v2.2.2: make ingress_self* work

CHANGELOG.md

@@ -12,6 +12,15 @@
   - custom
     - create custom submodule, requires port list passed
 
+* v2.2.1 -- 20211022
+  - custom
+    - add ingress_self_* option
+
+* v2.2.2 -- 20211025
+  - custom
+    - make ingress_self stuff work
+    - fix missing default egress
+
 # OLDER
 
 ## web

common/README.md

@@ -30,11 +30,15 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
+| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | <pre>[<br>  []<br>]</pre> | no |
+| <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>    cidr        = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br>  []<br>]</pre> | no |
+| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |
 | <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |

common/ports.tf

@@ -1,37 +1,64 @@
-# ports = list of list of
-#   from_port
-#   to_port
-#   proto
-#   description
-#   cidr_block
-#   list of: all, external (more added as needed)
-
-# example only.  Use your own values as appropraite
-
 locals {
-  n_all         = ["0.0.0.0/0"]
-  n_census      = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
-  source_groups = ["all", "external"]
+  ports = []
 
-  ports = [
-    [80, 80, "tcp", "http", local.n_census, ["external"]],
-    [443, 443, "tcp", "https", local.n_census, ["external"]],
-    [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
-    [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
-  ]
+  ingress_networks = var.ingress_networks
+  egress_networks  = var.egress_networks
 
-  #  ingress_networks = var.ingress_networks
-  ingress_networks = []
-  #  egress_networks  = var.egress_networks
-  egress_networks = local.n_all
-
-  # these are ignored
   ingress_sg = var.ingress_security_groups
   egress_sg  = var.egress_security_groups
 
-  p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
-  p_map    = [for p in local.ports : zipmap(local.p_fields, p)]
-  port_map = { for s in local.source_groups :
-    s => [for p in local.p_map : p if contains(p["source_group"], s)]
+  # ports
+  p_fields = ["from", "to", "proto", "description", "cidr"]
+  p_list1  = length(local.ports) > 0 ? [for p in local.ports : zipmap(local.p_fields, p)] : []
+  p_list2  = length(var.ingress_port_list) > 0 ? [for p in var.ingress_port_list : zipmap(local.p_fields, p)] : []
+  p_list3  = length(var.ingress_port_map) > 0 ? var.ingress_port_map : []
+
+  port_map = {
+    "external"      = []
+    "module_ports"  = local.p_list1
+    "ingress_ports" = local.p_list2
+    "ingress_map"   = local.p_list3
+  }
+
+  # self ports
+  p_self_fields = ["from", "to", "proto", "description"]
+  sp_list1      = length(var.ingress_self_port_list) > 0 ? [for p in var.ingress_self_port_list : zipmap(local.p_self_fields, p)] : []
+  sp_list2      = length(var.ingress_self_port_map) > 0 ? var.ingress_self_port_map : []
+  sp_list3      = length(var.ingress_self_port_list) == 0 && length(var.ingress_self_port_map) == 0 ? local._defaults["self_port_list"] : []
+
+  self_port_map = {
+    "ingress_ports" = local.sp_list1
+    "ingress_map"   = local.sp_list2
+    "default"       = local.sp_list3
   }
 }
+
+# locals {
+#   n_all         = ["0.0.0.0/0"]
+#   n_census      = ["148.129.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
+#   source_groups = ["all", "external"]
+# 
+#   ports = [
+#     [80, 80, "tcp", "http", local.n_census, ["external"]],
+#     [443, 443, "tcp", "https", local.n_census, ["external"]],
+#     [8080, 8080, "tcp", "Tomcat-http", local.n_census, ["external"]],
+#     [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
+#   ]
+# 
+#   #  ingress_networks = var.ingress_networks
+#   ingress_networks = []
+#   #  egress_networks  = var.egress_networks
+#   egress_networks = local.n_all
+# 
+#   # these are ignored
+#   ingress_sg = var.ingress_security_groups
+#   egress_sg  = var.egress_security_groups
+# 
+#   p_fields = ["from", "to", "proto", "description", "cidr", "source_group"]
+#   p_map    = [for p in local.ports : zipmap(local.p_fields, p)]
+#   port_map = { for s in local.source_groups :
+#     s => [for p in local.p_map : p if contains(p["source_group"], s)]
+#   }
+# }
+# 
+# 

