diff --git a/modules/compute/security_group/README.md b/modules/compute/security_group/README.md
new file mode 100644
index 0000000..1889141
--- /dev/null
+++ b/modules/compute/security_group/README.md
@@ -0,0 +1,54 @@
+# security-groups-gen2
+This module create security groups from a map
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| tags | tags | List | n/a | yes |
+| vpc-id | VPC id | string | n/a | yes |
+| security-groups | See example below | map | n/a | yes |
+
+### security-groups input
+Below is a sample security-groups map this module ingests
+
+```
+module "bea-bast-sg" {
+  source = "../../modules/compute/security_groups"
+
+  security-groups = [
+    {
+      name = "RackspaceAdmin2"
+      description = "Allow rdp/ssh access from Rackspace"
+      ingress = {
+        r1 = "icmp,-1,-1,0.0.0.0/0,ICMP ping"
+        r2 = "-1,-1,-1,1.2.3.4/32,Foo access"
+      }
+      egress = {
+        r1 = "-1,-1,-1,0.0.0.0/0,Default egress rule"
+      }
+    },
+    {
+      name = "RackspaceAdmin"
+      description = "Allow rdp/ssh access from Rackspace"
+      ingress = {
+        r1 = "tcp,443,443,${aws_ec2_managed_prefix_list.rsip_range.id},Bar ip ranges"
+        r2 = "tcp,22,22,2.3.4.5/32,Joe Blow"
+      }
+      egress = {
+        r1 = "-1,-1,-1,0.0.0.0/0,Default egress rule"
+      }
+    }
+  ]
+
+  tags = local.default-tags
+  vpc-id = "vpc-xxx"
+}
+```
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| sg-id-name | A map of SG id and their names |
+
diff --git a/modules/compute/security_group/main.tf b/modules/compute/security_group/main.tf
new file mode 100644
index 0000000..136c277
--- /dev/null
+++ b/modules/compute/security_group/main.tf
@@ -0,0 +1,32 @@
+data aws_default_tags this {}
+
+resource "aws_security_group" "sg" {
+  name = var.name
+  description = var.description
+  vpc_id = var.vpc-id
+  tags = { Name = var.name }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ingress-rules" {
+  for_each = var.ingress
+  security_group_id = aws_security_group.sg.id
+  ip_protocol = split(",", each.value)[0]
+  from_port = split(",", each.value)[1]
+  to_port = split(",", each.value)[2]
+  cidr_ipv4 = substr(split(",", each.value)[3], 2, 1) != "-" ? split(",", each.value)[3] : null
+  referenced_security_group_id = substr(split(",", each.value)[3], 0, 2) == "sg" ? split(",", each.value)[3] : null
+  prefix_list_id = substr(split(",", each.value)[3], 0, 2) == "pl" ? split(",", each.value)[3] : null
+  description = split(",", each.value)[4]
+}
+
+resource "aws_vpc_security_group_egress_rule" "egress-rules" {
+  for_each = var.egress
+  security_group_id = aws_security_group.sg.id
+  ip_protocol = split(",", each.value)[0]
+  from_port = split(",", each.value)[1]
+  to_port = split(",", each.value)[2]
+  cidr_ipv4 = substr(split(",", each.value)[3], 2, 1) != "-" ? split(",", each.value)[3] : null
+  referenced_security_group_id = substr(split(",", each.value)[3], 0, 2) == "sg" ? split(",", each.value)[3] : null
+  prefix_list_id = substr(split(",", each.value)[3], 0, 2) == "pl" ? split(",", each.value)[3] : null
+  description = split(",", each.value)[4]
+}
diff --git a/modules/compute/security_group/outputs.tf b/modules/compute/security_group/outputs.tf
new file mode 100644
index 0000000..5a963bf
--- /dev/null
+++ b/modules/compute/security_group/outputs.tf
@@ -0,0 +1,3 @@
+output id {
+  value = aws_security_group.sg.id
+}
\ No newline at end of file
diff --git a/modules/compute/security_group/variables.tf b/modules/compute/security_group/variables.tf
new file mode 100644
index 0000000..4fb72d0
--- /dev/null
+++ b/modules/compute/security_group/variables.tf
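Review bot: In both `ingress-rules` and `egress-rules` the fourth comma-separated field is classified by string shape alone — prefix `sg`, prefix `pl`, otherwise anything whose third character is not `-` is handed to `cidr_ipv4` — so an IPv6 prefix, a hostname or a typo passes plan and is only rejected by AWS at apply, while a value shorter than three characters or a rule with fewer than five fields fails inside `substr()`/indexing with an opaque error. A narrower test for the CIDR branch, `cidr_ipv4 = can(cidrnetmask(split(",", each.value)[3])) ? split(",", each.value)[3] : null`, confines that attribute to syntactically valid IPv4 prefixes (cidrnetmask does not accept IPv6) and leaves an obvious slot for a `cidr_ipv6` sibling if that is wanted. Binding `split(",", each.value)` once — a `locals` map of parsed rules, or at least one named list per resource — would also remove the seven repeated splits in each block. Separately, `data aws_default_tags this {}` is declared but referenced nowhere in this hunk, and the rule resources carry no `tags` while the group itself gets only `Name`; if the data source is meant to feed tagging it should be wired in, otherwise dropped. Note too that a rule description containing a comma is silently truncated to its first segment by the `[4]` index.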
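Review bot: Output `id` has no `description`, and the README added in the same commit documents the module's only output as `sg-id-name` ("A map of SG id and their names"), which this file does not define; one of the two needs to change so consumers can rely on the documented name. Adding `description = "ID of the created security group"` inside the block would also let documentation tooling pick it up. The file ends without a trailing newline, which a formatter pass would normally repair.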
@@ -0,0 +1,5 @@
+variable name {}
+variable description {}
+variable vpc-id {}
+variable ingress {}
+variable egress {}
\ No newline at end of file
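Review bot: All five variables are declared without `type` or `description`, so `ingress` and `egress` — which drive `for_each` in `main.tf` and are parsed there as five-field comma-separated strings — accept any value, and misuse surfaces only as a cryptic index or `for_each` error rather than at variable validation. Declaring them as `map(string)` with a `validation` block pinning the five-field shape fails fast with a readable message; the same block applies to `egress`, and `name`, `description` and `vpc-id` should at least get `type = string` and a description. The README in this commit also documents inputs `tags`, `vpc-id` and `security-groups` rather than the `name`/`description`/`ingress`/`egress` declared here, so the two need reconciling. Unquoted block labels such as `variable name {}` are legacy HCL style that `terraform fmt` normalizes to the quoted form.
```hcl
variable "ingress" {
  description = "Ingress rules keyed by rule name; each value is \"protocol,from_port,to_port,target,description\" where target is an IPv4 CIDR, a security group id (sg-...) or a prefix list id (pl-...)"
  type        = map(string)

  validation {
    condition     = alltrue([for v in values(var.ingress) : length(split(",", v)) == 5])
    error_message = "Each ingress rule must have exactly five comma-separated fields."
  }
}
# … unchanged: name, description, vpc-id and egress declarations (egress takes the same type and validation) …
```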