add to refactor

terraform-modules · May 28, 2021 · dfb9a20 · dfb9a20
1 parent 6c6a7b8
commit dfb9a20
Show file tree

Hide file tree

Showing 9 changed files with 402 additions and 0 deletions.
diff --git a/common/README.md b/common/README.md
@@ -0,0 +1,52 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `"Linux Common Base Security Group"` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
+| <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
+| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `"it-linux-base"` | no |
+| <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Linux"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | <pre>{<br>  "CostAllocation": "csvd:infrastructure",<br>  "Environment": "csvd-infrastructure"<br>}</pre> | no |
+| <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_this_security_group_arn"></a> [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| <a name="output_this_security_group_id"></a> [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/general/CHANGELOG.md b/general/CHANGELOG.md
@@ -0,0 +1,2 @@
+# v1.0.0 -- 20210429
+  * create new general submodule
diff --git a/general/README.md b/general/README.md
@@ -0,0 +1,69 @@
+# About it-windows-base
+
+This describes how to use the aws-common-security-groups submodule for it-windows-base.
+
+Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP,
+monit, munin, iperf, netperf, NetBackup and Opsware.
+
+## Usage
+
+```hcl
+module "it-windows-base" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base"
+
+  # name = "it-windows-base"
+  vpc_id = var.vpc_id
+  # Name, CostAllocation, and Environment are pre-set, but they can be overriden
+  # tags = { }
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `"Windows Common Base Security Group"` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
+| <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
+| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `"it-windows-base"` | no |
+| <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Windows"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | <pre>{<br>  "CostAllocation": "csvd:infrastructure",<br>  "Environment": "csvd-infrastructure"<br>}</pre> | no |
+| <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_this_security_group_arn"></a> [this\_security\_group\_arn](#output\_this\_security\_group\_arn) | Created security group ARN |
+| <a name="output_this_security_group_id"></a> [this\_security\_group\_id](#output\_this\_security\_group\_id) | Created security group ID |
diff --git a/general/main.tf b/general/main.tf
@@ -0,0 +1,121 @@
+/**
+* # About it-windows-base
+*
+* This describes how to use the aws-common-security-groups submodule for it-windows-base. 
+*
+* Commonly used ports and services are set up here, including ICMP, AD, RDP, NTP, DNS, SNMP,
+* monit, munin, iperf, netperf, NetBackup and Opsware.
+*
+* ## Usage
+*
+* ```hcl
+* module "it-windows-base" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base"
+*
+*   # name = "it-windows-base"
+*   vpc_id = var.vpc_id
+*   # Name, CostAllocation, and Environment are pre-set, but they can be overriden
+*   # tags = { }
+* }
+* ```
+*/
+
+data "aws_vpc" "this_vpc" {
+  count = var.use_vpc_cidr ? 1 : 0
+  id    = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+  count = length(var.ingress_security_groups)
+  id    = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+  count = length(var.egress_security_groups)
+  id    = element(var.egress_security_groups, count.index)
+}
+
+locals {
+  vpc_networks              = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+  external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+  ingress_sg_names          = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+  egress_sg_names           = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+  self                      = var.enable_self ? [1] : []
+  short_description         = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+  name        = local.name
+  description = var.description
+  vpc_id      = var.vpc_id
+  #  vpc_id      = "${data.aws_vpc.selected.id}"
+
+  # ingresss external port list (list + vpc if enabaled)
+  dynamic "ingress" {
+    for_each = local.port_map["external"]
+    iterator = p
+    content {
+      description = "${local.short_description}: ${p.value["description"]}"
+      from_port   = p.value["from"]
+      to_port     = p.value["to"]
