Merge pull request #1 from solutionDrive/add-terraform-module

added existing module and updated the README.md so no internal stuff …
solutionDrive · Apr 25, 2019 · 218ca96 · 218ca96
2 parents 0d269a9 + b6fc1c3
commit 218ca96
Show file tree

Hide file tree

Showing 5 changed files with 404 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+/.idea
diff --git a/README.md b/README.md
@@ -1,2 +1,112 @@
 # terraform-security-group
-Terraform-Module for creating security-groups
+Terraform-Module for creating security-groups for terraform v0.11.x.
+In future releases of terraform a lot of this hopefully won't be necessary anymore.
+
+Till then, we hope this module can help others out there.
+Good Luck!
+
+### Input Parameters
+
+see variables.tf
+
+**__caution!!__**
+Due to terraform the following is absolutley important
+To be able to generate security_groups with a dynamic amount of ingress/egress rules some tripwires should be known
+1. each Port defined in one of the *_rules-variables will lead to a new rule for this port
+2. for each Port a protocol has to be defined, even if they are all the same
+3. in cidr_based rules, it is possible to define multiple cidr-blocks per rule. In this case the Delimiter for 2 rules is '~~~' 
+
+
+### Output Parameters
++ security_group_id: The ID of the created security-group
+
+### Example
+```hcl-terraform
+module "security_group_webserver" {
+ source = "git::ssh://[email protected]:solutionDrive/terraform-security-group.git"
+ # Basic stuff
+ profile = "Name of AWS Profile to use"
+ name = "name_of_your_security_group"
+ description = "desctiption of your security group"
+ vpc_id = "${var.vpc_id}"
+ 
+ # cidr-rules related stuff
+ cidr_ingress_rules = {
+ "ports" = "80~~~443~~~22"
+ "protocols" = "tcp~~~tcp~~~tcp"
+ "cidr_blocks" = "your.ip.address.here/32,your.second.ip.address/32~~~your.ip.address.here/32,your.second.ip.address/32~~~0.0.0.0/0"
+ "descriptions" = "your-description-here,somebody-elses-desciption~~~still-your-description-here,still-somebody-elses-desciption~~~the evil rest"
+ }
+ cidr_ingress_rules_count = 3 # This count has to equal the amount of Ports defined in <cidr_ingress_rules>
+ 
+ # security_group related stuff
+ security_group_ingress_rules = {
+ "ports" = "6379"
+ "protocols" = "tcp"
+ "source_security_groups" = "self"
+ "descriptions" = "That is me"
+ }
+ security_group_ingress_rules_count = 1 # This count has to equal the amount of Ports defined in <security_group_ingress_rules>
+ 
+ provider_region = "${var.default_region}"
+ account_id = "${var.oxid_dev_account_id}" # to be able to assume Roles from a specific account
+}
+```
+
+##### Example Output
+```bash
++ module.security_group_webserver.aws_security_group.security_group
+ description: "desctiption of your security group"
+ egress.#: "<computed>"
+ ingress.#: "<computed>"
+ name: "name_of_your_security_group"
+ owner_id: "<computed>"
+ tags.%: "1"
+ tags.Name: "name_of_your_security_group"
+ vpc_id: "${var.vpc_id}"
+
++ module.security_group_webserver.aws_security_group_rule.cidr_ingress_rule.0
+ cidr_blocks.#: "2"
+ cidr_blocks.0: "your.ip.address.here/32"
+ cidr_blocks.1: "your.second.ip.address/32"
+ from_port: "80"
+ protocol: "tcp"
+ security_group_id: "${aws_security_group.security_group.id}"
+ self: "false"
+ source_security_group_id: "<computed>"
+ to_port: "80"
+ type: "ingress"
+
++ module.security_group_webserver.aws_security_group_rule.cidr_ingress_rule.1
+ cidr_blocks.#: "2"
+ cidr_blocks.0: "your.ip.address.here/32"
+ cidr_blocks.1: "your.second.ip.address/32"
+ from_port: "443"
+ protocol: "tcp"
+ security_group_id: "${aws_security_group.security_group.id}"
+ self: "false"
+ source_security_group_id: "<computed>"
+ to_port: "443"
+ type: "ingress"
+
++ module.security_group_webserver.aws_security_group_rule.cidr_ingress_rule.2
+ cidr_blocks.#: "1"
+ cidr_blocks.0: "0.0.0.0/0"
+ from_port: "22"
+ protocol: "tcp"
+ security_group_id: "${aws_security_group.security_group.id}"
+ self: "false"
+ source_security_group_id: "<computed>"
+ to_port: "22"
+ type: "ingress"
+
++ module.security_group_webserver.aws_security_group_rule.sg_ingress_rule
+ from_port: "6379"
+ protocol: "tcp"
+ security_group_id: "${aws_security_group.security_group.id}"
+ self: "false"
+ source_security_group_id: "${element(split(\",\", var.security_group_ingress_rules[\"source_security_groups\"]), count.index) == \"self\" ? aws_security_group.security_group.id : element(split(\",\", var.security_group_ingress_rules[\"source_security_groups\"]), count.index)}"
+ to_port: "6379"
+ type: "ingress"
+
+```
diff --git a/main.tf b/main.tf
@@ -0,0 +1,147 @@
+provider "aws" {
+ alias = "module"
+ region = "${var.provider_region}"
+ profile = "${var.profile}"
+ assume_role {
+ role_arn = "${var.assume_role_arn}"
+ }
+}
+
+resource "aws_security_group" "security_group" {
+ provider = "aws.module"
+ name = "${var.name}"
+ description = "${var.description}"
+ vpc_id = "${var.vpc_id}"
+ tags = "${merge(var.custom_tags, map("Name", var.name))}"
+}
+
+##### IPv4 #####
+#
+# Iterates over all given ingress rules and uses some build-in terraform functionality to create all
+# Ingress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+
+resource "aws_security_group_rule" "cidr_ingress_rule" {
+ provider = "aws.module"
+ type = "ingress"
+
+ count = "${var.cidr_ipv4_ingress_rules_count}"
+ security_group_id = "${aws_security_group.security_group.id}"
+
