diff --git a/security-groups/README.md b/security-groups/README.md
index e7b78c1..61751e6 100644
--- a/security-groups/README.md
+++ b/security-groups/README.md
@@ -74,3 +74,85 @@ module "base-security-groups" {
| Name | Description |
|------|-------------|
| [security\_groups](#output\_security\_groups) | Security Group map(object{name, id, arn}) |
+
+
+# About aws-vpc-setup :: security-groups
+
+This sets up the default base security groups needed in each VPC from the `aws-common-security-groups` module
+and associated submodules.
+* it-linux-base
+* it-windows-base
+* ois-scanner
+
+# Usage
+
+```hcl
+module "base-security-groups" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//security-groups"
+ vpc_id = "vpc-1234568"
+ vpc_full_name = "vpc2-dice-dev"
+ vpc_environment = "dev"
+ tags = {}
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 3.66.0 |
+| [ldap](#requirement\_ldap) | >= 0.5.4 |
+| [local](#requirement\_local) | >= 1.0.0 |
+| [null](#requirement\_null) | >= 3.0 |
+| [random](#requirement\_random) | >= 3.0 |
+| [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.66.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [sg-linux-base](#module\_sg-linux-base) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base | tf-upgrade |
+| [sg-ois-scanner](#module\_sg-ois-scanner) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//ois-scanner | tf-upgrade |
+| [sg-windows-base](#module\_sg-windows-base) | git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks | `list(string)` | `[]` | no |
+| [enable\_manage\_default\_sg](#input\_enable\_manage\_default\_sg) | Flag to manage default security group if present. Set to false for shared VPCs | `bool` | `true` | no |
+| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access | `list(string)` | `[]` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [security\_groups](#output\_security\_groups) | Security Group map(object{name, id, arn}) |
+
\ No newline at end of file
diff --git a/security-groups/main.tf b/security-groups/main.tf
index 49958b5..47f3bee 100644
--- a/security-groups/main.tf
+++ b/security-groups/main.tf
@@ -52,11 +52,14 @@ resource "aws_default_security_group" "default" {
# base security groups in each vpc
#---
module "sg-linux-base" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base?ref=tf-upgrade"
- vpc_id = var.vpc_id
- vpc_full_name = var.vpc_full_name
- use_vpc_cidr = false
- enable_self = false
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base?ref=tf-upgrade"
+ vpc_id = var.vpc_id
+ vpc_full_name = var.vpc_full_name
+ use_vpc_cidr = false
+ enable_self = false
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
tags = merge(
local.base_tags,
var.tags,
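Review bot: The re-aligned `source` line still pins the submodule to `?ref=tf-upgrade`, which reads as a branch name rather than a release tag or commit SHA, so anyone who pushes to that branch silently changes the ingress/egress rules every VPC receives on its next apply — and this commit now also routes caller-supplied networks through that code. Pin to an immutable ref, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-linux-base?ref=<release-tag-or-commit-sha>"`, and bump it deliberately. The module block continues past the end of the hunk (the `tags = merge(` call is closed below).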
@@ -65,11 +68,14 @@ module "sg-linux-base" {
}
module "sg-windows-base" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base?ref=tf-upgrade"
- vpc_id = var.vpc_id
- vpc_full_name = var.vpc_full_name
- use_vpc_cidr = false
- enable_self = false
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//it-windows-base?ref=tf-upgrade"
+ vpc_id = var.vpc_id
+ vpc_full_name = var.vpc_full_name
+ use_vpc_cidr = false
+ enable_self = false
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
tags = merge(
local.base_tags,
var.tags,
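Review bot: `ingress_networks` and `egress_networks` are passed through with a default of `[]` while `use_vpc_cidr = false` stays set, so a plain invocation gives the Windows base SG no caller-supplied networks at all; whether the submodule then creates an SG with no ingress/egress rules or falls back to some wider built-in default is not visible from this hunk and should be confirmed against `it-windows-base`. Whichever it is, the outcome of the empty default deserves a comment above the two new lines, e.g. `# Empty lists with use_vpc_cidr=false: submodule emits no ingress/egress rules — confirmed against aws-common-security-groups <ref>`, so the next reader does not have to open the other repo. The module block continues past the end of the hunk.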
@@ -78,11 +84,14 @@ module "sg-windows-base" {
}
module "sg-ois-scanner" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//ois-scanner?ref=tf-upgrade"
- vpc_id = var.vpc_id
- vpc_full_name = var.vpc_full_name
- use_vpc_cidr = false
- enable_self = false
+ source = "git@github.e.it.census.gov:terraform-modules/aws-common-security-groups.git//ois-scanner?ref=tf-upgrade"
+ vpc_id = var.vpc_id
+ vpc_full_name = var.vpc_full_name
+ use_vpc_cidr = false
+ enable_self = false
+ ingress_networks = var.ingress_networks
+ egress_networks = var.egress_networks
+
tags = merge(
local.base_tags,
var.tags,
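Review bot: The same `var.ingress_networks` list that grants external access to the Linux and Windows base SGs is now also handed unchanged to the scanner SG, so every network a caller adds for workload access is automatically allowed whatever `ois-scanner` exposes, and there is no way to give the scanner a narrower source list. If the scanner's trust set is meant to differ from the base SGs' (plausible given the separate submodule, but not visible here), add a dedicated input such as `scanner_ingress_networks` (type `list(string)`, default `[]`) and select it with `ingress_networks = length(var.scanner_ingress_networks) > 0 ? var.scanner_ingress_networks : var.ingress_networks`. Otherwise a one-line comment stating that the scanner intentionally shares the base ingress set would stop the next reviewer raising this again. The module block continues past the end of the hunk.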
diff --git a/security-groups/variables.tf b/security-groups/variables.tf
index dc94ce5..7e90f6a 100644
--- a/security-groups/variables.tf
+++ b/security-groups/variables.tf
@@ -3,3 +3,15 @@ variable "enable_manage_default_sg" {
type = bool
default = true
}
+
+variable "ingress_networks" {
+ description = "List of ingress networks for external access"
+ type = list(string)
+ default = []
+}
+
+variable "egress_networks" {
+ description = "List of egress networks"
+ type = list(string)
+ default = []
+}