#------------------------------------------------------------------------------
# SECURITY GROUPS - Open a list of Ports to allow connections to Nomad and Consul Instances
#------------------------------------------------------------------------------
## Security group attached to the Nomad/Consul instances. It carries no
## inline rules; every ingress/egress rule is a separate
## aws_security_group_rule resource further down in this file.
resource "aws_security_group" "instances_security_group" {
  vpc_id      = var.vpc_id
  name        = "instances_security_group"
  description = "Open ports on instances"

  tags = {
    Name = "${var.names_prefix}_instances_security_group"
  }
}
## Intra-group traffic: any member of instances_security_group may reach any
## other member on every port and protocol (self = true, protocol "-1").
resource "aws_security_group_rule" "instances_security_group_allow_ingress_self" {
  depends_on = [aws_security_group.instances_security_group]

  security_group_id = aws_security_group.instances_security_group.id
  type              = "ingress"
  self              = true

  # "-1" is the AWS wildcard protocol; ports are ignored for it, hence 0/0.
  protocol  = "-1"
  from_port = 0
  to_port   = 0
}
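## Allow all traffic from every subnet the instances are deployed in.
## One rule per subnet: the CIDR is selected with count.index so that each
## instance of this resource carries exactly one subnet CIDR. Passing the
## whole splat list on every instance would create N identical rules, which
## AWS rejects (InvalidPermission.Duplicate) as soon as there is more than
## one subnet.
resource "aws_security_group_rule" "instances_security_group_allow_ingress_subnets" {
  depends_on        = [aws_security_group.instances_security_group]
  count             = length(data.aws_subnet.subnets.*.cidr_block)
  description       = "All traffic from VPC subnet"
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [data.aws_subnet.subnets[count.index].cidr_block]
  security_group_id = aws_security_group.instances_security_group.id
}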
## One TCP ingress rule per entry of var.tcp_ports_to_open_on_instances_security_group.
## The source side is var.cidrs_to_open_ports_on_security_groups and nothing
## else, so a 0.0.0.0/0 entry in that list makes every listed port reachable
## from the Internet; keep it to trusted ranges.
resource "aws_security_group_rule" "instances_security_group_allow_ingress_open_tcp_ports" {
  depends_on = [aws_security_group.instances_security_group]
  count      = length(var.tcp_ports_to_open_on_instances_security_group)

  security_group_id = aws_security_group.instances_security_group.id
  type              = "ingress"
  protocol          = "tcp"
  cidr_blocks       = var.cidrs_to_open_ports_on_security_groups

  # Single-port rule: count.index is always < length(list), so direct
  # indexing is equivalent to element().
  from_port = var.tcp_ports_to_open_on_instances_security_group[count.index]
  to_port   = var.tcp_ports_to_open_on_instances_security_group[count.index]
}
## One UDP ingress rule per entry of var.udp_ports_to_open_on_instances_security_group.
## Same source restriction as the TCP rule: only
## var.cidrs_to_open_ports_on_security_groups limits who can reach these ports.
resource "aws_security_group_rule" "instances_security_group_allow_ingress_open_udp_ports" {
  depends_on = [aws_security_group.instances_security_group]
  count      = length(var.udp_ports_to_open_on_instances_security_group)

  security_group_id = aws_security_group.instances_security_group.id
  type              = "ingress"
  protocol          = "udp"
  cidr_blocks       = var.cidrs_to_open_ports_on_security_groups

  # Single-port rule; direct indexing is equivalent to element() here.
  from_port = var.udp_ports_to_open_on_instances_security_group[count.index]
  to_port   = var.udp_ports_to_open_on_instances_security_group[count.index]
}
## Unrestricted egress: instances may open connections to any destination
## on any protocol. Tighten cidr_blocks/protocol here if the instances must
## not reach arbitrary Internet hosts.
resource "aws_security_group_rule" "instances_security_group_allow_egress_traffic" {
  depends_on = [aws_security_group.instances_security_group]

  security_group_id = aws_security_group.instances_security_group.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]

  protocol  = "-1"
  from_port = 0
  to_port   = 0
}
#------------------------------------------------------------------------------
# SECURITY GROUPS - Open 22, 80 and 443 ports to allow connections on Load Balancers
#------------------------------------------------------------------------------
## Security group for the load balancers. Rules live in the
## aws_security_group_rule resources that follow.
resource "aws_security_group" "elb_security_group" {
  vpc_id      = var.vpc_id
  name        = "elb_security_group"
  description = "Open ports on Load Balanacers"

  tags = {
    Name = "${var.names_prefix}_elb_security_group"
  }
}
## One TCP ingress rule per entry of var.ports_to_open_on_elb_security_group,
## sourced from all subnet CIDRs of the VPC (internal callers only).
resource "aws_security_group_rule" "elb_security_group_allow_ingress_open_ports_vpc" {
  depends_on = [aws_security_group.elb_security_group]
  count      = length(var.ports_to_open_on_elb_security_group)

  security_group_id = aws_security_group.elb_security_group.id
  type              = "ingress"
  protocol          = "tcp"
  cidr_blocks       = data.aws_subnet.subnets.*.cidr_block

  # Single-port rule; direct indexing is equivalent to element() here.
  from_port = var.ports_to_open_on_elb_security_group[count.index]
  to_port   = var.ports_to_open_on_elb_security_group[count.index]
}
## Same ports as the VPC rule above, but sourced from
## var.cidrs_to_open_ports_on_security_groups (presumably VPN/office ranges —
## confirm against the variable's value). A 0.0.0.0/0 entry there exposes the
## load balancer ports to the whole Internet. Note that a CIDR present in
## both this list and the subnet CIDRs would collide with the VPC rule.
resource "aws_security_group_rule" "elb_security_group_allow_ingress_open_ports_vpn" {
  depends_on = [aws_security_group.elb_security_group]
  count      = length(var.ports_to_open_on_elb_security_group)

  security_group_id = aws_security_group.elb_security_group.id
  type              = "ingress"
  protocol          = "tcp"
  cidr_blocks       = var.cidrs_to_open_ports_on_security_groups

  # Single-port rule; direct indexing is equivalent to element() here.
  from_port = var.ports_to_open_on_elb_security_group[count.index]
  to_port   = var.ports_to_open_on_elb_security_group[count.index]
}
## Unrestricted egress from the load balancers (any destination, any
## protocol). Restrict to the instances' security group or subnets if the
## balancers should only ever talk to their targets.
resource "aws_security_group_rule" "elb_security_group_allow_egress_traffic" {
  depends_on = [aws_security_group.elb_security_group]

  security_group_id = aws_security_group.elb_security_group.id
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]

  protocol  = "-1"
  from_port = 0
  to_port   = 0
}