Merge pull request #1 from solutionDrive/add-terraform-module

added existing module and updated the README.md so no internal stuff …
solutionDrive · Apr 25, 2019 · 218ca96 · 218ca96
2 parents 0d269a9 + b6fc1c3
commit 218ca96
Show file tree

Hide file tree

Showing 5 changed files with 404 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+/.idea
diff --git a/README.md b/README.md
@@ -1,2 +1,112 @@
 # terraform-security-group
-Terraform-Module for creating security-groups
+Terraform-Module for creating security-groups for terraform v0.11.x.
+In future releases of terraform a lot of this hopefully won't be necessary anymore.
+
+Till then, we hope this module can help others out there.
+Good Luck!
+
+### Input Parameters
+
+see variables.tf
+
+**__caution!!__**
+Due to terraform the following is absolutley important
+To be able to generate security_groups with a dynamic amount of ingress/egress rules some tripwires should be known
+1. each Port defined in one of the *_rules-variables will lead to a new rule for this port
+2. for each Port a protocol has to be defined, even if they are all the same
+3. in cidr_based rules, it is possible to define multiple cidr-blocks per rule. In this case the Delimiter for 2 rules is '~~~' 
+
+
+### Output Parameters
++ security_group_id: The ID of the created security-group
+
+### Example
+```hcl-terraform
+module "security_group_webserver" {
+  source = "git::ssh://[email protected]:solutionDrive/terraform-security-group.git"
+    # Basic stuff
+    profile = "Name of AWS Profile to use"
+    name = "name_of_your_security_group"
+    description = "desctiption of your security group"
+    vpc_id = "${var.vpc_id}"
+  
+    # cidr-rules related stuff
+    cidr_ingress_rules = {
+      "ports"  = "80~~~443~~~22"
+      "protocols" = "tcp~~~tcp~~~tcp"
+      "cidr_blocks" = "your.ip.address.here/32,your.second.ip.address/32~~~your.ip.address.here/32,your.second.ip.address/32~~~0.0.0.0/0"
+      "descriptions" = "your-description-here,somebody-elses-desciption~~~still-your-description-here,still-somebody-elses-desciption~~~the evil rest"
+    }
+    cidr_ingress_rules_count = 3 # This count has to equal the amount of Ports defined in <cidr_ingress_rules>
+    
+    # security_group related stuff
+    security_group_ingress_rules = {
+      "ports" = "6379"
+      "protocols" = "tcp"
+      "source_security_groups" = "self"
+      "descriptions" = "That is me"
+    }
+    security_group_ingress_rules_count = 1 # This count has to equal the amount of Ports defined in <security_group_ingress_rules>
+    
+    provider_region = "${var.default_region}"
+    account_id = "${var.oxid_dev_account_id}" # to be able to assume Roles from a specific account
+}
+```
+
+##### Example Output
+```bash
++ module.security_group_webserver.aws_security_group.security_group
+    description: "desctiption of your security group"
+    egress.#:    "<computed>"
+    ingress.#:   "<computed>"
+    name:        "name_of_your_security_group"
+    owner_id:    "<computed>"
+    tags.%:      "1"
+    tags.Name:   "name_of_your_security_group"
+    vpc_id:      "${var.vpc_id}"
+
++ module.security_group_webserver.aws_security_group_rule.cidr_ingress_rule.0
+    cidr_blocks.#:            "2"
+    cidr_blocks.0:            "your.ip.address.here/32"
+    cidr_blocks.1:            "your.second.ip.address/32"
+    from_port:                "80"
+    protocol:                 "tcp"
+    security_group_id:        "${aws_security_group.security_group.id}"
+    self:                     "false"
+    source_security_group_id: "<computed>"
+    to_port:                  "80"
+    type:                     "ingress"
+
++ module.security_group_webserver.aws_security_group_rule.cidr_ingress_rule.1
+    cidr_blocks.#:            "2"
+    cidr_blocks.0:            "your.ip.address.here/32"
+    cidr_blocks.1:            "your.second.ip.address/32"
+    from_port:                "443"