+ from_port = "${element(split("~~~", var.cidr_ipv4_ingress_rules["ports"]), count.index)}"
+ to_port = "${element(split("~~~", var.cidr_ipv4_ingress_rules["ports"]), count.index)}"
+ protocol = "${element(split("~~~", var.cidr_ipv4_ingress_rules["protocols"]), count.index)}"
+
+ cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv4_ingress_rules["cidr_blocks"]), count.index))}"
+
+ description = "${element(split(",", element(split("~~~", var.cidr_ipv4_ingress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+#
+# Iterates over all given egress rules and uses some build-in terraform functionality to create all
+# Egress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "cidr_egress_rule" {
+ provider = "aws.module"
+ type = "egress"
+
+ count = "${var.cidr_ipv4_egress_rules_count}"
+ security_group_id = "${aws_security_group.security_group.id}"
+
+ from_port = "${element(split("~~~", var.cidr_ipv4_egress_rules["ports"]), count.index)}"
+ to_port = "${element(split("~~~", var.cidr_ipv4_egress_rules["ports"]), count.index)}"
+ protocol = "${element(split("~~~", var.cidr_ipv4_egress_rules["protocols"]), count.index)}"
+
+ cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv4_egress_rules["cidr_blocks"]), count.index))}"
+
+ description = "${element(split(",", element(split("~~~", var.cidr_ipv4_egress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+##### IPv6 #####
+#
+# Iterates over all given ipv6 ingress rules and uses some build-in terraform functionality to create all
+# Ingress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+
+resource "aws_security_group_rule" "cidr_ipv6_ingress_rule" {
+ provider = "aws.module"
+ type = "ingress"
+
+ count = "${var.cidr_ipv6_ingress_rules_count}"
+ security_group_id = "${aws_security_group.security_group.id}"
+
+ from_port = "${element(split("~~~", var.cidr_ipv6_ingress_rules["ports"]), count.index)}"
+ to_port = "${element(split("~~~", var.cidr_ipv6_ingress_rules["ports"]), count.index)}"
+ protocol = "${element(split("~~~", var.cidr_ipv6_ingress_rules["protocols"]), count.index)}"
+
+ ipv6_cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv6_ingress_rules["ipv6_cidr_blocks"]), count.index))}"
+
+ description = "${element(split(",", element(split("~~~", var.cidr_ipv6_ingress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+#
+# Iterates over all given ipv6 egress rules and uses some build-in terraform functionality to create all
+# Egress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "cidr_ipv6_egress_rule" {
+ provider = "aws.module"
+ type = "egress"
+
+ count = "${var.cidr_ipv6_egress_rules_count}"
+ security_group_id = "${aws_security_group.security_group.id}"
+
+ from_port = "${element(split("~~~", var.cidr_ipv6_egress_rules["ports"]), count.index)}"
+ to_port = "${element(split("~~~", var.cidr_ipv6_egress_rules["ports"]), count.index)}"
+ protocol = "${element(split("~~~", var.cidr_ipv6_egress_rules["protocols"]), count.index)}"
+
+ ipv6_cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv6_egress_rules["ipv6_cidr_blocks"]), count.index))}"
+
+ description = "${element(split(",", element(split("~~~", var.cidr_ipv6_egress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+##### SecurityGroups #####
+#
+# Iterates over all given ingress rules and uses some build-in terraform functionality to create all
+# Ingress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "sg_ingress_rule" {
+ provider = "aws.module"
+ type = "ingress"
+
+ count = "${var.security_group_ingress_rules_count}"
+ security_group_id = "${aws_security_group.security_group.id}"
+
+ from_port = "${element(split("~~~", var.security_group_ingress_rules["ports"]), count.index)}"
+ to_port = "${element(split("~~~", var.security_group_ingress_rules["ports"]), count.index)}"
+ protocol = "${element(split("~~~", var.security_group_ingress_rules["protocols"]), count.index)}"
+
+ source_security_group_id = "${element(split("~~~", var.security_group_ingress_rules["source_security_groups"]), count.index) == "self" ? aws_security_group.security_group.id : element(split("~~~", var.security_group_ingress_rules["source_security_groups"]), count.index)}"
+
+ description = "${element(split(",", element(split("~~~", var.security_group_ingress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+#
+# Iterates over all given egress rules and uses some build-in terraform functionality to create all
+# Egress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "sg_egress_rule" {
+ provider = "aws.module"
+ type = "egress"
+
+ count = "${var.security_group_egress_rules_count}"
+ security_group_id = "${aws_security_group.security_group.id}"
+
+ from_port = "${element(split("~~~", var.security_group_egress_rules["ports"]), count.index)}"
+ to_port = "${element(split("~~~", var.security_group_egress_rules["ports"]), count.index)}"
+ protocol = "${element(split("~~~", var.security_group_egress_rules["protocols"]), count.index)}"
+
+ source_security_group_id = "${element(split("~~~", var.security_group_egress_rules["source_security_groups"]), count.index) == "self" ? aws_security_group.security_group.id : element(split("~~~", var.security_group_egress_rules["source_security_groups"]), count.index)}"
+
+ description = "${element(split(",", element(split("~~~", var.security_group_egress_rules["descriptions"]), count.index)), count.index)}"
+}
diff --git a/output.tf b/output.tf
@@ -0,0 +1,4 @@
+output "security_group_id" {
+ value = "${aws_security_group.security_group.id}"
+}
+