Merge pull request #24 from Aswin-Vijayan/TEC-56

[TEC-56][Change] - made changes in security groups

Author: techiescamp

environments/dev/alb-asg/main.tf

@@ -14,19 +14,37 @@ module "alb-sg" {
   source                          = "../../../modules/security-group"
   region                          = var.region
   tags                            = var.tags
+  name                            = "${var.environment}-${var.application}"
   environment                     = var.environment
   owner                           = var.owner
   cost_center                     = var.cost_center
   application                     = var.application
+  sg_name                         = var.alb_sg_name
   vpc_id                          = var.vpc_id
-  ingress_from_port               = var.alb_ingress_from_port
-  ingress_to_port                 = var.alb_ingress_to_port
-  ingress_protocol                = var.alb_ingress_protocol
+
+  ingress_cidr_from_port          = var.alb_ingress_cidr_from_port
+  ingress_cidr_to_port            = var.alb_ingress_cidr_to_port
+  ingress_cidr_protocol           = var.ingress_cidr_protocol
   ingress_cidr_block              = var.alb_ingress_cidr_block
-  egress_from_port                = var.alb_egress_from_port
-  egress_to_port                  = var.alb_egress_to_port
-  egress_protocol                 = var.alb_egress_protocol
+  create_ingress_cidr             = var.alb_create_ingress_cidr
+
+  ingress_sg_from_port            = var.alb_ingress_sg_from_port
+  ingress_sg_to_port              = var.alb_ingress_sg_to_port
+  ingress_sg_protocol             = var.alb_ingress_sg_protocol
+  ingress_security_group_ids      = var.security_group_id
+  create_ingress_sg               = var.alb_create_ingress_sg
+
+  egress_cidr_from_port           = var.alb_egress_cidr_from_port
+  egress_cidr_to_port             = var.alb_egress_cidr_to_port
+  egress_cidr_protocol            = var.alb_egress_cidr_protocol
   egress_cidr_block               = var.alb_egress_cidr_block
+  create_egress_cidr              = var.alb_create_egress_cidr
+
+  egress_sg_from_port             = var.alb_egress_sg_from_port
+  egress_sg_to_port               = var.alb_egress_sg_to_port
+  egress_sg_protocol              = var.alb_egress_sg_protocol
+  egress_security_group_ids       = var.security_group_id
+  create_egress_sg                = var.alb_create_egress_sg
 }
 
 module "alb" {
@@ -57,17 +75,46 @@ module "alb" {
   security_group_ids              = module.alb-sg.security_group_ids
 }
 
+module "instance-sg" {
+  source                          = "../../../modules/security-group"
+  region                          = var.region
+  tags                            = var.tags
+  name                            = "${var.environment}-${var.application}"
+  environment                     = var.environment
+  owner                           = var.owner
+  cost_center                     = var.cost_center
+  application                     = var.application
+  sg_name                         = var.sg_name
+  vpc_id                          = var.vpc_id
+
+  ingress_cidr_from_port          = var.ingress_cidr_from_port
+  ingress_cidr_to_port            = var.ingress_cidr_to_port
+  ingress_cidr_protocol           = var.ingress_cidr_protocol
+  ingress_cidr_block              = var.ingress_cidr_block
+  create_ingress_cidr             = var.create_ingress_cidr
+
+  ingress_sg_from_port            = var.ingress_sg_from_port
+  ingress_sg_to_port              = var.ingress_sg_to_port
+  ingress_sg_protocol             = var.ingress_sg_protocol
+  ingress_security_group_ids      = module.alb-sg.security_group_ids
+  create_ingress_sg               = var.create_ingress_sg
+
+  egress_cidr_from_port           = var.egress_cidr_from_port
+  egress_cidr_to_port             = var.egress_cidr_to_port
+  egress_cidr_protocol            = var.egress_cidr_protocol
+  egress_cidr_block               = var.egress_cidr_block
+  create_egress_cidr              = var.create_egress_cidr
+
+  egress_sg_from_port             = var.egress_sg_from_port
+  egress_sg_to_port               = var.egress_sg_to_port
+  egress_sg_protocol              = var.egress_sg_protocol
+  egress_security_group_ids       = module.alb-sg.security_group_ids
+  create_egress_sg                = var.create_egress_sg
+}
+
 module "asg" {
   source                          = "../../../modules/asg"
   ami_id                          = var.ami_id
-  ingress_from_port               = var.ingress_from_port
-  ingress_to_port                 = var.ingress_to_port
-  ingress_protocol                = var.ingress_protocol
-  ingress_cidr_block              = var.ingress_cidr_block
-  egress_from_port                = var.egress_from_port
-  egress_to_port                  = var.egress_to_port
-  egress_protocol                 = var.egress_protocol
-  egress_cidr_block               = var.egress_cidr_block
   instance_type                   = var.instance_type
   key_name                        = var.key_name
   vpc_id                          = var.vpc_id
@@ -84,7 +131,7 @@ module "asg" {
   application                     = var.application
   alb_target_group_arn            = module.alb.alb_target_group_arn
   iam_role                        = module.iam-policy.iam_role
-  security_group_ids              = module.alb-sg.security_group_ids
+  security_group_ids              = module.instance-sg.security_group_ids
   tags = {
     Owner                         = "${var.owner}"
     Environment                   = "${var.environment}"