+    protocol:                 "tcp"
+    security_group_id:        "${aws_security_group.security_group.id}"
+    self:                     "false"
+    source_security_group_id: "<computed>"
+    to_port:                  "443"
+    type:                     "ingress"
+
++ module.security_group_webserver.aws_security_group_rule.cidr_ingress_rule.2
+    cidr_blocks.#:            "1"
+    cidr_blocks.0:            "0.0.0.0/0"
+    from_port:                "22"
+    protocol:                 "tcp"
+    security_group_id:        "${aws_security_group.security_group.id}"
+    self:                     "false"
+    source_security_group_id: "<computed>"
+    to_port:                  "22"
+    type:                     "ingress"
+
++ module.security_group_webserver.aws_security_group_rule.sg_ingress_rule
+    from_port:                "6379"
+    protocol:                 "tcp"
+    security_group_id:        "${aws_security_group.security_group.id}"
+    self:                     "false"
+    source_security_group_id: "${element(split(\",\", var.security_group_ingress_rules[\"source_security_groups\"]), count.index) == \"self\" ? aws_security_group.security_group.id : element(split(\",\", var.security_group_ingress_rules[\"source_security_groups\"]), count.index)}"
+    to_port:                  "6379"
+    type:                     "ingress"
+
+```
diff --git a/main.tf b/main.tf
@@ -0,0 +1,147 @@
+provider "aws" {
+  alias = "module"
+  region = "${var.provider_region}"
+  profile = "${var.profile}"
+  assume_role {
+    role_arn = "${var.assume_role_arn}"
+  }
+}
+
+resource "aws_security_group" "security_group" {
+  provider = "aws.module"
+  name = "${var.name}"
+  description = "${var.description}"
+  vpc_id = "${var.vpc_id}"
+  tags = "${merge(var.custom_tags, map("Name", var.name))}"
+}
+
+##### IPv4 #####
+#
+# Iterates over all given ingress rules and uses some build-in terraform functionality to create all
+# Ingress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+
+resource "aws_security_group_rule" "cidr_ingress_rule" {
+  provider = "aws.module"
+  type = "ingress"
+
+  count = "${var.cidr_ipv4_ingress_rules_count}"
+  security_group_id = "${aws_security_group.security_group.id}"
+
+  from_port = "${element(split("~~~", var.cidr_ipv4_ingress_rules["ports"]), count.index)}"
+  to_port = "${element(split("~~~", var.cidr_ipv4_ingress_rules["ports"]), count.index)}"
+  protocol = "${element(split("~~~", var.cidr_ipv4_ingress_rules["protocols"]), count.index)}"
+
+  cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv4_ingress_rules["cidr_blocks"]), count.index))}"
+
+  description = "${element(split(",", element(split("~~~", var.cidr_ipv4_ingress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+#
+# Iterates over all given egress rules and uses some build-in terraform functionality to create all
+# Egress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "cidr_egress_rule" {
+  provider = "aws.module"
+  type = "egress"
+
+  count = "${var.cidr_ipv4_egress_rules_count}"
+  security_group_id = "${aws_security_group.security_group.id}"
+
+  from_port = "${element(split("~~~", var.cidr_ipv4_egress_rules["ports"]), count.index)}"
+  to_port = "${element(split("~~~", var.cidr_ipv4_egress_rules["ports"]), count.index)}"
+  protocol = "${element(split("~~~", var.cidr_ipv4_egress_rules["protocols"]), count.index)}"
+
+  cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv4_egress_rules["cidr_blocks"]), count.index))}"
+
+  description = "${element(split(",", element(split("~~~", var.cidr_ipv4_egress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+##### IPv6 #####
+#
+# Iterates over all given ipv6 ingress rules and uses some build-in terraform functionality to create all
+# Ingress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+
+resource "aws_security_group_rule" "cidr_ipv6_ingress_rule" {
+  provider = "aws.module"
+  type = "ingress"
