}"),
+ var.tags,
+
map("boc:created_by", "terraform"),
+ map("boc:tf_module_version", local._module_version),
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ )
+}
diff --git a/kafka/output.tf b/kafka/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/kafka/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/kafka/ports.tf b/kafka/ports.tf
new file mode 100644
index 0000000..19e4b92
--- /dev/null
+++ b/kafka/ports.tf
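Review bot: The new `dynamic "ingress"` over `local.port_map["vpc"]` reads `data.aws_vpc.this_vpc[0].cidr_block`, but that data source is declared with `count = var.use_vpc_cidr ? 1 : 0` and `use_vpc_cidr` defaults to false; since kafka/ports.tf puts Zookeeper, 8083 and 9999 in the vpc group, a default instantiation fails at plan time with an out-of-range index on `this_vpc[0]`. The simplest fix is to look the VPC up unconditionally — drop the `count` line, use `vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc.cidr_block] : []` in locals and `cidr_blocks = [data.aws_vpc.this_vpc.cidr_block]` in the vpc block — so `use_vpc_cidr` only decides whether the VPC range is added to the external ports, which is what its description in variables.tf says. The `dynamic "egress"` block also uses the bare iterator (`local.egress_sg_names[sg]`, `security_groups = [sg]`) where `sg.value` is needed, as the ingress block does; it is latent only because `egress_security_groups` defaults to `[]`.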
@@ -0,0 +1,41 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ description = "module: Kafka common ports"
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ source_groups = ["all", "external", "vpc"]
+
+ name = var.name
+ ports = [
+ [22, 22, "tcp", "ssh", local.n_all, ["external"]],
+ [443, 443, "tcp", "https", local.n_all, ["external"]],
+ [2181, 2181, "tcp", "Zookeeper-client", local.n_all, ["vpc"]],
+ [2188, 2189, "tcp", "Zookeeper-follower", local.n_all, ["vpc"]],
+ [3188, 3188, "tcp", "Zookeeper-internode", local.n_all, ["vpc"]],
+ [8083, 8083, "tcp", "Kafka", local.n_all, ["vpc"]],
+ [9000, 9001, "tcp", "Kafka-UI", local.n_all, ["external"]],
+ [9092, 9093, "tcp", "Kafka-listener", local.n_all, ["external"]],
+ [9999, 9999, "tcp", "Kafka", local.n_all, ["vpc"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignored
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
diff --git a/kafka/variables.tf b/kafka/variables.tf
new file mode 100644
index 0000000..541fb29
--- /dev/null
+++ b/kafka/variables.tf
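Review bot: `ssh` (22), `https` (443), `Kafka-UI` (9000-9001) and `Kafka-listener` (9092-9093) are all in the `external` group with `local.n_all`, i.e. `0.0.0.0/0`, so a default instantiation of this module exposes SSH and the broker listener to any source address; `n_census` is defined on the line above and never used. Restricting those four entries to `local.n_census` (as web/ports.tf does) or to `[]` so that the caller's `ingress_networks` applies is the least a Kafka group should default to, and if `[]` is chosen the `0.0.0.0/0` default of `ingress_networks` should change with it. The `vpc` entries also carry `local.n_all`, which main.tf ignores for that group; `[]` there would stop a reader assuming they are world-open. The README in this patch lists 9092, 2188 and 2189 but not 9093 or 3188, both of which this list opens.
```hcl
 ports = [
 [22, 22, "tcp", "ssh", local.n_census, ["external"]],
 [443, 443, "tcp", "https", local.n_census, ["external"]],
 # ... unchanged: Zookeeper and 8083 vpc entries ...
 [9000, 9001, "tcp", "Kafka-UI", local.n_census, ["external"]],
 [9092, 9093, "tcp", "Kafka-listener", local.n_census, ["external"]],
 # ... unchanged: 9999 vpc entry and closing bracket ...
```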
@@ -0,0 +1,79 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "m-web"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Web Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Web"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/kafka/version.tf b/kafka/version.tf
new file mode 100644
index 0000000..fa2705b
--- /dev/null
+++ b/kafka/version.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_version = "1.0.0"
+}
diff --git a/kafka/versions.tf b/kafka/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/kafka/versions.tf
@@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} From 13c7574a1f158f33113fb309b1741c0a297693ac Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 9 Jun 2021 13:19:15 -0400 Subject: [PATCH 09/20] fix labels --- kafka/README.md | 6 +++--- kafka/variables.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/kafka/README.md b/kafka/README.md index 6dfd892..96101ed 100644 --- a/kafka/README.md +++ b/kafka/README.md @@ -54,14 +54,14 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security Group Description | `string` | `"Web Security Group"` | no | +| [description](#input\_description) | Security Group Description | `string` | `"Kafka Security Group"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
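Review bot: The relabelled row `[9999, 9999, "tcp", "Kafka-JMX", local.n_all, ["vpc"]]` now documents that 9999 is a JMX endpoint but still opens it to `0.0.0.0/0`; JMX is a management interface and, when not authenticated, allows remote MBean invocation, so it should never be reachable from outside the VPC. Unless main.tf restricts the `"vpc"` source group to the VPC CIDR (not visible in this patch), the CIDR on this row should be `local.n_census` or an empty list that falls back to caller-supplied networks. The same applies to the other `"vpc"`-tagged rows, which are context lines here.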
[
"0.0.0.0/0"
]
| no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | -| [name](#input\_name) | Security Group Name | `string` | `"m-web"` | no | -| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Web"` | no | +| [name](#input\_name) | Security Group Name | `string` | `"m-kafka"` | no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Kafka"` | no | | [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | diff --git a/kafka/variables.tf b/kafka/variables.tf index 541fb29..3e3cf73 100644 --- a/kafka/variables.tf +++ b/kafka/variables.tf @@ -4,19 +4,19 @@ variable "name" { description = "Security Group Name" type = string - default = "m-web" + default = "m-kafka" } variable "description" { description = "Security Group Description" type = string - default = "Web Security Group" + default = "Kafka Security Group" } variable "short_description" { description = "Security Group Short Description" type = string - default = "Web" + default = "Kafka" } variable "enable_self" { From 19274afe12542977872b27d287e87d300ec24b5e Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 9 Jun 2021 13:21:06 -0400 Subject: [PATCH 10/20] fix labels --- kafka/ports.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kafka/ports.tf b/kafka/ports.tf index 19e4b92..12b0c0a 100644 --- a/kafka/ports.tf +++ b/kafka/ports.tf @@ -22,7 +22,7 @@ locals { [8083, 8083, "tcp", "Kafka", local.n_all, ["vpc"]], [9000, 9001, "tcp", "Kafka-UI", local.n_all, ["external"]], [9092, 9093, "tcp", "Kafka-listener", local.n_all, ["external"]], - [9999, 9999, "tcp", "Kafka", local.n_all, ["vpc"]], + [9999, 9999, "tcp", "Kafka-JMX", local.n_all, ["vpc"]], ] # these are ignored From 3e8894a4d761a8cdb36cb08c3fba5d67ea2746b8 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 21 Jun 2021 14:44:31 -0400 Subject: [PATCH 11/20] v1.3.1: add 2483 tcp 2484 tcp+ssl --- rds-oracle/CHANGELOG.md | 4 +++- rds-oracle/README.md | 29 ++++++++++++++--------------- rds-oracle/main.tf | 9 ++++++--- rds-oracle/ports.tf | 15 +++++++++++++++ rds-oracle/version.tf | 6 ++---- 5 files changed, 40 insertions(+), 23 deletions(-) 
diff --git a/rds-oracle/CHANGELOG.md b/rds-oracle/CHANGELOG.md index 239a373..167edf8 100644 --- a/rds-oracle/CHANGELOG.md +++ b/rds-oracle/CHANGELOG.md @@ -1,3 +1,5 @@ # v1.3 -- 20200604 + - add module version, update tags -* add module version, update tags +# v1.3.1 -- 20210621 + - add ports 2483 and 2484 (tcp, tcp+ssl) diff --git a/rds-oracle/README.md b/rds-oracle/README.md index 9f48f1f..68a4079 100644 --- a/rds-oracle/README.md +++ b/rds-oracle/README.md @@ -19,39 +19,38 @@ module "rds-oracle" { | Name | Version | |------|---------| -| terraform | >= 0.12 | +| [terraform](#requirement\_terraform) | >= 0.12 | ## Providers | Name | Version | |------|---------| -| aws | n/a | +| [aws](#provider\_aws) | n/a | ## Modules -No Modules. +No modules. ## Resources -| Name | -|------| -| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | +| Name | Type | +|------|------| +| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"1.3"` | no | -| egress\_networks | List of egress networks (all ports) | `list(string)` |
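Review bot: The new `tomap({...})` block still wraps the VPC info in `list(var.vpc_id, var.vpc_full_name)`; `list()` is a deprecated Terraform 0.12 function that was removed in 0.15, so this line will stop planning as soon as the required version moves, while `tomap` is the modern form. A plain list constructor is equivalent and future-proof: `"boc:vpc:info" = join(" ", compact([var.vpc_id, var.vpc_full_name]))`. The reordering also moves `Name` after `var.tags` in the `merge()`, so a caller-supplied `Name` tag is now silently overwritten by `sg-${local.name}` where the old code let it win; if that is intended, a comment such as `# module-managed tags take precedence over var.tags` would make the change deliberate rather than accidental.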
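Review bot: The added row `[2483, 2484, "tcp", "oracle-db", []]` has an empty CIDR list, which presumably falls back to `var.networks` (the README hunk in this same commit says it "applies to all ports" and defaults to `["0.0.0.0/0"]`), so unless the caller overrides `networks` this opens two more listener ports to the internet. That is consistent with the existing 1521 and 1570-1571 rows, but an RDS instance listens on a single configured port, so a comment on why all four ranges are opened would help, and it argues for `networks` defaulting to `[]` rather than 0/0. Since 2484 is the TCPS port (per the commit message), splitting the row as `[2483, 2483, "tcp", "oracle-db", []]` and `[2484, 2484, "tcp", "oracle-db-tcps", []]` keeps the rule descriptions accurate for anyone auditing the group.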
[
"0.0.0.0/0"
]
| no | -| name | Security group Name | `string` | `"m-oracle-db"` | no | -| networks | List of ingress networks (applies to all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | -| tags | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | -| vpc\_full\_name | VPC Name | `string` | `""` | no | -| vpc\_id | VPC ID Number | `string` | n/a | yes | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [name](#input\_name) | Security group Name | `string` | `"m-oracle-db"` | no | +| [networks](#input\_networks) | List of ingress networks (applies to all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| this\_security\_group\_arn | Created security group ARN | -| this\_security\_group\_id | Created security group ID | +| [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN | +| [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID | diff --git a/rds-oracle/main.tf b/rds-oracle/main.tf index 60be493..f3fd981 100644 --- a/rds-oracle/main.tf +++ b/rds-oracle/main.tf @@ -44,9 +44,12 @@ resource "aws_security_group" "this_security_group" { } tags = merge( - map("Name", "sg-${local.name}"), var.tags, - map("boc:tf_module_version", var._module_version), - map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))), + tomap({ + "Name" = "sg-${local.name}" + "boc:tf_module_version" = local._module_version + "boc:created_by" = "terraform" + "boc:vpc:info" = join(" ", compact(list(var.vpc_id, var.vpc_full_name))) + }) ) } diff --git a/rds-oracle/ports.tf b/rds-oracle/ports.tf index 80c0160..87e8dca 100644 --- a/rds-oracle/ports.tf +++ b/rds-oracle/ports.tf @@ -4,6 +4,7 @@ locals { ports = [ [1521, 1521, "tcp", "oracle-db", []], [1570, 1571, "tcp", "oracle-db", []], + [2483, 2484, "tcp", "oracle-db", []], [3872, 3872, "tcp", "inbound-oracle-OEM", ["172.24.101.9/32", "172.24.101.10/32", "172.24.32.251/32"]], [7799, 7799, "tcp", "oracle-OEM", []], ] 
@@ -12,3 +13,17 @@ locals { ports_fields = ["from", "to", "proto", "description", "cidr"] ports_map = [for p in local.ports : zipmap(local.ports_fields, p)] } + +# references +# https://docs.oracle.com/cd/B19306_01/install.102/b25293/app_port.htm +# https://docs.oracle.com/cd/B12037_01/network.101/b10776/protocoladd.htm +# +# Recommended Port Numbers +# Table 4-2, "Recommended Port Numbers" lists the recommends the port numbers. +# +# Table 4-2 Recommended Port Numbers +# +# Port Description +# 1521 Default listening port for client connections to the listener. In future releases, this port number may change to the officially registered port number of 2483 for TCP/IP and 2484 for TCP/IP with SSL. +# 1521 Default and officially registered listening port for client connections to Oracle Connection Manager +# 1830 Default and officially registered listening port for administrative commands to Oracle Connection Manager diff --git a/rds-oracle/version.tf b/rds-oracle/version.tf index 38fadfd..e4a1130 100644 --- a/rds-oracle/version.tf +++ b/rds-oracle/version.tf @@ -1,5 +1,3 @@ -variable "_module_version" { - description = "Module version number" - type = string - default = "1.3" +locals { + _module_version = "1.3.1" } From 58d454169ff670555b07c5393fbb67bd4e85fd81 Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 21 Jun 2021 15:02:27 -0400 Subject: [PATCH 12/20] add description --- rds-oracle/CHANGELOG.md | 7 +++++-- rds-oracle/README.md | 5 +++++ rds-oracle/main.tf | 4 ++++ rds-oracle/ports.tf | 2 +- rds-oracle/variables.tf | 6 ++++++ rds-oracle/version.tf | 2 +- 6 files changed, 22 insertions(+), 4 deletions(-) diff --git a/rds-oracle/CHANGELOG.md b/rds-oracle/CHANGELOG.md index 167edf8..65bc294 100644 --- a/rds-oracle/CHANGELOG.md +++ b/rds-oracle/CHANGELOG.md 
@@ -1,5 +1,8 @@ -# v1.3 -- 20200604 +* v1.3 -- 20200604 - add module version, update tags -# v1.3.1 -- 20210621 +* v1.3.1 -- 20210621 - add ports 2483 and 2484 (tcp, tcp+ssl) + +* v1.3.2 -- 20210621 + - add variable description diff --git a/rds-oracle/README.md b/rds-oracle/README.md index 68a4079..166ad83 100644 --- a/rds-oracle/README.md +++ b/rds-oracle/README.md @@ -10,6 +10,10 @@ module "rds-oracle" { # name = "m-rds-oracle" vpc_id = var.vpc_id + + ## optional + # description = "my other description" # not recommended to change this + # Name, CostAllocation, and Environment are pre-set # tags = { } } @@ -41,6 +45,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [description](#input\_description) | Security group description | `string` | `"module: Oracle common ports"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
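Review bot: The new `description` variable feeds the `description` argument of `aws_security_group`, and the README in this commit only says changing it is "not recommended" without saying why; in the AWS provider that argument forces replacement of the security group, which detaches it from every ENI using it, so the reason belongs on the variable itself. Something like `description = "Security Group Description. Changing this forces the security group to be replaced (and detached from instances); leave at the default."` makes the consequence visible in terraform-docs output and in plan review. A `validation` block rejecting an empty string would also be cheap, since AWS requires a non-empty group description.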
[
"0.0.0.0/0"
]
| no | | [name](#input\_name) | Security group Name | `string` | `"m-oracle-db"` | no | | [networks](#input\_networks) | List of ingress networks (applies to all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | diff --git a/rds-oracle/main.tf b/rds-oracle/main.tf index f3fd981..39944cb 100644 --- a/rds-oracle/main.tf +++ b/rds-oracle/main.tf @@ -11,6 +11,10 @@ * * # name = "m-rds-oracle" * vpc_id = var.vpc_id +* +* ## optional +* # description = "my other description" # not recommended to change this +* * # Name, CostAllocation, and Environment are pre-set * # tags = { } * } diff --git a/rds-oracle/ports.tf b/rds-oracle/ports.tf index 87e8dca..3d5428a 100644 --- a/rds-oracle/ports.tf +++ b/rds-oracle/ports.tf @@ -1,5 +1,5 @@ locals { - description = "module: Oracle common ports" + description = var.description name = var.name ports = [ [1521, 1521, "tcp", "oracle-db", []], diff --git a/rds-oracle/variables.tf b/rds-oracle/variables.tf index 5824124..2f63f01 100644 --- a/rds-oracle/variables.tf +++ b/rds-oracle/variables.tf @@ -16,6 +16,12 @@ variable "name" { default = "m-oracle-db" } +variable "description" { + description = "Security group description" + type = string + default = "module: Oracle common ports" +} + variable "networks" { description = "List of ingress networks (applies to all ports)" type = list(string) diff --git a/rds-oracle/version.tf b/rds-oracle/version.tf index e4a1130..5ec2ece 100644 --- a/rds-oracle/version.tf +++ b/rds-oracle/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.3.1" + _module_version = "1.3.2" } From ee9279905439bf3a66fe355e933dd1cb5688252c Mon Sep 17 00:00:00 2001 From: badra001 Date: Mon, 21 Jun 2021 15:06:00 -0400 Subject: [PATCH 13/20] add short_description --- rds-oracle/README.md | 3 ++- rds-oracle/main.tf | 11 ++++++----- rds-oracle/variables.tf | 9 ++++++++- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/rds-oracle/README.md b/rds-oracle/README.md index 166ad83..fa356e6 100644 --- a/rds-oracle/README.md +++ b/rds-oracle/README.md 
@@ -45,10 +45,11 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [description](#input\_description) | Security group description | `string` | `"module: Oracle common ports"` | no | +| [description](#input\_description) | Security Group Description | `string` | `"module: Oracle common ports"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [name](#input\_name) | Security group Name | `string` | `"m-oracle-db"` | no | | [networks](#input\_networks) | List of ingress networks (applies to all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Oracle"` | no | | [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | diff --git a/rds-oracle/main.tf b/rds-oracle/main.tf index 39944cb..cb80bf5 100644 --- a/rds-oracle/main.tf +++ b/rds-oracle/main.tf @@ -22,16 +22,17 @@ */ resource "aws_security_group" "this_security_group" { - name = local.name - description = local.description - vpc_id = var.vpc_id + name = local.name + description = local.description + short_description = var.short_description == "" ? var.description : var.short_description + vpc_id = var.vpc_id # portlist dynamic "ingress" { for_each = local.ports_map iterator = p content { - description = "${local.description}: ${p.value["description"]}" + description = "${local.short_description}: ${p.value["description"]}" from_port = p.value["from"] to_port = p.value["to"] protocol = p.value["proto"] @@ -40,7 +41,7 @@ resource "aws_security_group" "this_security_group" { } egress { - description = "${local.description}: All" + description = "${local.short_description}: All" from_port = 0 to_port = 0 protocol = -1 diff --git a/rds-oracle/variables.tf b/rds-oracle/variables.tf index 2f63f01..d17440a 100644 --- a/rds-oracle/variables.tf +++ b/rds-oracle/variables.tf @@ -17,11 +17,17 @@ variable "name" { } variable "description" { - description = "Security group description" + description = "Security Group Description" type = string default = "module: Oracle common ports" } +variable "short_description" { + description = "Security Group Short Description" + type = string + default = "Oracle" +} + variable "networks" { description = "List of ingress networks (applies to all ports)" type = list(string) @@ -42,3 +48,4 @@ variable "tags" { "Environment" = "csvd-infrastructure" } } + From cd59c122a31a5bea17fc7febac0b419021940c95 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Mon, 21 Jun 2021 15:15:03 -0400 Subject: [PATCH 14/20] add short_description --- rds-oracle/main.tf | 7 +++---- rds-oracle/ports.tf | 5 +++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rds-oracle/main.tf b/rds-oracle/main.tf index cb80bf5..72893ec 100644 --- a/rds-oracle/main.tf +++ b/rds-oracle/main.tf @@ -22,10 +22,9 @@ */ resource "aws_security_group" "this_security_group" { - name = local.name - description = local.description - short_description = var.short_description == "" ? var.description : var.short_description - vpc_id = var.vpc_id + name = local.name + description = local.description + vpc_id = var.vpc_id # portlist dynamic "ingress" { diff --git a/rds-oracle/ports.tf b/rds-oracle/ports.tf index 3d5428a..5da2cda 100644 --- a/rds-oracle/ports.tf +++ b/rds-oracle/ports.tf @@ -1,6 +1,7 @@ locals { - description = var.description - name = var.name + description = var.description + short_description = var.short_description == "" ? var.description : var.short_description + name = var.name ports = [ [1521, 1521, "tcp", "oracle-db", []], [1570, 1571, "tcp", "oracle-db", []], From 13646efa15697fab3d12274b6a124d6d5910b8e0 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 21 Jun 2021 16:25:13 -0400 Subject: [PATCH 15/20] change 5482 to 5432 --- rds-postgres/ports.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rds-postgres/ports.tf b/rds-postgres/ports.tf index ba92c81..5737c50 100644 --- a/rds-postgres/ports.tf +++ b/rds-postgres/ports.tf @@ -14,7 +14,7 @@ locals { name = var.name ports = [ - [5482, 5482, "tcp", "postgres-db", local.n_census, ["external"]], + [5432, 5432, "tcp", "postgres-db", local.n_census, ["external"]], ] # these are ignored From 9c6fefb6456be66790e0b7beb513176eae0d24c0 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 15 Sep 2021 14:17:22 -0400 Subject: [PATCH 16/20] v1.1.0: enable ingress and egress networks variables --- web/CHANGELOG.md | 3 +++ web/README.md | 6 ++++-- web/main.tf | 6 ++++-- web/ports.tf | 1 - web/variables.tf | 8 ++++---- web/version.tf | 2 +- 6 files changed, 16 insertions(+), 10 deletions(-) diff --git a/web/CHANGELOG.md b/web/CHANGELOG.md index 778029c..587650a 100644 --- a/web/CHANGELOG.md +++ b/web/CHANGELOG.md @@ -1,2 +1,5 @@ # v1.0.0 -- 20210604 - add module version, update tags + +# v1.1.0 -- 20210915 + - enable use of ingress_networks and egress_networks for pre-defined port list diff --git a/web/README.md b/web/README.md index 321167b..14206dd 100644 --- a/web/README.md +++ b/web/README.md @@ -19,6 +19,8 @@ module "web" { vpc_id = var.vpc_id ## optional # name = "m-web" + # ingress_networks = [ "1.2.3.0/24" ] + # egress_networks = [ "1.2.3.0/24" ] ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden # tags = { } @@ -55,10 +57,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [description](#input\_description) | Security Group Description | `string` | `"Web Security Group"` | no | -| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
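Review bot: The egress rule now uses `concat(local.egress_networks, var.egress_networks)`, but the ports.tf hunk in the same commit sets `egress_networks = var.egress_networks`, so every caller-supplied egress CIDR appears twice in `cidr_blocks`, and with the new `[]` default the rule has no destinations at all, which the provider will either reject or create as a rule that allows nothing. Duplicate entries in one rule may be rejected by the EC2 API and are at best noise in plan output; `distinct()` on the result, or dropping one of the two operands, removes the duplication: `cidr_blocks = distinct(compact(var.egress_networks))`. The same duplication can occur on the ingress line earlier in this file when a caller passes a network already present in a row's predefined CIDR list. `flatten()` is a no-op on a list of strings and can be dropped from both lines.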
[
"0.0.0.0/0"
]
| no | +| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | -| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | | [name](#input\_name) | Security Group Name | `string` | `"m-web"` | no | | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Web"` | no | diff --git a/web/main.tf b/web/main.tf index 532325a..71507b0 100644 --- a/web/main.tf +++ b/web/main.tf @@ -20,6 +20,8 @@ * vpc_id = var.vpc_id * ## optional * # name = "m-web" +* # ingress_networks = [ "1.2.3.0/24" ] +* # egress_networks = [ "1.2.3.0/24" ] * * ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden * # tags = { } @@ -65,7 +67,7 @@ resource "aws_security_group" "this_security_group" { from_port = p.value["from"] to_port = p.value["to"] protocol = p.value["proto"] - cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"] + cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compress(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compress(concat(p.value["cidr"], var.ingress_networks))) } } @@ -101,7 +103,7 @@ resource "aws_security_group" "this_security_group" { from_port = 0 to_port = 0 protocol = -1 - cidr_blocks = local.egress_networks + cidr_blocks = flatten(compress(concat(local.egress_networks, var.egress_networks))) } # egress security group ids (all) diff --git a/web/ports.tf b/web/ports.tf index 0b7daa4..ab8a40e 100644 --- a/web/ports.tf +++ b/web/ports.tf @@ -20,7 +20,6 @@ locals { [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]], ] - # these are ignored ingress_networks = var.ingress_networks egress_networks = var.egress_networks diff --git a/web/variables.tf b/web/variables.tf index 541fb29..e80bb6b 100644 --- a/web/variables.tf 
+++ b/web/variables.tf @@ -46,15 +46,15 @@ variable "vpc_full_name" { } variable "ingress_networks" { - description = "List of ingress networks for external access (not all ports)" + description = "List of ingress networks for access (with all pre-defined ingress ports)" type = list(string) - default = ["0.0.0.0/0"] + default = [] } variable "egress_networks" { - description = "List of egress networks (all ports)" + description = "List of egress networks (with all pre-defined egress ports)" type = list(string) - default = ["0.0.0.0/0"] + default = [] } variable "ingress_security_groups" { diff --git a/web/version.tf b/web/version.tf index fa2705b..9c489cd 100644 --- a/web/version.tf +++ b/web/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.0.0" + _module_version = "1.1.0" } From c80b86f14cf248a366161595c1079649de476218 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 15 Sep 2021 14:28:38 -0400 Subject: [PATCH 17/20] fix --- web/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/main.tf b/web/main.tf index 71507b0..899f7ec 100644 --- a/web/main.tf +++ b/web/main.tf @@ -67,7 +67,7 @@ resource "aws_security_group" "this_security_group" { from_port = p.value["from"] to_port = p.value["to"] protocol = p.value["proto"] - cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compress(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compress(concat(p.value["cidr"], var.ingress_networks))) + cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compress(concat(p.value["cidr"], var.ingress_networks))) } } @@ -103,7 +103,7 @@ resource "aws_security_group" "this_security_group" { from_port = 0 to_port = 0 protocol = -1 - cidr_blocks = flatten(compress(concat(local.egress_networks, var.egress_networks))) + cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks))) } # egress security group ids (all) 
From 06bc7d1e18d7ab7afd05fd6db7c2a8b11ae66a1b Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 15 Sep 2021 14:30:11 -0400 Subject: [PATCH 18/20] fix --- web/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/main.tf b/web/main.tf index 899f7ec..e1edc45 100644 --- a/web/main.tf +++ b/web/main.tf @@ -67,7 +67,7 @@ resource "aws_security_group" "this_security_group" { from_port = p.value["from"] to_port = p.value["to"] protocol = p.value["proto"] - cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compress(concat(p.value["cidr"], var.ingress_networks))) + cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks))) } } From ad7f43a72e7241b578c26c39a808a9db6dc9e0ba Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 29 Sep 2021 16:30:38 -0400 Subject: [PATCH 19/20] v1.1.1: fix egress network default --- web/CHANGELOG.md | 3 +++ web/ports.tf | 6 ++++-- web/version.tf | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/web/CHANGELOG.md b/web/CHANGELOG.md index 587650a..d87e949 100644 --- a/web/CHANGELOG.md +++ b/web/CHANGELOG.md @@ -3,3 +3,6 @@ # v1.1.0 -- 20210915 - enable use of ingress_networks and egress_networks for pre-defined port list + +# v1.1.1 -- 20210929 + - fix default egress to be 0/0 diff --git a/web/ports.tf b/web/ports.tf index ab8a40e..38aea85 100644 --- a/web/ports.tf +++ b/web/ports.tf @@ -20,8 +20,10 @@ locals { [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]], ] - ingress_networks = var.ingress_networks - egress_networks = var.egress_networks + # ingress_networks = var.ingress_networks + ingress_networks = [] + # egress_networks = var.egress_networks + egress_networks = local.n_all # these are ignored ingress_sg = var.ingress_security_groups 
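Review bot: With `compact` now on both branches, the remaining issue on this line is that `concat(p.value["cidr"], var.ingress_networks)` can contain the same CIDR twice when a caller passes a network already in the row's list (one of the internal ranges, for example), producing duplicate `cidr_blocks` in a single rule; wrapping the result in `distinct()` makes it safe and also collapses the two near-identical branches: `cidr_blocks = distinct(compact(concat(length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"], var.ingress_networks)))`. `flatten()` is a no-op on a list of strings and can go. The enclosing `dynamic "ingress"` block starts outside the hunk.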
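Review bot: `egress_networks = local.n_all` is now a hard-coded local that main.tf concatenates with `var.egress_networks`, so a caller can only add egress destinations and can never narrow egress below 0.0.0.0/0, which makes the `egress_networks` variable useless for the one thing consumers usually want from it. Making the fallback conditional keeps 0/0 as the default while letting callers restrict: `egress_networks = length(var.egress_networks) == 0 ? local.n_all : []`. The commented-out `# ingress_networks = var.ingress_networks` next to `ingress_networks = []` should be deleted or replaced by a comment explaining that caller networks are applied in main.tf rather than here, otherwise the surviving `# these are ignored` reads as though it still covers these lines; and if anything in main.tf still reads `local.ingress_networks`, it now always sees an empty list.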
diff --git a/web/version.tf b/web/version.tf index 9c489cd..a6a90ee 100644 --- a/web/version.tf +++ b/web/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "1.1.0" + _module_version = "1.1.1" } From a7e9510d1ced5a5ef71a786f236a14a8a136847e Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 29 Sep 2021 16:31:50 -0400 Subject: [PATCH 20/20] fix for web submodule only --- web/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/CHANGELOG.md b/web/CHANGELOG.md index d87e949..3523043 100644 --- a/web/CHANGELOG.md +++ b/web/CHANGELOG.md @@ -5,4 +5,4 @@ - enable use of ingress_networks and egress_networks for pre-defined port list # v1.1.1 -- 20210929 - - fix default egress to be 0/0 + - fix default egress to be 0/0 for web submodule