AWS Security Group

The module creates AWS Security Group and Rules setup.

NOTE: This module is meant to be used with an already created VPC.

NOTE Rules for Security Group are passed as a list of objects (where each object is defining different options for single rule). Parameters of each object are equal to the parameters of Security Group Rules in the corresponding AWS Terraform provider resource, so you can define ingress or egress rules, per IP blocks (CIDRs) or per Security Group attachments, etc.

€50

BUY

674

License

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

hashicorp/aws

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_aws_security_group" {
  source  = "solutions.corewide.com/aws/tf-aws-security-group/aws"
  version = "~> 2.0.0"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 2.0 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "2.0.0"

v2.0.0 released 8 months, 4 weeks ago

New version approx. every 30 weeks

Upgrade Notes

Changelog

Module from v2.0 has changed AWS provider version which isn't compatible with an old version. After the module version is upgraded, re-init module to upgrade AWS provider version.

From `v1.x` to `v2.x`

Upgrade AWS provider version on project level to ~> 5.0:

 hclrequired_providers {
  aws = {
    source  = "hashicorp/aws"
    version = "~> 5.0"
  }
}

Upgrade project dependencies:

 bashterraform init --upgrade

Create a security group with a rule for inbound traffic to SSH port and outbound traffic to all ports:

 hclmodule "sg" {
  source  = "solutions.corewide.com/aws/tf-aws-security-group/aws"
  version = "~> 2.0"

  name        = "ssh"
  vpc_id      = module.vpc.id
  description = "Security group to allow ssh connections"

  rules = [
    {
      id          = "ssh"
      type        = "ingress"
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      description = "Allow all SSH (you better not use that rule in real case)"

      cidr_blocks = [
        "0.0.0.0/0",
      ]

      ipv6_cidr_blocks = [
        "::/0",
      ]
    },
    {
      id          = "outbound"
      type        = "egress"
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      description = "Allow all outbound traffic"

      cidr_blocks = [
        "0.0.0.0/0",
      ]

      ipv6_cidr_blocks = [
        "::/0",
      ]
    },
  ]

  tags = {
    Project = "Application"
  }
}

Variable	Description	Type	Default	Required	Sensitive
`description`	Description for Security Group	`string`		yes	no
`name`	Name of Security Group	`string`		yes	no
`vpc_id`	The ID of VPC to create Security Group in	`string`		yes	no
`rules`	A set of Security Group Rules	`set(object)`	`[]`	no	no
`rules.cidr_blocks`	List of CIDR blocks. Cannot be specified with `source_security_group_id` or `self`	`list(string)`	`[]`	no	no
`rules.description`	Security Group rule description	`string`		no	no
`rules.from_port`	Start port (or ICMP type number if protocol is `icmp` or `icmpv6`)	`number`		yes	no
`rules.id`	The Rule ID (unique within SG)	`string`		yes	no
`rules.ipv6_cidr_blocks`	List of IPv6 CIDR blocks. Cannot be specified with `source_security_group_id` or `self`	`list(string)`	`[]`	no	no
`rules.protocol`	Protocol. If not `icmp`, `icmpv6`, `tcp`, `udp`, or all use the protocol number	`string`		yes	no
`rules.self`	Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with `cidr_blocks`, `ipv6_cidr_blocks`, or `source_security_group_id`	`bool`		no	no
`rules.source_security_group_id`	Security group id to allow access to/from, depending on the `type`. Cannot be specified with `cidr_blocks`, `ipv6_cidr_blocks`, or `self`	`string`		no	no
`rules.to_port`	End port (or ICMP code if protocol is `icmp`)	`number`		yes	no
`rules.type`	Type of rule being created. Valid options are `ingress` (inbound) or `egress` (outbound)	`string`		yes	no
`tags`	A map of tags to assign to Security Group	`map(string)`		no	no