common/resources.tf

@@ -3,14 +3,17 @@ locals {
   external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
   ingress_sg_names          = zipmap(var.ingress_security_groups, data.aws_security_group.ingress_security_groups[*].name)
   egress_sg_names           = zipmap(var.egress_security_groups, data.aws_security_group.egress_security_groups[*].name)
-  self                      = var.enable_self ? [1] : []
+  #  self                      = var.enable_self ? local.self_ports : []
 }
 
 resource "aws_security_group" "this_security_group" {
   name        = local.name
   description = var.description
   vpc_id      = var.vpc_id
 
+  #---
+  # ingress
+  #---
   # ingresss external port list (list + vpc if enabaled)
   dynamic "ingress" {
     for_each = local.port_map["external"]
@@ -20,7 +23,46 @@ resource "aws_security_group" "this_security_group" {
       from_port   = p.value["from"]
       to_port     = p.value["to"]
       protocol    = p.value["proto"]
-      cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks)))
+      cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+    }
+  }
+
+  # ingress module-defined ports
+  dynamic "ingress" {
+    for_each = local.port_map["module_ports"]
+    iterator = p
+    content {
+      description = "${local.short_description}: ${p.value["description"]}"
+      from_port   = p.value["from"]
+      to_port     = p.value["to"]
+      protocol    = p.value["proto"]
+      cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+    }
+  }
+
+  # ingress_ports
+  dynamic "ingress" {
+    for_each = local.port_map["ingress_ports"]
+    iterator = p
+    content {
+      description = "${local.short_description}: ${p.value["description"]}"
+      from_port   = p.value["from"]
+      to_port     = p.value["to"]
+      protocol    = p.value["proto"]
+      cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
+    }
+  }
+
+  # ingress map
+  dynamic "ingress" {
+    for_each = local.port_map["ingress_ports"]
+    iterator = p
+    content {
+      description = "${local.short_description}: ${p.value["description"]}"
+      from_port   = p.value["from"]
+      to_port     = p.value["to"]
+      protocol    = p.value["proto"]
+      cidr_blocks = length(p.value["cidr"]) == 0 ? distinct(flatten(compact(concat(local.external_ingress_networks, var.ingress_networks)))) : distinct(flatten(compact(concat(p.value["cidr"], var.ingress_networks))))
     }
   }
 
@@ -37,26 +79,58 @@ resource "aws_security_group" "this_security_group" {
     }
   }
 
-  # ingress self (list with one or zero items)
+  #---
+  # ingress self
+  #---
+  # ingress self port list
+  dynamic "ingress" {
+    for_each = var.enable_self ? local.self_port_map["ingress_ports"] : []
+    iterator = sg
+    content {
+      description = "${local.short_description}: self ${sg.value["description"]}"
+      from_port   = sg.value["from"]
+      to_port     = sg.value["to"]
+      protocol    = sg.value["proto"]
+      self        = true
+    }
+  }
+
+  # ingress self port map
+  dynamic "ingress" {
+    for_each = var.enable_self ? local.self_port_map["ingress_map"] : []
+    iterator = sg
+    content {
+      description = "${local.short_description}: self ${sg.value["description"]}"
+      from_port   = sg.value["from"]
+      to_port     = sg.value["to"]
+      protocol    = sg.value["proto"]
+      self        = true
+    }
+  }
+
+  # ingress self port default
   dynamic "ingress" {
-    for_each = local.self
+    for_each = var.enable_self ? local.self_port_map["default"] : []
     iterator = sg
     content {
-      description = "${local.short_description}: from self"
-      from_port   = 0
-      to_port     = 0
-      protocol    = -1
+      description = "${local.short_description}: self ${sg.value["description"]}"
+      from_port   = sg.value["from"]
+      to_port     = sg.value["to"]
+      protocol    = sg.value["proto"]
       self        = true
     }
   }
 
