added engress rule work flow
harmanjyotkaur committed May 6, 2021
1 parent c113c5f commit ced170a
Showing 6 changed files with 166 additions and 9 deletions.
4 changes: 2 additions & 2 deletions _example/new_security_group/example.tf
Expand Up @@ -25,7 +25,7 @@ module "security_group" {
allowed_ip = ["172.16.0.0/16", "10.0.0.0/16"]
allowed_ipv6 = ["2405:201:5e00:3684:cd17:9397:5734:a167/128"]
allowed_ports = [22, 27017]
security_groups = ["sg-069df50598c864f0e"]
prefix_list_ids = ["pl-6da54004"]
security_groups = ["sg-xxxxxxxx"]
prefix_list_ids = ["pl-xxxxxxxx"]
}

4 changes: 0 additions & 4 deletions _example/new_security_group/outputs.tf
Expand Up @@ -16,7 +16,3 @@ output "vpc_cidr_block_ipv6" {
value = module.vpc.ipv6_cidr_block
description = "VPC IPV4 CIDR Block."
}

output "enable_source_sec_group_rules" {
value = module.security_group.enable_source_sec_group_rules
}
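--- a/_example/new_security_group_with_egress/example.tf
+++ b/_example/new_security_group_with_egress/example.tf
@@ -0,0 +1,40 @@
+provider "aws" {
+region = "eu-west-1"
+}
+
+module "vpc" {
+source = "clouddrove/vpc/aws"
+version = "0.14.0"
+name = "vpc"
+environment = "test"
+label_order = ["name", "environment"]
+cidr_block = "10.0.0.0/16"
+}
+
+module "security_group" {
+source = "../../"
+
+name = "security-group"
+environment = "test"
+label_order = ["name", "environment"]
+
+enable_security_group = true
+vpc_id = module.vpc.vpc_id
+protocol = "tcp"
+description = "Instance default security group (only egress access is allowed)."
+allowed_ip = ["172.16.0.0/16", "10.0.0.0/16"]
+allowed_ipv6 = ["2405:201:5e00:3684:cd17:9397:5734:a167/128"]
+allowed_ports = [22, 27017]
+security_groups = ["sg-xxxxxxxxx"]
+prefix_list_ids = ["pl-6da54004"]
+
+egress_rule = true
+egress_allowed_ip = ["172.16.0.0/16", "10.0.0.0/16"]
+egress_allowed_ports = [22, 27017]
+egress_protocol = "tcp"
+egress_allowed_ipv6 = ["2405:201:5e00:3684:cd17:9397:5734:a167/128"]
+egress_prefix_list_ids = ["pl-xxxxxxxxx"]
+egress_security_groups = ["sg-xxxxxxxxx"]
+
+}
+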
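Review bot: The `description` passed to `module "security_group"` reads `"Instance default security group (only egress access is allowed)."`, yet the same block still sets `allowed_ip`, `allowed_ports = [22, 27017]`, `security_groups` and `prefix_list_ids`, so the example creates ingress rules that its own description says do not exist; either drop the ingress inputs from this egress example or reword it, e.g. `description = "Instance security group (ingress on 22/27017 from listed sources, egress limited by the egress_* inputs)."`. The placeholders are also mixed: `prefix_list_ids = ["pl-6da54004"]` and the specific `/128` IPv6 address look like real, environment-specific identifiers next to `sg-xxxxxxxxx` and `pl-xxxxxxxxx`, while the sibling example in this commit replaces such ids with placeholders; using placeholders throughout keeps account-specific values out of the repository.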
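--- a/_example/new_security_group_with_egress/outputs.tf
+++ b/_example/new_security_group_with_egress/outputs.tf
@@ -0,0 +1,19 @@
+output "tags" {
+value = module.security_group.tags
+description = "A mapping of tags to assign to the resource."
+}
+
+output "security_group_ids" {
+value = module.security_group.security_group_ids
+description = "A mapping of security group ids."
+}
+output "vpc_cidr_block" {
+value = module.vpc.vpc_cidr_block
+description = "VPC IPV4 CIDR Block."
+}
+
+output "vpc_cidr_block_ipv6" {
+value = module.vpc.ipv6_cidr_block
+description = "VPC IPV4 CIDR Block."
+}
+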
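Review bot: `output "vpc_cidr_block_ipv6"` carries the description `"VPC IPV4 CIDR Block."` although its value is `module.vpc.ipv6_cidr_block`, so the generated module docs will label the IPv6 output as IPv4; `description = "VPC IPv6 CIDR Block."` matches what it returns. As a point of style, `output "security_group_ids"` and `output "vpc_cidr_block"` are the only two blocks in the file not separated by a blank line; adding one keeps the layout consistent with the rest of the file.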
62 changes: 60 additions & 2 deletions main.tf
Expand Up @@ -21,6 +21,7 @@ module "labels" {

locals {
sg_existing = var.is_external == true
egress_rule = var.egress_rule == true
id = local.sg_existing ? join("", data.aws_security_group.existing.*.id) : join("", aws_security_group.default.*.id)
security_group_count = var.enable_security_group == true ? 1 : 0
enable_cidr_rules = length(var.allowed_ip) > 0
Expand All @@ -30,6 +31,16 @@ locals {
ports_source_sec_group_product = setproduct(compact(var.allowed_ports), length(var.security_groups) > 0 ? var.security_groups : [""])
ports_source_prefix_product = setproduct(compact(var.allowed_ports), length(var.prefix_list_ids) > 0 ? var.prefix_list_ids : [""])
prefix_list = var.prefix_list_ids

#egress local parameters
enable_source_sec_group_rules_eg = length(var.egress_security_groups) == 0 ? false : true
enable_source_prefix_list_ids_eg = length(var.egress_prefix_list_ids) == 0 ? false : true
enable_cidr_rules_ipv6_eg = length(var.egress_allowed_ipv6) > 0

ports_source_sec_group_product_eg = setproduct(compact(var.egress_allowed_ports), length(var.egress_security_groups) > 0 ? var.egress_security_groups : [""])
ports_source_prefix_product_eg = setproduct(compact(var.egress_allowed_ports), length(var.egress_prefix_list_ids) > 0 ? var.egress_prefix_list_ids : [""])
prefix_list_eg = var.egress_prefix_list_ids

}

#Module : SECURITY GROUP
Expand Down Expand Up @@ -57,7 +68,7 @@ data "aws_security_group" "existing" {
#Description : Provides a security group rule resource. Represents a single egress
# group rule, which can be added to external Security Groups.
resource "aws_security_group_rule" "egress" {
count = (var.enable_security_group == true && local.sg_existing == false) ? 1 : 0
count = (var.enable_security_group == true && local.sg_existing == false && local.egress_rule == false) ? 1 : 0

type = "egress"
from_port = 0
Expand All @@ -67,7 +78,7 @@ resource "aws_security_group_rule" "egress" {
security_group_id = local.id
}
resource "aws_security_group_rule" "egress_ipv6" {
count = (var.enable_security_group == true && local.sg_existing == false) && local.enable_cidr_rules_ipv6 == true ? 1 : 0
count = (var.enable_security_group == true && local.sg_existing == false) && local.egress_rule == false && local.enable_cidr_rules_ipv6 == true ? 1 : 0

type = "egress"
from_port = 0
Expand Down Expand Up @@ -122,3 +133,50 @@ resource "aws_security_group_rule" "ingress_prefix" {
prefix_list_ids = [element(element(local.ports_source_prefix_product, count.index), 1)]
security_group_id = local.id
}

#egress rules configuration

resource "aws_security_group_rule" "egress_ipv4_rule" {
count = local.egress_rule == true ? 1 : 0

type = "egress"
from_port = element(var.egress_allowed_ports, count.index)
to_port = element(var.egress_allowed_ports, count.index)
protocol = var.egress_protocol
cidr_blocks = var.egress_allowed_ip
security_group_id = local.id
}

resource "aws_security_group_rule" "egress_ipv6_rule" {
count = local.egress_rule == true && local.enable_cidr_rules_ipv6_eg == true ? 1 : 0

type = "egress"
from_port = element(var.egress_allowed_ports, count.index)
to_port = element(var.egress_allowed_ports, count.index)
protocol = var.egress_protocol
ipv6_cidr_blocks = var.egress_allowed_ipv6
security_group_id = local.id
prefix_list_ids = var.prefix_list
}

resource "aws_security_group_rule" "egress_sg_rule" {
count = local.egress_rule == true && local.enable_source_sec_group_rules_eg == true ? length(local.ports_source_sec_group_product_eg) : 0

type = "egress"
from_port = element(element(local.ports_source_sec_group_product_eg, count.index), 0)
to_port = element(element(local.ports_source_sec_group_product_eg, count.index), 0)
protocol = var.egress_protocol
source_security_group_id = element(element(local.ports_source_sec_group_product_eg, count.index), 1)
security_group_id = local.id
}

resource "aws_security_group_rule" "egress_prefix_rule" {
count = local.egress_rule == true && local.enable_source_prefix_list_ids_eg == true ? length(local.ports_source_prefix_product) : 0

type = "egress"
from_port = element(element(local.ports_source_prefix_product_eg, count.index), 0)
to_port = element(element(local.ports_source_prefix_product_eg, count.index), 0)
protocol = var.egress_protocol
prefix_list_ids = [element(element(local.ports_source_prefix_product_eg, count.index), 1)]
security_group_id = local.id
}
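Review bot: The `count` of `resource "aws_security_group_rule" "egress_prefix_rule"` is taken from the ingress product `local.ports_source_prefix_product`, while every `element()` inside that block indexes `local.ports_source_prefix_product_eg`, so the number of egress prefix-list rules created follows the ingress configuration rather than the egress one (`element()` wraps, so a longer ingress list silently produces duplicate rules and a shorter one drops egress rules); it should read `count = local.egress_rule == true && local.enable_source_prefix_list_ids_eg == true ? length(local.ports_source_prefix_product_eg) : 0`. In `egress_ipv6_rule`, `prefix_list_ids = var.prefix_list` references a name that is not declared among the variables visible in this commit (the module defines `local.prefix_list` and `local.prefix_list_eg`) and, even if it resolves, attaches the ingress prefix lists to an egress rule; `prefix_list_ids = local.prefix_list_eg`, or dropping the attribute from the IPv6 rule, matches the rule's intent. `egress_ipv4_rule` and `egress_ipv6_rule` create at most one rule each (`count = local.egress_rule == true ? 1 : 0`), so only the first entry of `var.egress_allowed_ports` is ever opened and an empty list makes `element()` fail at plan time, and neither is gated on `var.enable_security_group` like the other rules in this file; `count = local.egress_rule == true && var.enable_security_group == true ? length(var.egress_allowed_ports) : 0` (with the IPv6 condition appended for the second rule) keeps them consistent with the rest of the module.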
46 changes: 45 additions & 1 deletion variables.tf
Expand Up @@ -115,5 +115,49 @@ variable "prefix_list_ids" {
type = list(string)
default = []
description = "Provide allow source Prefix id of resources"
}

##########################33
# egress Rules parameters

variable "egress_rule" {
type = bool
default = false
description = "Enable to create egress rule"
}

variable "egress_allowed_ports" {
type = list(any)
default = []
description = "List of allowed ingress ports"
}

}
variable "egress_allowed_ip" {
type = list(any)
default = []
description = "List of allowed ip."
}

variable "egress_protocol" {
type = string
default = "tcp"
description = "The protocol. If not icmp, tcp, udp, or all use the."
}

variable "egress_security_groups" {
type = list(string)
default = []
description = "List of Security Group IDs allowed to connect to the instance."
}

variable "egress_allowed_ipv6" {
type = list(any)
default = []
description = "List of allowed ipv6."
}

variable "egress_prefix_list_ids" {
type = list(any)
default = []
description = "List of prefix list IDs (for allowing access to VPC endpoints)Only valid with egress"
}

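Review bot: The lone `}` between the `egress_allowed_ports` and `egress_allowed_ip` blocks is a stray closing brace: whichever side the `}` that follows `variable "prefix_list_ids"` ends up on, the new side of this hunk either has an unmatched brace or leaves `prefix_list_ids` open across the new `variable` blocks, and neither is valid HCL, so `terraform validate` would reject the file; delete that line and keep `}` as the close of `prefix_list_ids`. The description of `egress_allowed_ports` still says `"List of allowed ingress ports"`, which misstates the direction these ports open; `description = "List of allowed egress ports."` matches the variable. The `egress_protocol` description is a truncated sentence (`"The protocol. If not icmp, tcp, udp, or all use the."`) and the banner `##########################33` carries stray characters; `description = "The protocol for the egress rules (tcp, udp, icmp, or -1 for all)."` and a plain `#` banner would read cleanly in the generated docs.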