Setup sg it linux base (#2)

* initial * add smtp port 25 * add tf_module_version * fix cidr range * fix comments
terraform-modules · Jun 3, 2020 · f9ca54b · f9ca54b
1 parent a843122
commit f9ca54b
Show file tree

Hide file tree

Showing 12 changed files with 349 additions and 0 deletions.
diff --git a/it-linux-base/.x/main.tf b/it-linux-base/.x/main.tf
@@ -0,0 +1,59 @@
+/**
+* # About
+* 
+* This describes how to use the aws-common-security-groups submodule for it-linux-base
+* 
+* # Usage
+* 
+* ```code
+* module "it-linux-base" {
+*   source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-common-security-groups.git//it-linux-base"
+* 
+*   # name = "m-it-linux-base"
+*   vpc_id = var.vpc_id
+*   # Name, CostAllocation, and Environment are pre-set
+*   # tags = { }
+* }
+* ```
+*/
+
+locals {
+  description = "Linux Common Base Ports"
+  short_description = "Linux"
+  name = var.name
+  ports = [
+    [ 1433, 1433, "tcp" ],
+    [ 5023, 5023, "tcp" ]
+  ]
+}
+
+resource "aws_security_group" "this_security_group" {
+  name = local.name
+  description = local.description
+  vpc_id = var.vpc_id
+
+  dynamic "ingress" {
+    for_each = local.ports
+    iterator = p
+    content {
+      description = local.description
+      from_port = p.value[0]
+      to_port   = p.value[1]
+      protocol  = p.value[2]
+      cidr_blocks = [ "0.0.0.0/0" ]
+    }
+  }
+
+  egress {
+    description = "ALL ${local.description}"
+    from_port = 0
+    to_port   = 0
+    protocol  = -1
+    cidr_blocks = [ "0.0.0.0/0" ]
+  }
+
+  tags = merge(
+    map("Name", local.name),
+    var.tags,
+  )
+}
diff --git a/it-linux-base/.x/output.tf b/it-linux-base/.x/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+  description = "Created security group ID"
+  value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+  description = "Created security group ARN"
+  value = aws_security_group.this_security_group.arn
+}
diff --git a/it-linux-base/.x/variables.tf b/it-linux-base/.x/variables.tf
@@ -0,0 +1,19 @@
+variable "vpc_id" {
+  description = "VPC ID Number"
+  type = string
+}
+
+variable "name" {
+  description = "Security group Name"
+  type = string
+  default = "m-rds-mssql"
+}
+
+variable "tags" {
+  description = "Extra security group tags"
+  type    = map
+  default = { 
+    "CostAllocation" = "csvd:infrastructure"
+    "Environment" = "csvd-infrastructure"
+  }
+}
diff --git a/it-linux-base/.x/version.tf b/it-linux-base/.x/version.tf
@@ -0,0 +1,5 @@
+variable "_module_version" {
+  description = "Module version number"
+  type = string
+  default = "1.4"
+}
diff --git a/it-linux-base/.x/versions.tf b/it-linux-base/.x/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}
diff --git a/it-linux-base/CHANGELOG.md b/it-linux-base/CHANGELOG.md
@@ -0,0 +1,3 @@
+# v1.0 -- 20200603
+
+* create from running security group for use throughout
diff --git a/it-linux-base/main.tf b/it-linux-base/main.tf
@@ -0,0 +1,98 @@
+data "aws_vpc" "this_vpc" {
+  count = var.use_vpc_cidr ? 1 : 0
+  id    = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+  count = length(var.ingress_security_groups)
+  id    = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+  count = length(var.egress_security_groups)
+  id    = element(var.egress_security_groups, count.index)
+}
+
+locals {
+  vpc_networks              = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+  external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+  ingress_sg_names          = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+  egress_sg_names           = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+  self                      = var.enable_self ? [1] : []
+  short_description         = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+  name        = local.name
+  description = var.description
+  vpc_id      = var.vpc_id
+  #  vpc_id      = "${data.aws_vpc.selected.id}"
+
+  # ingresss external port list (list + vpc if enabaled)
+  dynamic "ingress" {
+    for_each = local.port_map["external"]
+    iterator = p
+    content {
+      description = "${local.short_description}: ${p.value["description"]}"
+      from_port   = p.value["from"]
+      to_port     = p.value["to"]
+      protocol    = p.value["proto"]
+      cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+    }
+  }
+
+  # ingress security group ids (all)
+  dynamic "ingress" {
+    for_each = local.ingress_sg
+    iterator = sg
+    content {
+      description     = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+      from_port       = 0
+      to_port         = 0
+      protocol        = -1
+      security_groups = [sg.value]
+    }
+  }
+
+  # ingress self (list with one or zero items)
+  dynamic "ingress" {
+    for_each = local.self
+    iterator = sg
+    content {
+      description = "${local.short_description}: from self"
+      from_port   = 0
+      to_port     = 0
+      protocol    = -1
+      self        = true
+    }
+  }
+
+  # egress all
+  egress {
+    description = "${local.short_description}: All"
