From 8b4debc76233bdb642a7200c476172aede57af90 Mon Sep 17 00:00:00 2001
From: Don Badrak
Date: Wed, 3 Jun 2020 15:16:09 -0400
Subject: [PATCH 1/5] initial
---
 it-linux-base/.x/main.tf | 59 +++++++++++++++++++++
 it-linux-base/.x/output.tf | 9 ++++
 it-linux-base/.x/variables.tf | 19 +++++++
 it-linux-base/.x/version.tf | 5 ++
 it-linux-base/.x/versions.tf | 4 ++
 it-linux-base/CHANGELOG.md | 3 ++
 it-linux-base/main.tf | 97 +++++++++++++++++++++++++++++++++++
 it-linux-base/output.tf | 9 ++++
 it-linux-base/ports.tf | 50 ++++++++++++++++++
 it-linux-base/variables.tf | 83 ++++++++++++++++++++++++++++++
 it-linux-base/version.tf | 5 ++
 it-linux-base/versions.tf | 4 ++
 12 files changed, 347 insertions(+)
 create mode 100644 it-linux-base/.x/main.tf
 create mode 100644 it-linux-base/.x/output.tf
 create mode 100644 it-linux-base/.x/variables.tf
 create mode 100644 it-linux-base/.x/version.tf
 create mode 100644 it-linux-base/.x/versions.tf
 create mode 100644 it-linux-base/CHANGELOG.md
 create mode 100644 it-linux-base/main.tf
 create mode 100644 it-linux-base/output.tf
 create mode 100644 it-linux-base/ports.tf
 create mode 100644 it-linux-base/variables.tf
 create mode 100644 it-linux-base/version.tf
 create mode 100644 it-linux-base/versions.tf
diff --git a/it-linux-base/.x/main.tf b/it-linux-base/.x/main.tf
new file mode 100644
index 0000000..fd805bc
--- /dev/null
+++ b/it-linux-base/.x/main.tf
@@ -0,0 +1,59 @@
+/**
+* # About
+*
+* This describes how to use the aws-common-security-groups submodule for it-linux-base
+*
+* # Usage
+*
+* ```code
+* module "it-linux-base" {
+* source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-common-security-groups.git//it-linux-base"
+*
+* # name = "m-it-linux-base"
+* vpc_id = var.vpc_id
+* # Name, CostAllocation, and Environment are pre-set
+* # tags = { }
+* }
+* ```
+*/
+
+locals {
+ description = "Linux Common Base Ports"
+ short_description = "Linux"
+ name = var.name
+ ports = [
+ [ 1433, 1433, "tcp" ],
+ [ 5023, 5023, "tcp" ]
+ ]
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = local.description
+ vpc_id = var.vpc_id
+
+ dynamic "ingress" {
+ for_each = local.ports
+ iterator = p
+ content {
+ description = local.description
+ from_port = p.value[0]
+ to_port = p.value[1]
+ protocol = p.value[2]
+ cidr_blocks = [ "0.0.0.0/0" ]
+ }
+ }
+
+ egress {
+ description = "ALL ${local.description}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = [ "0.0.0.0/0" ]
+ }
+
+ tags = merge(
+ map("Name", local.name),
+ var.tags,
+ )
+}
diff --git a/it-linux-base/.x/output.tf b/it-linux-base/.x/output.tf
new file mode 100644
index 0000000..f9c3840
--- /dev/null
+++ b/it-linux-base/.x/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/it-linux-base/.x/variables.tf b/it-linux-base/.x/variables.tf
new file mode 100644
index 0000000..f0d6a0e
--- /dev/null
+++ b/it-linux-base/.x/variables.tf
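Review bot: The `.x/main.tf` security group opens 1433/tcp and 5023/tcp to `0.0.0.0/0` under the description "Linux Common Base Ports", which matches neither the port choice nor the `it-linux-base` module it sits in; with `.x/variables.tf` defaulting `name` to `m-rds-mssql` and `.x/version.tf` carrying "1.4" while `version.tf` carries "1.0", the `.x/` tree reads as a leftover copy of a different module rather than part of this one. If it is intentionally kept, the header comment should say so, e.g. `# .x/ is a reference copy and is not applied as part of this module -- confirm`; otherwise it should be dropped before anyone applies it and creates a world-reachable MSSQL rule. Less urgently, `map("Name", local.name)` uses the `map()` function form that Terraform 0.12 deprecates in favour of an object literal, `{ Name = local.name }`; the `map()`/`list()` calls in the `main.tf` tags block have the same issue.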
@@ -0,0 +1,19 @@
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+variable "name" {
+ description = "Security group Name"
+ type = string
+ default = "m-rds-mssql"
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/it-linux-base/.x/version.tf b/it-linux-base/.x/version.tf
new file mode 100644
index 0000000..82a588a
--- /dev/null
+++ b/it-linux-base/.x/version.tf
@@ -0,0 +1,5 @@
+variable "_module_version" {
+ description = "Module version number"
+ type = string
+ default = "1.4"
+}
diff --git a/it-linux-base/.x/versions.tf b/it-linux-base/.x/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/it-linux-base/.x/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/it-linux-base/CHANGELOG.md b/it-linux-base/CHANGELOG.md
new file mode 100644
index 0000000..221bf34
--- /dev/null
+++ b/it-linux-base/CHANGELOG.md
@@ -0,0 +1,3 @@
+# v1.0 -- 20200603
+
+* create from running securit group for use throughout
diff --git a/it-linux-base/main.tf b/it-linux-base/main.tf
new file mode 100644
index 0000000..89d1bb5
--- /dev/null
+++ b/it-linux-base/main.tf
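Review bot: `type = map` on the `tags` variable is the bare legacy constraint, which Terraform 0.12 only tolerates as `map(any)`, so a caller can hand non-string values straight into the `merge()` that builds resource tags; declare it as `type = map(string)`. The same bare `map` is used for `tags` in `it-linux-base/variables.tf` later in this commit. The `name` default of `m-rds-mssql` also does not fit this module's `it-linux-base` naming and looks inherited from elsewhere -- either correct it or say in the description why it differs.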
@@ -0,0 +1,97 @@
+data "aws_vpc" "this_vpc" {
+ count = var.use_vpc_cidr ? 1 : 0
+ id = var.vpc_id
+}
+
+data "aws_security_group" "ingress_security_groups" {
+ count = length(var.ingress_security_groups)
+ id = element(var.ingress_security_groups, count.index)
+}
+
+data "aws_security_group" "egress_security_groups" {
+ count = length(var.egress_security_groups)
+ id = element(var.egress_security_groups, count.index)
+}
+
+locals {
+ vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
+ external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
+ ingress_sg_names = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
+ egress_sg_names = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
+ self = var.enable_self ? [1] : []
+ short_description = var.short_description == "" ? var.description : var.short_description
+}
+
+resource "aws_security_group" "this_security_group" {
+ name = local.name
+ description = var.description
+ vpc_id = var.vpc_id
+ # vpc_id = "${data.aws_vpc.selected.id}"
+
+ # ingresss external port list (list + vpc if enabaled)
+ dynamic "ingress" {
+ for_each = local.port_map["external"]
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? 
local.external_ingress_networks : p.value["cidr"]
+ }
+ }
+
+ # ingress security group ids (all)
+ dynamic "ingress" {
+ for_each = local.ingress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.ingress_sg_names[sg.value]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg.value]
+ }
+ }
+
+ # ingress self (list with one or zero items)
+ dynamic "ingress" {
+ for_each = local.self
+ iterator = sg
+ content {
+ description = "${local.short_description}: from self"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+ }
+
+ # egress all
+ egress {
+ description = "${local.short_description}: All"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = local.egress_networks
+ }
+
+ # egress security group ids (all)
+ dynamic "egress" {
+ for_each = local.egress_sg
+ iterator = sg
+ content {
+ description = "${local.short_description}: ${local.egress_sg_names[sg]}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ security_groups = [sg]
+ }
+ }
+
+ tags = merge(
+ var.tags,
+ map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
+ map("Name", "sg-${local.name}"),
+ )
+}
diff --git a/it-linux-base/output.tf b/it-linux-base/output.tf
new file mode 100644
index 0000000..fbdd35a
--- /dev/null
+++ b/it-linux-base/output.tf
@@ -0,0 +1,9 @@
+output "this_security_group_id" {
+ description = "Created security group ID"
+ value = aws_security_group.this_security_group.id
+}
+
+output "this_security_group_arn" {
+ description = "Created security group ARN"
+ value = aws_security_group.this_security_group.arn
+}
diff --git a/it-linux-base/ports.tf b/it-linux-base/ports.tf
new file mode 100644
index 0000000..c82c243
--- /dev/null
+++ b/it-linux-base/ports.tf
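Review bot: In the `dynamic "egress"` block the iterator is named `sg` but the content references `sg` itself instead of `sg.value`, so `local.egress_sg_names[sg]` indexes a map with the iterator object and `security_groups = [sg]` puts that object into a list of strings; this should fail at plan time as soon as `egress_security_groups` is non-empty, and the empty default is what hides it. The ingress counterpart above uses `sg.value` correctly, so the fix is `description = "${local.short_description}: ${local.egress_sg_names[sg.value]}"` and `security_groups = [sg.value]`. Separately, `cidr_blocks` only falls back to `local.external_ingress_networks` when a row's `cidr` list is empty, and every row in `ports.tf` supplies one, so `ingress_networks` and `use_vpc_cidr` currently change nothing; a comment on the first `dynamic "ingress"` block such as `# external_ingress_networks applies only to rows whose cidr list is empty` would stop the next reader from assuming otherwise. The `map()`/`list()` calls in the `tags` merge are the deprecated 0.12 function forms; `{ ... }` and `[ ... ]` literals express the same thing.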
@@ -0,0 +1,50 @@
+# ports = list of list of
+# from_port
+# to_port
+# proto
+# description
+# cidr_block
+# list of: all, external (more added as needed)
+
+locals {
+ n_all = ["0.0.0.0/0"]
+ n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+ n_mgmt = ["148.129.16.0/24", "148.129.95.0/24"]
+ source_groups = ["all", "external"]
+ name = var.name
+ ports = [
+ [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
+ [22, 22, "tcp", "SSH", local.n_census, ["external"]],
+ [123, 123, "udp", "NTP", local.n_all, ["external"]],
+ [161, 161, "udp", "SNMP", local.n_all, ["external"]],
+ [443, 443, "tcp", "https", local.n_all, ["external"]],
+ [4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"]],
+ [5001, 5003, "tcp", "iperf", local.n_all, ["external"]],
+ [5001, 5003, "udp", "iperf", local.n_all, ["external"]],
+
+ [1556, 1556, "tcp", "Netbackup", local.n_all, ["external"]],
+ [13724, 13724, "tcp", "Netbackup", local.n_all, ["external"]],
+ [13782, 13782, "tcp", "Netbackup", local.n_all, ["external"]],
+
+ [1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23"], ["external"]],
+
+ [1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"]],
+ [9080, 9080, "tcp", "", [local.n_census[2]], ["external"]],
+ [10082, 10082, "tcp", "", local.n_all, ["external"]],
+ [10102, 10102, "tcp", "", local.n_all, ["external"]],
+ ]
+
+ # these are ignored
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
+ # these are ignred
+ ingress_sg = var.ingress_security_groups
+ egress_sg = var.egress_security_groups
+
+ p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+ p_map = [for p in local.ports : zipmap(local.p_fields, p)]
+ port_map = { for s in local.source_groups :
+ s => [for p in local.p_map : p if contains(p["source_group"], s)]
+ }
+}
diff --git a/it-linux-base/variables.tf b/it-linux-base/variables.tf
new file mode 100644
index 0000000..8235220
--- /dev/null
+++ b/it-linux-base/variables.tf
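Review bot: The base port table grants inbound from `0.0.0.0/0` (`n_all`) to SNMP 161/udp, NTP 123/udp, the three Netbackup ports, 1002, 10082, 10102, iperf 5001-5003 and ICMP, while SSH is limited to `n_census`; for a group described as the Linux common base, that makes management, backup and monitoring listeners reachable from any source on every host that uses it, and those rows should use `n_census`, `n_mgmt` or an explicit source list unless a public listener is documented as intended. Three rows (9080, 10082, 10102) have an empty description, which yields ingress rule descriptions of just `Linux: `; a short label per row keeps the rules auditable. The two `# these are ignored` comments are also inaccurate: `egress_networks`, `ingress_sg` and `egress_sg` are consumed directly by `main.tf`, and only `ingress_networks` is effectively unused because every row supplies a `cidr` list -- `# ingress_networks only applies to rows with an empty cidr list; the rest are used by main.tf` would state what is actually true.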
@@ -0,0 +1,83 @@
+#---
+# change between different modules as needed
+#---
+variable "name" {
+ description = "Security Group Name"
+ type = string
+ default = "it-linux-base"
+}
+
+variable "description" {
+ description = "Security Group Description"
+ type = string
+ default = "Linux Common Base Security Group"
+}
+
+variable "short_description" {
+ description = "Security Group Short Description"
+ type = string
+ default = "Linux"
+}
+
+variable "enable_self" {
+ description = "Enable|Disable self full access"
+ type = bool
+ default = false
+}
+
+variable "use_vpc_cidr" {
+ description = "Enable|Disable use of VPC CIDR block in the ingress_networks"
+ type = bool
+ default = false
+}
+
+#---
+# others with defaults
+#---
+variable "vpc_id" {
+ description = "VPC ID Number"
+ type = string
+}
+
+data "aws_vpc" "selected" {
+ id = "${var.vpc_id}"
+}
+
+variable "vpc_full_name" {
+ description = "VPC Name"
+ type = string
+ default = ""
+}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access (not all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_networks" {
+ description = "List of egress networks (all ports)"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "ingress_security_groups" {
+ description = "List of ingress security groups for all ports"
+ type = list(string)
+ default = []
+}
+
+variable "egress_security_groups" {
+ description = "List of egress security groups (all ports)"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "Extra security group tags"
+ type = map
+ default = {
+ "CostAllocation" = "csvd:infrastructure"
+ "Environment" = "csvd-infrastructure"
+ }
+}
diff --git a/it-linux-base/version.tf b/it-linux-base/version.tf
new file mode 100644
index 0000000..84fd21a
--- /dev/null
+++ b/it-linux-base/version.tf
@@ -0,0 +1,5 @@
+variable "_module_version" {
+ description = "Module version number"
+ type = string
+ default = "1.0"
+}
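Review bot: `data "aws_vpc" "selected"` is declared in `variables.tf`, uses the 0.11 interpolation-only form `"${var.vpc_id}"`, and is referenced nowhere except a commented-out line in `main.tf`, which already has its own conditional `data "aws_vpc" "this_vpc"`; it performs an unconditional lookup on every plan for no result and should be removed, or moved into `main.tf` with `id = var.vpc_id` if it is going to be used. The `ingress_networks` description should also say that it only applies to port rows with an empty `cidr` list, since the table shipped in this commit never triggers it and the `0.0.0.0/0` default suggests a wider effect than it has.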
diff --git a/it-linux-base/versions.tf b/it-linux-base/versions.tf
new file mode 100644
index 0000000..ac97c6a
--- /dev/null
+++ b/it-linux-base/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
From 9757fd3192dfe0e4434d5cbee88fe79bcfe00238 Mon Sep 17 00:00:00 2001
From: Don Badrak
Date: Wed, 3 Jun 2020 16:47:56 -0400
Subject: [PATCH 2/5] add smtp port 25
---
 it-linux-base/ports.tf | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/it-linux-base/ports.tf b/it-linux-base/ports.tf
index c82c243..0886937 100644
--- a/it-linux-base/ports.tf
+++ b/it-linux-base/ports.tf
@@ -12,26 +12,27 @@ locals {
 n_mgmt = ["148.129.16.0/24", "148.129.95.0/24"]
 source_groups = ["all", "external"]
 name = var.name
- ports = [
- [-1, -1, "icmp", "ICMP", local.n_all, ["external"]],
- [22, 22, "tcp", "SSH", local.n_census, ["external"]],
- [123, 123, "udp", "NTP", local.n_all, ["external"]],
- [161, 161, "udp", "SNMP", local.n_all, ["external"]],
- [443, 443, "tcp", "https", local.n_all, ["external"]],
- [4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"]],
- [5001, 5003, "tcp", "iperf", local.n_all, ["external"]],
- [5001, 5003, "udp", "iperf", local.n_all, ["external"]],
+ ports = [
+ [ -1, -1, "icmp", "ICMP", local.n_all, ["external"] ],
+ [ 22, 22, "tcp", "SSH", local.n_census, ["external"] ],
+ [ 25, 25, "tcp", "SMTP", local.n_all, ["external"] ],
+ [ 123, 123, "udp", "NTP", local.n_all, ["external"] ],
+ [ 161, 161, "udp", "SNMP", local.n_all, ["external"] ],
+ [ 443, 443, "tcp", "https", local.n_all, ["external"] ],
+ [ 4949, 4949, "tcp", "Munin", local.n_mgmt, ["external"] ],
+ [ 5001, 5003, "tcp", "iperf", local.n_all, ["external"] ],
+ [ 5001, 5003, "udp", "iperf", local.n_all, ["external"] ],
- [1556, 1556, "tcp", "Netbackup", local.n_all, ["external"]],
- [13724, 13724, "tcp", "Netbackup", local.n_all, ["external"]],
- [13782, 13782, "tcp", "Netbackup", local.n_all, ["external"]],
+ [ 1556, 1556, "tcp", "Netbackup", local.n_all, ["external"] ],
+ [ 13724, 13724, "tcp", "Netbackup", local.n_all, ["external"] ],
+ [ 13782, 13782, "tcp", "Netbackup", local.n_all, ["external"] ],
- [1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23"], ["external"]],
+ [ 1830, 1830, "tcp", "Oracle-OEM", ["10.193.8.0/23" ], ["external"]],
- [1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"]],
- [9080, 9080, "tcp", "", [local.n_census[2]], ["external"]],
- [10082, 10082, "tcp", "", local.n_all, ["external"]],
- [10102, 10102, "tcp", "", local.n_all, ["external"]],
+ [ 1002, 1002, "tcp", "OPSware-Control", local.n_all, ["external"] ],
+ [ 9080, 
9080, "tcp", "", [local.n_census[2] ], ["external"]],
+ [ 10082, 10082, "tcp", "", local.n_all, ["external"] ],
+ [ 10102, 10102, "tcp", "", local.n_all, ["external"] ],
 ]
 # these are ignored
From ce7da685a22b5bbe3a2ccd089c48b042de01c5b7 Mon Sep 17 00:00:00 2001
From: Don Badrak
Date: Wed, 3 Jun 2020 17:24:28 -0400
Subject: [PATCH 3/5] add tf_module_version
---
 it-linux-base/main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/it-linux-base/main.tf b/it-linux-base/main.tf
index 89d1bb5..cadecc8 100644
--- a/it-linux-base/main.tf
+++ b/it-linux-base/main.tf
@@ -91,6 +91,7 @@ resource "aws_security_group" "this_security_group" {
 tags = merge(
 var.tags,
+ map("boc:tf_module_version", var._module_version),
 map("boc:vpc:info", join(" ", compact(list(var.vpc_id, var.vpc_full_name)))),
 map("Name", "sg-${local.name}"),
 )
From ab8364136085a2dcd9d5986a1d458b99f59e5a02 Mon Sep 17 00:00:00 2001
From: Don Badrak
Date: Wed, 3 Jun 2020 17:31:53 -0400
Subject: [PATCH 4/5] fix cidr range
---
 it-linux-base/ports.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/it-linux-base/ports.tf b/it-linux-base/ports.tf
index 0886937..2c3a0f7 100644
--- a/it-linux-base/ports.tf
+++ b/it-linux-base/ports.tf
@@ -9,7 +9,7 @@
 locals {
 n_all = ["0.0.0.0/0"]
 n_census = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
- n_mgmt = ["148.129.16.0/24", "148.129.95.0/24"]
+ n_mgmt = ["148.129.162.0/24", "148.129.95.0/24"]
 source_groups = ["all", "external"]
 name = var.name
 ports = [
From 7e72d07e0161d9e25b2a107035491dcf1f6b0d81 Mon Sep 17 00:00:00 2001
From: Don Badrak
Date: Wed, 3 Jun 2020 17:37:25 -0400
Subject: [PATCH 5/5] fix comments
---
 it-linux-base/CHANGELOG.md | 2 +-
 it-linux-base/ports.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/it-linux-base/CHANGELOG.md b/it-linux-base/CHANGELOG.md
index 221bf34..e8a2db0 100644
--- a/it-linux-base/CHANGELOG.md
+++ b/it-linux-base/CHANGELOG.md
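Review bot: The new row `[ 25, 25, "tcp", "SMTP", local.n_all, ["external"] ]` opens inbound SMTP from `0.0.0.0/0` on the group described as the Linux common base, so any host in it that runs a mail daemon becomes reachable from the internet rather than only from the hosts that should relay through it; restrict the row to the relay's source ranges, e.g. `[ 25, 25, "tcp", "SMTP", local.n_census, ["external"] ]`, or put it in a dedicated group for the mail hosts. Style-wise, a commit titled "add smtp port 25" rewrites every row of the list for spacing, so the one functional line is buried in 18 added / 17 removed lines; keep re-formatting in its own commit so the rule change can be reviewed on its own. `CHANGELOG.md` and `_module_version` are also not updated for a rule addition.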
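Review bot: `var._module_version` is an input variable with a default, so the new `boc:tf_module_version` tag records whatever a caller passes rather than the version of the module code that was applied; if the tag is meant as a provenance stamp the value should come from a local in `version.tf`, e.g. `locals { module_version = "1.0" }`, and the tag line becomes `{ "boc:tf_module_version" = local.module_version }`. That literal also avoids the deprecated `map()` form used by the neighbouring lines. The enclosing `resource` block starts outside the hunk.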
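Review bot: Changing `n_mgmt` from `148.129.16.0/24` to `148.129.162.0/24` alters which sources can reach Munin 4949/tcp on every host using this group, but neither `CHANGELOG.md` nor `_module_version` is updated here or in the following commit, so a consumer pinning "1.0" cannot tell which rule set they have; add a changelog line such as `* fix n_mgmt: 148.129.16.0/24 -> 148.129.162.0/24` and bump the version. A comment naming what the two `n_mgmt` networks are, e.g. `# n_mgmt: management/monitoring subnets -- owner to confirm`, would also make the next such fix verifiable instead of a bare number edit.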
@@ -1,3 +1,3 @@
 # v1.0 -- 20200603
-* create from running securit group for use throughout
+* create from running security group for use throughout
diff --git a/it-linux-base/ports.tf b/it-linux-base/ports.tf
index 2c3a0f7..995332d 100644
--- a/it-linux-base/ports.tf
+++ b/it-linux-base/ports.tf
@@ -39,7 +39,7 @@ locals {
 ingress_networks = var.ingress_networks
 egress_networks = var.egress_networks
- # these are ignred
+ # these are ignored
 ingress_sg = var.ingress_security_groups
 egress_sg = var.egress_security_groups