pass in vpc cidr to sg module, add new 'project' type, update descriptions

Signed-off-by: matttrach <matttrach@gmail.com>
This commit is contained in:
matttrach 2023-09-27 18:55:02 -05:00
parent 542c2b7904
commit 459ba26477
No known key found for this signature in database
GPG Key ID: C00467FDE2D0231F
4 changed files with 66 additions and 14 deletions


@ -45,6 +45,7 @@ module "security_group" {
owner = local.owner owner = local.owner
type = local.security_group_type type = local.security_group_type
vpc_id = module.vpc.id vpc_id = module.vpc.id
vpc_cidr = module.vpc.cidr
} }
module "ssh_key" { module "ssh_key" {


@ -69,7 +69,26 @@ resource "aws_security_group_rule" "internal_egress" {
cidr_blocks = [local.cidr] cidr_blocks = [local.cidr]
security_group_id = aws_security_group.new[0].id security_group_id = aws_security_group.new[0].id
} }
# this rule allows any ip in the cidr on any port to initiate connections to the server
resource "aws_security_group_rule" "project_ingress" {
count = (local.type.project_ingress ? 1 : 0)
type = "ingress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [local.vpc_cidr]
security_group_id = aws_security_group.new[0].id
}
# this rule allows the server to initiate connections to any ip in the cidr on any port
resource "aws_security_group_rule" "project_egress" {
count = (local.type.project_egress ? 1 : 0)
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [local.vpc_cidr]
security_group_id = aws_security_group.new[0].id
}
# this is necessary if you want to update or install anything from the internet # this is necessary if you want to update or install anything from the internet
# allows server to initiate connections to anywhere # allows server to initiate connections to anywhere
resource "aws_security_group_rule" "external_egress" { resource "aws_security_group_rule" "external_egress" {
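Review bot: The two new `cidr_blocks = [local.vpc_cidr]` lines reference a local that no locals hunk in this commit defines, while the input added in the variables file is `var.vpc_cidr`; unless a `vpc_cidr = var.vpc_cidr` local already exists elsewhere, the plan fails with an unsupported attribute error, so either reference `var.vpc_cidr` directly or add that local. Because the variable defaults to `""`, a `project` type used with the default also yields `cidr_blocks = [""]`, which is only rejected by the provider at apply time; if the module's required Terraform version permits preconditions, a `lifecycle` precondition on both rules gives a clear message up front. The comments on the new rules say "any ip in the cidr", but the `internal_*` rules above use `local.cidr` (the subnet), so `# this rule allows any ip in the VPC cidr on any port to initiate connections to the server` keeps the two distinguishable. The `external_egress` resource continues outside the hunk.
```hcl
resource "aws_security_group_rule" "project_ingress" {
  count = (local.type.project_ingress ? 1 : 0)
  # … unchanged: type, from_port, to_port, protocol, cidr_blocks, security_group_id …
  lifecycle {
    precondition {
      condition     = local.vpc_cidr != ""
      error_message = "vpc_cidr must be set when the security group type enables project_ingress."
    }
  }
}
# … same precondition (with project_egress in the message) on "project_egress" …
```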


@ -7,6 +7,8 @@ locals {
specific_ip_egress = false specific_ip_egress = false
internal_ingress = false internal_ingress = false
internal_egress = false internal_egress = false
project_ingress = false
project_egress = false
public_ingress = false public_ingress = false
public_egress = false public_egress = false
} }
@ -19,6 +21,8 @@ locals {
specific_ip_egress = true specific_ip_egress = true
internal_ingress = false internal_ingress = false
internal_egress = false internal_egress = false
project_ingress = false
project_egress = false
public_ingress = false public_ingress = false
public_egress = false public_egress = false
} }
@ -31,19 +35,37 @@ locals {
specific_ip_egress = true specific_ip_egress = true
internal_ingress = true internal_ingress = true
internal_egress = true internal_egress = true
project_ingress = false
project_egress = false
public_ingress = false public_ingress = false
public_egress = false public_egress = false
} }
egress = { project = {
# allow all ingress and egress, but only from specified ip and cidr # allow all ingress and egress, but only from specified ip, cidr, and VPC cidr
# allow egress to public internet, this enables updates and package installs # this will require users to figure out how to update and install packages without public internet access
# the server will be able to initiate connections to anywhere # the server will only be able to egress to specified ip, or any server on a subnet within the VPC internal CIDR
# only specified ip and cidr can initiate connections to the server # specified ip can be outside the vpc, the cidr must be inside the vpc, and the vpc cidr must match the vpc
# specified ip can be outside the vpc, the cidr must be inside the vpc
specific_ip_ingress = true specific_ip_ingress = true
specific_ip_egress = true specific_ip_egress = true
internal_ingress = true internal_ingress = true
internal_egress = true internal_egress = true
project_ingress = true
project_egress = true
public_ingress = false
public_egress = false
}
egress = {
# allow all ingress and egress, but only from specified ip and vpc cidr
# allow egress to public internet, this enables updates and package installs
# the server will be able to initiate connections to anywhere
# only specified ip and vpc cidr can initiate connections to the server
# specified ip can be outside the vpc, the cidr must be inside the vpc, and the vpc cidr must match the vpc
specific_ip_ingress = true
specific_ip_egress = true
internal_ingress = true
internal_egress = true
project_ingress = true
project_egress = true
public_ingress = false public_ingress = false
public_egress = true public_egress = true
} }
@ -54,6 +76,8 @@ locals {
specific_ip_egress = true specific_ip_egress = true
internal_ingress = true internal_ingress = true
internal_egress = true internal_egress = true
project_ingress = true
project_egress = true
public_ingress = true public_ingress = true
public_egress = true public_egress = true
} }
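Review bot: Setting `project_ingress = true` inside the existing `egress` type (the block following the new `project` block in the third hunk) widens what that type permits: before this commit only the specified ip and `local.cidr` could initiate connections to the server, and after it every host in the VPC CIDR can, which is a behavior change for current users of `egress` rather than the description update the commit message describes. If the widening is intended, it deserves a line in the module docs or changelog; if not, `project_ingress = false` keeps the old exposure while still allowing `project_egress = true`. The same flag is set on `public` in the last hunk, though `public_ingress = true` already makes that moot. The `project` block's comment could also state the consequence directly, e.g. `# every host in the VPC CIDR can reach the server on any port; narrow the VPC or use 'internal' if that is too broad`.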


@ -49,3 +49,11 @@ variable "vpc_id" {
EOT EOT
default = "" default = ""
} }
variable "vpc_cidr" {
type = string
description = <<-EOT
The CIDR of the VPC, used to allow ingress from the VPC to the servers in the security group.
Not necessary if the security group is being found.
EOT
default = ""
}
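Review bot: The description for the new `vpc_cidr` variable only mentions ingress, but the same value is used by the `project_egress` rule in the rules file, so `The CIDR of the VPC, used to allow ingress from and egress to the VPC for the servers in the security group.` would match what the module does. The variable also accepts any string, and a malformed value surfaces only as a provider error at apply time; a `validation` block that accepts the empty default or a syntactically valid CIDR catches it at plan time.
```hcl
variable "vpc_cidr" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.vpc_cidr == "" || can(cidrhost(var.vpc_cidr, 0))
    error_message = "vpc_cidr must be empty or a valid CIDR block (e.g. 10.0.0.0/16)."
  }
}
```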