environments/dev/alb-asg/variables.tf

@@ -120,11 +120,6 @@ variable "asg_subnets" {
   type        = list(string)
 }
 
-variable "security_group_ids" {
-  type        = list(string)
-  description = "Security group id of the ec2 instance"
-}
-
 variable "public_access" {
   description = "Whether the instance is public or not"
   type        = bool
@@ -175,83 +170,198 @@ variable "application" {
   description = "Name of the application"
 }
 
+variable "security_group_id" {
+  description = "List of security group IDs to attach"
+  type        = list(string)
+}
 
 variable "ingress_cidr_block" {
   type        = list(string)
   description = "CIDR blocks for EC2 security group ingress rules"
 }
 
-variable "ingress_from_port" {
+variable "ingress_cidr_from_port" {
   description = "The starting port for ingress rules"
   type        = list(number)
 }
 
-variable "ingress_to_port" {
+variable "ingress_cidr_to_port" {
   description = "The ending port for ingress rules"
   type        = list(number)
 }
 
-variable "ingress_protocol" {
+variable "ingress_cidr_protocol" {
   description = "The protocol for ingress rules"
   type        = list(any)
 }
 
+variable "create_ingress_cidr" {
+  description = "Whether to create the ingress cidr or not"
+  type        = bool
+}
+
+variable "ingress_sg_from_port" {
+  type        = list(number)
+  description = "List of starting ports for sg ingress rules"
+}
+
+variable "ingress_sg_to_port" {
+  type        = list(number)
+  description = "List of ending ports for sg ingress rules"
+}
+
+variable "ingress_sg_protocol" {
+  type        = list(any)
+  description = "List of protocols for sg ingress rules"
+}
+
+variable "create_ingress_sg" {
+  type        = bool
+  description = "Enable or disable Security Groups ingress rules."
+}
+
 variable "egress_cidr_block" {
   type        = list(string)
-  description = "CIDR blocks for EC2 security group egress rules"
+  description = "CIDR blocks for group egress rules"
+}
+
+variable "egress_cidr_from_port" {
+  description = "The starting port for egress rules"
+  type        = list(number)
+}
+
+variable "egress_cidr_to_port" {
+  description = "The ending port for egress rules"
+  type        = list(number)
+}
+
+variable "egress_cidr_protocol" {
+  description = "The protocol for egress rules"
+  type        = list(any)
+}
+
+variable "create_egress_cidr" {
+  type        = bool
+  description = "Enable or disable CIDR block egress rules."
 }
 
-variable "egress_from_port" {
+variable "egress_sg_from_port" {
   description = "The starting port for egress rules"
   type        = list(number)
 }
 
-variable "egress_to_port" {
+variable "egress_sg_to_port" {
   description = "The ending port for egress rules"
   type        = list(number)
 }
 
-variable "egress_protocol" {
+variable "egress_sg_protocol" {
   description = "The protocol for egress rules"
   type        = list(any)
 }
 
+variable "create_egress_sg" {
+  type        = bool
+  description = "Enable or disable CIDR block egress rules."
+}
+
+
 variable "alb_ingress_cidr_block" {
   type        = list(string)
   description = "CIDR blocks for EC2 security group ingress rules"
 }
 
-variable "alb_ingress_from_port" {
+variable "alb_ingress_cidr_from_port" {
   description = "The starting port for ingress rules"
   type        = list(number)
 }
 
