pass in vpc cidr to sg module, add new 'project' type, update descriptions

Signed-off-by: matttrach <matttrach@gmail.com>
2023-09-27 18:55:02 -05:00 · 2023-09-27 18:55:02 -05:00 · 459ba26477
parent 542c2b7904
commit 459ba26477
4 changed files with 66 additions and 14 deletions
--- a/main.tf
+++ b/main.tf
@ -38,13 +38,14 @@ module "subnet" {
 }

 module "security_group" {
-  source = "./modules/security_group"
-  name   = local.security_group_name
-  ip     = (local.security_group_ip == "" ? data.http.get_my_ip[0].response_body : local.security_group_ip)
-  cidr   = module.subnet.cidr
-  owner  = local.owner
-  type   = local.security_group_type
-  vpc_id = module.vpc.id
+  source   = "./modules/security_group"
+  name     = local.security_group_name
+  ip       = (local.security_group_ip == "" ? data.http.get_my_ip[0].response_body : local.security_group_ip)
+  cidr     = module.subnet.cidr
+  owner    = local.owner
+  type     = local.security_group_type
+  vpc_id   = module.vpc.id
+  vpc_cidr = module.vpc.cidr
 }

 module "ssh_key" {
--- a/modules/security_group/main.tf
+++ b/modules/security_group/main.tf
@ -69,7 +69,26 @@ resource "aws_security_group_rule" "internal_egress" {
  cidr_blocks       = [local.cidr]
  security_group_id = aws_security_group.new[0].id
 }
-
+# this rule allows any ip in the cidr on any port to initiate connections to the server
+resource "aws_security_group_rule" "project_ingress" {
+  count             = (local.type.project_ingress ? 1 : 0)
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = [local.vpc_cidr]
+  security_group_id = aws_security_group.new[0].id
+}
+# this rule allows the server to initiate connections to any ip in the cidr on any port
+resource "aws_security_group_rule" "project_egress" {
+  count             = (local.type.project_egress ? 1 : 0)
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = [local.vpc_cidr]
+  security_group_id = aws_security_group.new[0].id
+}
 # this is necessary if you want to update or install anything from the internet
 # allows server to initiate connections to anywhere
 resource "aws_security_group_rule" "external_egress" {
--- a/modules/security_group/types.tf
+++ b/modules/security_group/types.tf
@ -7,6 +7,8 @@ locals {
      specific_ip_egress  = false
      internal_ingress    = false
      internal_egress     = false
+      project_ingress     = false
+      project_egress      = false
      public_ingress      = false
      public_egress       = false
    }
@ -19,6 +21,8 @@ locals {
      specific_ip_egress  = true
      internal_ingress    = false
      internal_egress     = false
+      project_ingress     = false
+      project_egress      = false
      public_ingress      = false
      public_egress       = false
    }
@ -31,19 +35,37 @@ locals {
      specific_ip_egress  = true
      internal_ingress    = true
      internal_egress     = true
+      project_ingress     = false
+      project_egress      = false
      public_ingress      = false
      public_egress       = false
    }
-    egress = {
-      # allow all ingress and egress, but only from specified ip and cidr
-      # allow egress to public internet, this enables updates and package installs
-      # the server will be able to initiate connections to anywhere
-      # only specified ip and cidr can initiate connections to the server
-      # specified ip can be outside the vpc, the cidr must be inside the vpc
+    project = {
+      # allow all ingress and egress, but only from specified ip, cidr, and VPC cidr
+      # this will require users to figure out how to update and install packages without public internet access
+      # the server will only be able to egress to specified ip, or any server on a subnet within the VPC internal CIDR
+      # specified ip can be outside the vpc, the cidr must be inside the vpc, and the vpc cidr must match the vpc
      specific_ip_ingress = true
      specific_ip_egress  = true
      internal_ingress    = true
      internal_egress     = true
+      project_ingress     = true
+      project_egress      = true
+      public_ingress      = false
+      public_egress       = false
+    }
+    egress = {
+      # allow all ingress and egress, but only from specified ip and vpc cidr
+      # allow egress to public internet, this enables updates and package installs
+      # the server will be able to initiate connections to anywhere
+      # only specified ip and vpc cidr can initiate connections to the server
+      # specified ip can be outside the vpc, the cidr must be inside the vpc, and the vpc cidr must match the vpc
+      specific_ip_ingress = true
+      specific_ip_egress  = true
+      internal_ingress    = true
+      internal_egress     = true
+      project_ingress     = true
+      project_egress      = true
      public_ingress      = false
      public_egress       = true
    }
@ -54,6 +76,8 @@ locals {
      specific_ip_egress  = true
      internal_ingress    = true
      internal_egress     = true
+      project_ingress     = true
+      project_egress      = true
      public_ingress      = true
      public_egress       = true
    }
--- a/modules/security_group/variables.tf
+++ b/modules/security_group/variables.tf
@ -48,4 +48,12 @@ variable "vpc_id" {
    Not necessary if the security group is being found.
  EOT
  default     = ""
+}
+variable "vpc_cidr" {
+  type        = string
+  description = <<-EOT
+    The CIDR of the VPC, used to allow ingress from the VPC to the servers in the security group.
+    Not necessary if the security group is being found.
+  EOT
+  default     = ""
 }