+  #---
+  # egress 
+  #---
   # egress all
   egress {
     description = "${local.short_description}: All"
     from_port   = 0
     to_port     = 0
     protocol    = -1
-    cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks)))
+    cidr_blocks = distinct(flatten(compact(concat(local.egress_networks, var.egress_networks))))
   }
 
   # egress security group ids (all)

common/variables.common.tf

@@ -17,9 +17,9 @@ variable "ingress_networks" {
 }
 
 variable "egress_networks" {
-  description = "List of egress networks (with all pre-defined egress ports)"
+  description = "List of egress networks (with all pre-defined egress ports) (default: any)"
   type        = list(string)
-  default     = []
+  default     = ["0.0.0.0/0"]
 }
 
 variable "ingress_security_groups" {

common/variables.port_list.tf

@@ -0,0 +1,35 @@
+variable "ingress_port_list" {
+  description = "Ingress port list of 5-tuple: from, to, proto, description, and cidr(list)"
+  #  type        = list(tuple([number, number, any, string, list]))
+  default = [[]]
+}
+
+variable "ingress_port_map" {
+  description = "Ingress port list of objects: from, to, proto, description and cidr(list)"
+  type = list(object({
+    from        = number
+    to          = number
+    proto       = any
+    description = string
+    cidr        = list(string)
+  }))
+  default = []
+}
+
+variable "ingress_self_port_list" {
+  description = "Ingress port list of 4-tuple: from, to, proto, description"
+  #  type        = list(tuple([number, number, any, string]))
+  default = [[]]
+}
+
+variable "ingress_self_port_map" {
+  description = "Ingress self access port list of objects: from, to, proto, description"
+  type = list(object({
+    from        = number
+    to          = number
+    proto       = any
+    description = string
+  }))
+  default = []
+}
+

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.2.0"
+  _module_version = "2.2.2"
 }

custom/README.md

@@ -4,7 +4,10 @@ This describes how to use the aws-common-security-groups submodule for  custom.
 for the common security groups to a set of ports of your own doing.
 
 You will need to provide a `ingress_port_list` list of the details, or a `ingress_port_map` which allows for a cleaner structure.
-This creates an egress rule permitting all outbound access.
+This creates an egress rule permitting all outbound access.  If you provide both, it will combine the lists.
+
+You may also provide `ingress_self_port_list` and/or `ingress_self_port_map`, which contains the same fields
+as the `ingress_port_list` excluding the final `cidr` field.  Again, if both are provided, they will be combined.
 
 # Usage
 ## Port list
@@ -94,13 +97,15 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `""` | no |
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
-| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
+| <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | <pre>[<br>  []<br>]</pre> | no |
 | <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>    cidr        = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
+| <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | <pre>[<br>  []<br>]</pre> | no |
+| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>  }))</pre> | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Security Group Name (required) | `string` | n/a | yes |
 | <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |

custom/defaults.tf

@@ -3,5 +3,6 @@ locals {
     name              = "{{ name }}"
     description       = "Security group for application"
     short_description = "SG"
+    self_port_list    = [{ from = 0, to = 0, proto = -1, description = "all" }]
   }
 }

custom/main.tf

@@ -5,7 +5,10 @@
 * for the common security groups to a set of ports of your own doing.
 *
 * You will need to provide a `ingress_port_list` list of the details, or a `ingress_port_map` which allows for a cleaner structure.
-* This creates an egress rule permitting all outbound access.
+* This creates an egress rule permitting all outbound access.  If you provide both, it will combine the lists.
+*
+* You may also provide `ingress_self_port_list` and/or `ingress_self_port_map`, which contains the same fields
+* as the `ingress_port_list` excluding the final `cidr` field.  Again, if both are provided, they will be combined.
 *
 * # Usage
 * ## Port list