+
+  count = "${var.cidr_ipv6_ingress_rules_count}"
+  security_group_id = "${aws_security_group.security_group.id}"
+
+  from_port = "${element(split("~~~", var.cidr_ipv6_ingress_rules["ports"]), count.index)}"
+  to_port = "${element(split("~~~", var.cidr_ipv6_ingress_rules["ports"]), count.index)}"
+  protocol = "${element(split("~~~", var.cidr_ipv6_ingress_rules["protocols"]), count.index)}"
+
+  ipv6_cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv6_ingress_rules["ipv6_cidr_blocks"]), count.index))}"
+
+  description = "${element(split(",", element(split("~~~", var.cidr_ipv6_ingress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+#
+# Iterates over all given ipv6 egress rules and uses some build-in terraform functionality to create all
+# Egress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "cidr_ipv6_egress_rule" {
+  provider = "aws.module"
+  type = "egress"
+
+  count = "${var.cidr_ipv6_egress_rules_count}"
+  security_group_id = "${aws_security_group.security_group.id}"
+
+  from_port = "${element(split("~~~", var.cidr_ipv6_egress_rules["ports"]), count.index)}"
+  to_port = "${element(split("~~~", var.cidr_ipv6_egress_rules["ports"]), count.index)}"
+  protocol = "${element(split("~~~", var.cidr_ipv6_egress_rules["protocols"]), count.index)}"
+
+  ipv6_cidr_blocks = "${split(",", element(split("~~~", var.cidr_ipv6_egress_rules["ipv6_cidr_blocks"]), count.index))}"
+
+  description = "${element(split(",", element(split("~~~", var.cidr_ipv6_egress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+##### SecurityGroups #####
+#
+# Iterates over all given ingress rules and uses some build-in terraform functionality to create all
+# Ingress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "sg_ingress_rule" {
+  provider = "aws.module"
+  type = "ingress"
+
+  count = "${var.security_group_ingress_rules_count}"
+  security_group_id = "${aws_security_group.security_group.id}"
+
+  from_port = "${element(split("~~~", var.security_group_ingress_rules["ports"]), count.index)}"
+  to_port = "${element(split("~~~", var.security_group_ingress_rules["ports"]), count.index)}"
+  protocol = "${element(split("~~~", var.security_group_ingress_rules["protocols"]), count.index)}"
+
+  source_security_group_id = "${element(split("~~~", var.security_group_ingress_rules["source_security_groups"]), count.index) == "self" ? aws_security_group.security_group.id : element(split("~~~", var.security_group_ingress_rules["source_security_groups"]), count.index)}"
+
+  description = "${element(split(",", element(split("~~~", var.security_group_ingress_rules["descriptions"]), count.index)), count.index)}"
+}
+
+#
+# Iterates over all given egress rules and uses some build-in terraform functionality to create all
+# Egress-Rules.
+# see (https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9)
+#
+resource "aws_security_group_rule" "sg_egress_rule" {
+  provider = "aws.module"
+  type = "egress"
+
+  count = "${var.security_group_egress_rules_count}"
+  security_group_id = "${aws_security_group.security_group.id}"
+
+  from_port = "${element(split("~~~", var.security_group_egress_rules["ports"]), count.index)}"
+  to_port = "${element(split("~~~", var.security_group_egress_rules["ports"]), count.index)}"
+  protocol = "${element(split("~~~", var.security_group_egress_rules["protocols"]), count.index)}"
+
+  source_security_group_id = "${element(split("~~~", var.security_group_egress_rules["source_security_groups"]), count.index) == "self" ? aws_security_group.security_group.id : element(split("~~~", var.security_group_egress_rules["source_security_groups"]), count.index)}"
+
+  description = "${element(split(",", element(split("~~~", var.security_group_egress_rules["descriptions"]), count.index)), count.index)}"
+}
diff --git a/output.tf b/output.tf
@@ -0,0 +1,4 @@
+output "security_group_id" {
+  value = "${aws_security_group.security_group.id}"
+}
+