-variable "alb_ingress_to_port" {
+variable "alb_ingress_cidr_to_port" {
   description = "The ending port for ingress rules"
   type        = list(number)
 }
 
-variable "alb_ingress_protocol" {
+variable "alb_ingress_cidr_protocol" {
   description = "The protocol for ingress rules"
   type        = list(any)
 }
 
+variable "alb_create_ingress_cidr" {
+  description = "Whether to create the ingress cidr or not"
+  type        = bool
+}
+
+variable "alb_ingress_sg_from_port" {
+  type        = list(number)
+  description = "List of starting ports for sg ingress rules of the EC2 security group."
+}
+
+variable "alb_ingress_sg_to_port" {
+  type        = list(number)
+  description = "List of ending ports for sg ingress rules of the EC2 security group."
+}
+
+variable "alb_ingress_sg_protocol" {
+  type        = list(any)
+  description = "List of protocols for sg ingress rules of the EC2 security group."
+}
+
+variable "alb_create_ingress_sg" {
+  type        = bool
+  description = "Enable or disable Security Groups ingress rules."
+}
+
 variable "alb_egress_cidr_block" {
   type        = list(string)
   description = "CIDR blocks for EC2 security group egress rules"
 }
 
-variable "alb_egress_from_port" {
+variable "alb_egress_cidr_from_port" {
   description = "The starting port for egress rules"
   type        = list(number)
 }
 
-variable "alb_egress_to_port" {
+variable "alb_egress_cidr_to_port" {
   description = "The ending port for egress rules"
   type        = list(number)
 }
 
-variable "alb_egress_protocol" {
+variable "alb_egress_cidr_protocol" {
   description = "The protocol for egress rules"
   type        = list(any)
+}
+
+variable "alb_create_egress_cidr" {
+  type        = bool
+  description = "Enable or disable CIDR block egress rules."
+}
+
+variable "alb_egress_sg_from_port" {
+  description = "The starting port for egress rules"
+  type        = list(number)
+}
+
+variable "alb_egress_sg_to_port" {
+  description = "The ending port for egress rules"
+  type        = list(number)
+}
+
+variable "alb_egress_sg_protocol" {
+  description = "The protocol for egress rules"
+  type        = list(any)
+}
+
+variable "alb_create_egress_sg" {
+  type        = bool
+  description = "Enable or disable CIDR block egress rules."
+}
+
+variable "sg_name" {
+  type        = string
+  description = "Name of the security group for the instance."
+}
+
+variable "alb_sg_name" {
+  type        = string
+  description = "Name of the security group for the instance."
 }

modules/asg/main.tf

@@ -5,44 +5,6 @@ locals {
   )
 }
 
-resource "aws_security_group" "instance_sg" {
-  name        = "${var.environment}-${var.application}-instance-sg"
-  description = "Security Group for Instance"
-  vpc_id      = var.vpc_id
-
-  dynamic "ingress" {
-    for_each = toset(range(length(var.ingress_from_port)))
-    content {
-      from_port   = var.ingress_from_port[ingress.key]
-      to_port     = var.ingress_to_port[ingress.key]
-      protocol    = var.ingress_protocol[ingress.key]
-      security_groups = var.security_group_ids
-    }
-  }
-
-  dynamic "egress" {
-    for_each = toset(range(length(var.egress_from_port)))
-    content {
-      from_port   = var.egress_from_port[egress.key]
-      to_port     = var.egress_to_port[egress.key]
-      protocol    = var.egress_protocol[egress.key]
-      cidr_blocks = var.egress_cidr_block
-    }
-  }
-
-  tags = merge(
-    {
-      "Name"        = "${var.environment}-${var.application}-sg"
-      "Environment" = var.environment
-      "Owner"       = var.owner
-      "CostCenter"  = var.cost_center
-      "Application" = var.application
-    },
-    var.tags
-  )
-
-}
-
 resource "aws_iam_instance_profile" "instance_profile" {
   name = "${var.environment}-${var.application}-instance_profile"
 
@@ -61,7 +23,7 @@ resource "aws_launch_template" "application_lt" {
 
   network_interfaces {
     associate_public_ip_address = var.public_access
-    security_groups             = [aws_security_group.instance_sg.id]
+    security_groups             = var.security_group_ids
   }
 
   user_data = base64encode(var.user_data)