add ingress, egress networks

security-groups/README.md

@@ -74,3 +74,85 @@ module "base-security-groups" {
 | Name | Description |
 |------|-------------|
 | <a name="output_security_groups"></a> [security\_groups](#output\_security\_groups) | Security Group map(object{name, id, arn}) |
+
+<!-- BEGIN_TF_DOCS -->
+# About aws-vpc-setup :: security-groups
+
+This sets up the default base security groups needed in each VPC from the `aws-common-security-groups` module
+and associated submodules.
+* it-linux-base
+* it-windows-base
+* ois-scanner
+
+# Usage
+
+```hcl
+module "base-security-groups" {
+  source          = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups"
+  vpc_id          = "vpc-1234568"
+  vpc_full_name   = "vpc2-dice-dev"
+  vpc_environment = "dev"
+  tags            = {}
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_sg-linux-base"></a> [sg-linux-base](#module\_sg-linux-base) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base | tf-upgrade |
+| <a name="module_sg-ois-scanner"></a> [sg-ois-scanner](#module\_sg-ois-scanner) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//ois-scanner | tf-upgrade |
+| <a name="module_sg-windows-base"></a> [sg-windows-base](#module\_sg-windows-base) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks | `list(string)` | `[]` | no |
+| <a name="input_enable_manage_default_sg"></a> [enable\_manage\_default\_sg](#input\_enable\_manage\_default\_sg) | Flag to manage default security group if present. Set to false for shared VPCs | `bool` | `true` | no |
+| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access | `list(string)` | `[]` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_security_groups"></a> [security\_groups](#output\_security\_groups) | Security Group map(object{name, id, arn}) |
+<!-- END_TF_DOCS -->

security-groups/main.tf

@@ -52,11 +52,14 @@ resource "aws_default_security_group" "default" {
 # base security groups in each vpc
 #---
 module "sg-linux-base" {
-  source        = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base?ref=tf-upgrade"
-  vpc_id        = var.vpc_id
-  vpc_full_name = var.vpc_full_name
-  use_vpc_cidr  = false
-  enable_self   = false
+  source           = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base?ref=tf-upgrade"
+  vpc_id           = var.vpc_id
+  vpc_full_name    = var.vpc_full_name
+  use_vpc_cidr     = false
+  enable_self      = false
+  ingress_networks = var.ingress_networks
+  egress_networks  = var.egress_networks
+
   tags = merge(
     local.base_tags,
     var.tags,
@@ -65,11 +68,14 @@ module "sg-linux-base" {
 }
 
 module "sg-windows-base" {
-  source        = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base?ref=tf-upgrade"
-  vpc_id        = var.vpc_id
-  vpc_full_name = var.vpc_full_name
-  use_vpc_cidr  = false
-  enable_self   = false
+  source           = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base?ref=tf-upgrade"
+  vpc_id           = var.vpc_id
+  vpc_full_name    = var.vpc_full_name
+  use_vpc_cidr     = false
+  enable_self      = false
+  ingress_networks = var.ingress_networks
+  egress_networks  = var.egress_networks
+
   tags = merge(
     local.base_tags,
     var.tags,
@@ -78,11 +84,14 @@ module "sg-windows-base" {
 }
 
 module "sg-ois-scanner" {
-  source        = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//ois-scanner?ref=tf-upgrade"
-  vpc_id        = var.vpc_id
-  vpc_full_name = var.vpc_full_name
-  use_vpc_cidr  = false
-  enable_self   = false
+  source           = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//ois-scanner?ref=tf-upgrade"
+  vpc_id           = var.vpc_id
+  vpc_full_name    = var.vpc_full_name
+  use_vpc_cidr     = false
+  enable_self      = false
+  ingress_networks = var.ingress_networks
+  egress_networks  = var.egress_networks
+
   tags = merge(
     local.base_tags,
     var.tags,

security-groups/variables.tf

@@ -3,3 +3,15 @@ variable "enable_manage_default_sg" {
   type        = bool
   default     = true
 }
+
+variable "ingress_networks" {
+  description = "List of ingress networks for external access"
+  type        = list(string)
+  default     = []
+}
+
+variable "egress_networks" {
+  description = "List of egress networks"
+  type        = list(string)
+  default     = []
+}