+      protocol    = p.value["proto"]
+      cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+    }
+  }
+
+  # ingress security group ids (all)
+  dynamic "ingress" {
+    for_each = local.ingress_sg
+    iterator = sg
+    content {
+      description     = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+      from_port       = 0
+      to_port         = 0
+      protocol        = -1
+      security_groups = [sg.value]
+    }
+  }
+
+  # ingress self (list with one or zero items)
+  dynamic "ingress" {
+    for_each = local.self
+    iterator = sg
+    content {
+      description = "${local.short_description}: from self"
+      from_port   = 0
+      to_port     = 0
+      protocol    = -1
+      self        = true
+    }
+  }
+
+  # egress all
+  egress {
+    description = "${local.short_description}: All"
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = local.egress_networks
+  }
+
+  # egress security group ids (all)
+  dynamic "egress" {
+    for_each = local.egress_sg
+    iterator = sg
+    content {
+      description     = "${local.short_description}: ${local.egress_sg_names[sg]}"
+      from_port       = 0
+      to_port         = 0
+      protocol        = -1
+      security_groups = [sg]
+    }
+  }
+
+  tags = merge(
+    map("Name", "sg-${local.name}"),
+    var.tags,
+    map("boc:created_by", "terraform"),
+    map("boc:tf_module_version", local._module_version),
+    map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+  )
+}
diff --git a/general/output.tf b/general/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+  description = "Created security group ID"
+  value       = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+  description = "Created security group ARN"
+  value       = aws_security_group.this_security_group.arn
+}
diff --git a/general/ports.tf b/general/ports.tf
@@ -0,0 +1,59 @@
+# ports = list of list of
+#   from_port
+#   to_port
+#   proto
+#   description
+#   cidr_block
+#   list of: all, external (more added as needed)
+
+## % python modify-security-groups.py list sg-00fb5065
+##  sg_id=sg-00fb5065 sg_name='it-windows-base' vpc_id=vpc-2ea5664b sg_description='Windows Common Base Security Group'
+## direction=ingress pft=udp,161,161 range=0.0.0.0/0
+## direction=ingress pft=tcp,1556,1556 range=10.193.0.0/22
+## direction=ingress pft=tcp,5986,5986 range=172.24.12.239/32
+## direction=ingress pft=tcp,3389,3389 range=148.129.0.0/16,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
+## direction=ingress pft=icmp,-1,-1 range=0.0.0.0/0
+## direction=egress pft=all range=0.0.0.0/0
+
+## this adds iperf3
+locals {
+  n_all         = ["0.0.0.0/0"]
+  n_census      = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+  n_mgmt        = ["148.129.162.0/24", "148.129.95.0/24"]
+  n_backup      = ["10.193.0.0/22"]
+  n_ansible     = ["172.24.12.239/32"]
+  n_encase      = ["148.129.121.72/32"]
+  n_riverbed    = ["172.24.100.107/32"]
+  n_hpsa        = ["172.24.100.141/32", "172.24.100.154/32", "172.24.100.165/32"]
+  n_hpom        = ["172.24.105.24/32"]
+  source_groups = ["all", "external"]
+  name          = var.name
+  ports = [
+    [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
+    [161, 161, "udp", "SNMP", local.n_all, ["external"]],
+    [5201, 5201, "tcp", "iperf3", local.n_all, ["external"]],
+    [5201, 5201, "udp", "iperf3", local.n_all, ["external"]],
+    [1556, 1556, "tcp", "Netbackup", local.n_backup, ["external"]],
+    [3389, 3389, "tcp", "RDP", local.n_census, ["external"]],
+    [4445, 4445, "tcp", "EnCase", local.n_encase, ["external"]],
+    [5986, 5986, "tcp", "WinRM-https", local.n_ansible, ["external"]],
+    [27401, 27401, "tcp", "TransactionAgent", local.n_riverbed, ["external"]],
+    [1002, 1002, "tcp", "HPSA", local.n_hpsa, ["external"]],
+    [383, 383, "tcp", "HPOM", local.n_hpom, ["external"]],
+    [383, 383, "udp", "HPOM", local.n_hpom, ["external"]],
+  ]
+
+  # these are ignored
+  ingress_networks = var.ingress_networks
+  egress_networks  = var.egress_networks
+
+  # these are ignored
+  ingress_sg = var.ingress_security_groups
+  egress_sg  = var.egress_security_groups
+
+  p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+  p_map    = [for p in local.ports : zipmap(local.p_fields, p)]
+  port_map = { for s in local.source_groups :
+    s => [for p in local.p_map : p if contains(p["source_group"], s)]
+  }
+}