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = local.egress_networks
+  }
+
+  # egress security group ids (all)
+  dynamic "egress" {
+    for_each = local.egress_sg
+    iterator = sg
+    content {
+      description     = "${local.short_description}: ${local.egress_sg_names[sg]}"
+      from_port       = 0
+      to_port         = 0
+      protocol        = -1
+      security_groups = [sg]
+    }
+  }
+
+  tags = merge(
+    var.tags,
+    map("boc:tf_module_version", var._module_version),
+    map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+    map("Name", "sg-${local.name}"),
+  )
+}
diff --git a/it-linux-base/output.tf b/it-linux-base/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+  description = "Created security group ID"
+  value       = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+  description = "Created security group ARN"
+  value       = aws_security_group.this_security_group.arn
+}
diff --git a/it-linux-base/ports.tf b/it-linux-base/ports.tf
@@ -0,0 +1,51 @@
+# ports = list of list of
+#   from_port
+#   to_port
+#   proto
+#   description
+#   cidr_block
+#   list of: all, external (more added as needed)
+
+locals {
+  n_all         = ["0.0.0.0/0"]
+  n_census      = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+  n_mgmt        = ["148.129.162.0/24", "148.129.95.0/24"]
+  source_groups = ["all", "external"]
+  name          = var.name
+  ports = [ 
+    [ -1, -1, "icmp", "ICMP", local.n_all, ["external"] ],
+    [ 22, 22, "tcp", "SSH", local.n_census, ["external"] ],
+    [ 25, 25, "tcp", "SMTP", local.n_all, ["external"] ],
+    [ 123, 123, "udp", "NTP", local.n_all, ["external"] ],
+    [ 161, 161, "udp", "SNMP", local.n_all, ["external"] ],
+    [ 443, 443, "tcp", "https", local.n_all, ["external"] ],
+    [ 4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"] ],
+    [ 5001, 5003, "tcp", "iperf", local.n_all, ["external"] ],
+    [ 5001, 5003, "udp", "iperf", local.n_all, ["external"] ],
+
+    [ 1556, 1556, "tcp", "Netbackup", local.n_all, ["external"] ],
+    [ 13724, 13724, "tcp", "Netbackup", local.n_all, ["external"] ],
+    [ 13782, 13782, "tcp", "Netbackup", local.n_all, ["external"] ],
+
+    [ 1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23" ], ["external"]],
+
+    [ 1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"] ],
+    [ 9080, 9080, "tcp", "", [local.n_census[2] ], ["external"]],
+    [ 10082, 10082, "tcp", "", local.n_all, ["external"] ],
+    [ 10102, 10102, "tcp", "", local.n_all, ["external"] ],
+  ]
+
+  # these are ignored
+  ingress_networks = var.ingress_networks
+  egress_networks  = var.egress_networks
+
+  # these are ignored
+  ingress_sg = var.ingress_security_groups
+  egress_sg  = var.egress_security_groups
+
+  p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+  p_map    = [for p in local.ports : zipmap(local.p_fields, p)]
+  port_map = { for s in local.source_groups :
+    s => [for p in local.p_map : p if contains(p["source_group"], s)]
+  }
+}
diff --git a/it-linux-base/variables.tf b/it-linux-base/variables.tf
@@ -0,0 +1,83 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+  description = "Security Group Name"
+  type        = string
+  default     = "it-linux-base"
+}
+
+variable "description" {
+  description = "Security Group Description"
+  type        = string
+  default     = "Linux Common Base Security Group"
+}
+
+variable "short_description" {
+  description = "Security Group Short Description"
+  type        = string
+  default     = "Linux"
+}
+
+variable "enable_self" {
+  description = "Enable|Disable self full access"
+  type        = bool
+  default     = false
+}
+
+variable "use_vpc_cidr" {
+  description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+  type        = bool
+  default     = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+  description = "VPC ID Number"
+  type        = string
+}
+
+data "aws_vpc" "selected" {
+  id = "${var.vpc_id}"
+}
+
+variable "vpc_full_name" {
+  description = "VPC Name"
+  type        = string
+  default     = ""
+}
+
+variable "ingress_networks" {
+  description = "List of ingress networks for external access (not all ports)"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+  description = "List of egress networks (all ports)"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+  description = "List of ingress security groups for all ports"
+  type        = list(string)
+  default     = []
+}
+
+variable "egress_security_groups" {
+  description = "List of egress security groups (all ports)"
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "Extra security group tags"
+  type        = map
+  default = {
+    "CostAllocation" = "csvd:infrastructure"
+    "Environment"    = "csvd-infrastructure"
+  }
+}
diff --git a/it-linux-base/version.tf b/it-linux-base/version.tf
@@ -0,0 +1,5 @@
+variable "_module_version" {
+  description = "Module version number"
+  type        = string
+  default     = "1.0"
+}
diff --git a/it-linux-base/versions.tf b/it-linux-base/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}