NEW: new security group module

2023-11-23 16:58:41 +08:00 · 2023-11-23 16:58:41 +08:00 · fc88634341
commit fc88634341
parent e6a826fc4c
4 changed files with 94 additions and 0 deletions
--- a/modules/compute/security_group/README.md
+++ b/modules/compute/security_group/README.md
@ -0,0 +1,54 @@
+# security-groups-gen2
+This module create security groups from a map
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| tags | tags | List | n/a | yes |
+| vpc-id | VPC id | string | n/a | yes |
+| security-groups | See example below | map | n/a | yes |
+
+### security-groups input
+Below is a sample security-groups map this module ingests 
+
+```
+module "bea-bast-sg" {
+  source = "../../modules/compute/security_groups"
+
+  security-groups = [
+    {
+      name        = "RackspaceAdmin2"
+      description = "Allow rdp/ssh access from Rackspace"
+      ingress = {
+        r1  = "icmp,-1,-1,0.0.0.0/0,ICMP ping"
+        r2  = "-1,-1,-1,1.2.3.4/32,Foo access"
+      }
+      egress = {
+        r1 = "-1,-1,-1,0.0.0.0/0,Default egress rule"
+      }
+    },
+    {
+      name        = "RackspaceAdmin"
+      description = "Allow rdp/ssh access from Rackspace"
+      ingress = {
+        r1 = "tcp,443,443,${aws_ec2_managed_prefix_list.rsip_range.id},Bar ip ranges"
+        r2 = "tcp,22,22,2.3.4.5/32,Joe Blow"
+      }
+      egress = {
+        r1 = "-1,-1,-1,0.0.0.0/0,Default egress rule"
+      }
+    }
+  ]
+
+  tags   = local.default-tags
+  vpc-id = "vpc-xxx"
+}
+```
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| sg-id-name | A map of SG id and their names |
+
--- a/modules/compute/security_group/main.tf
+++ b/modules/compute/security_group/main.tf
@ -0,0 +1,32 @@
+data aws_default_tags this {}
+
+resource "aws_security_group" "sg" {
+  name        = var.name
+  description = var.description
+  vpc_id      = var.vpc-id
+  tags = { Name = var.name }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ingress-rules" {
+  for_each                     = var.ingress
+  security_group_id            = aws_security_group.sg.id
+  ip_protocol                  = split(",", each.value)[0]
+  from_port                    = split(",", each.value)[1]
+  to_port                      = split(",", each.value)[2]
+  cidr_ipv4                    = substr(split(",", each.value)[3], 2, 1) != "-" ? split(",", each.value)[3] : null
+  referenced_security_group_id = substr(split(",", each.value)[3], 0, 2) == "sg" ? split(",", each.value)[3] : null
+  prefix_list_id               = substr(split(",", each.value)[3], 0, 2) == "pl" ? split(",", each.value)[3] : null
+  description                  = split(",", each.value)[4]
+}
+
+resource "aws_vpc_security_group_egress_rule" "egress-rules" {
+  for_each                     = var.egress
+  security_group_id            = aws_security_group.sg.id
+  ip_protocol                  = split(",", each.value)[0]
+  from_port                    = split(",", each.value)[1]
+  to_port                      = split(",", each.value)[2]
+  cidr_ipv4                    = substr(split(",", each.value)[3], 2, 1) != "-" ? split(",", each.value)[3] : null
+  referenced_security_group_id = substr(split(",", each.value)[3], 0, 2) == "sg" ? split(",", each.value)[3] : null
+  prefix_list_id               = substr(split(",", each.value)[3], 0, 2) == "pl" ? split(",", each.value)[3] : null
+  description                  = split(",", each.value)[4]
+}
--- a/modules/compute/security_group/outputs.tf
+++ b/modules/compute/security_group/outputs.tf
@ -0,0 +1,3 @@
+output id {
+  value = aws_security_group.sg.id
+}
--- a/modules/compute/security_group/variables.tf
+++ b/modules/compute/security_group/variables.tf
@ -0,0 +1,5 @@
+variable name {}
+variable description {}
+variable vpc-id {}
+variable ingress {}
+variable egress {}