Initial commit

.gitignore

@@ -0,0 +1,4 @@
+.terraform
+terraform.tfstate
+*.tfstate*
+terraform.tfvars

LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -0,0 +1,85 @@
+AWS EC2-VPC Security Group Terraform module
+===========================================
+
+Terraform module which creates [EC2 security group within VPC](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) on AWS.
+
+These types of resources are supported:
+
+* [EC2-VPC Security Group](https://www.terraform.io/docs/providers/aws/r/security_group.html)
+* [EC2-VPC Security Group Rules](https://www.terraform.io/docs/providers/aws/r/security_group_rule.html)
+
+Root module creates security group with provided arguments.
+
+Modules in [modules directory](modules) has been configured with the list of ingress (inbound) and egress (outbound) ports open for common scenarios (eg, [ssh](modules/ssh), [http](modules/http), [mysql](modules/mysql)).
+
+Code in this module aims to implement **ALL** combinations of arguments (IPV4/IPV6 CIDR blocks, [VPC endpoint prefix lists](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html), source security groups, self), named rules.
+
+If there is something missing - [open an issue](https://github.com/terraform-aws-modules/terraform-aws-security-group/issues/new).
+
+Usage
+-----
+
+There are two ways to create security groups using this module:
+
+##### 1. Security group with pre-defined rules
+
+```hcl
+module "web_server_sg" {
+  source = "terraform-aws-modules/security-group/aws//modules/http"
+
+  name        = "web-server"
+  description = "Security group for web-server with HTTP ports open within VPC"
+  vpc_id      = "vpc-12345678"
+
+  ingress_cidr_blocks = ["10.10.0.0/16"]
+}
+```
+
+##### 2. Security group with custom rules
+
+```hcl
+module "vote_service_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
+  name        = "user-service"
+  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
+  vpc_id      = "vpc-12345678"
+
+  ingress_cidr_blocks      = ["10.10.0.0/16"]
+  ingress_rules            = ["mysql"]
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 8080
+      to_port     = 8090
+      protocol    = 6
+      description = "User-service ports"
+      cidr_blocks = "10.10.0.0/16"
+    },
+    {
+      rule        = "postgres"
+      cidr_blocks = "0.0.0.0/0"
+    },
+  ]
+}
+```
+
+Parameters
+----------
+
+Ingress and egress rules can be configured in a variety of ways as listed on [the registry](https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws/?tab=inputs).
+
+Examples
+--------
+
+* [Complete Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/complete)
+* [HTTP Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/http)
+
+Authors
+-------
+
+Module managed by [Anton Babenko](https://github.com/antonbabenko).
+
+License
+-------
+
+Apache 2 Licensed. See LICENSE for full details.

examples/complete/README.md

@@ -0,0 +1,19 @@
+Complete Security Group example
+===============================
+
+Configuration in this directory creates set of Security Group and Security Group Rules resources in various combination.
+
+Data sources are used to discover existing VPC resources (VPC and default security group).
+
+Usage
+=====
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.

examples/complete/main.tf

@@ -0,0 +1,157 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+#############################################################
+# Data sources to get VPC and default security group details
+#############################################################
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = "${data.aws_vpc.default.id}"
+}
+
+################################################
+# Security group with complete set of arguments
+################################################
+module "complete_sg" {
+  source = "../../"
+
+  name        = "complete-sg"
+  description = "Security group with all available arguments set (this is just an example)"
+  vpc_id      = "${data.aws_vpc.default.id}"
+
+  tags = {
+    Cash       = "king"
+    Department = "kingdom"
+  }
+
+  # Default CIDR blocks, which will be used for all ingress rules in this module. Typically these are CIDR blocks of the VPC.
+  # If this is not specified then world-open CIDR blocks are used.
+  ingress_cidr_blocks = ["10.10.0.0/16"]
+
+  ingress_ipv6_cidr_blocks = ["2001:db8::/64"]
+
+  # Prefix list ids to use in all ingress rules in this module.
+  # ingress_prefix_list_ids = ["pl-123456"]
+
+  # Open for all CIDRs defined in ingress_cidr_blocks
+  ingress_rules = ["http"]
+  # Open to CIDRs blocks (rule or from_port+to_port+protocol+description)
+  ingress_with_cidr_blocks = [
+    {
+      rule             = "postgres"
+      cidr_blocks      = "0.0.0.0/0,2.2.2.2/32"
+      ipv6_cidr_blocks = "2001:db8::/60"
+    },
+    {
+      rule        = "postgres"
+      cidr_blocks = "30.30.30.30/32"
+    },
+    {
+      from_port   = 10
+      to_port     = 20
+      protocol    = 6
+      description = "Service name"
+      cidr_blocks = "10.10.0.0/20"
+    },
+  ]
+  # Open for security group id (rule or from_port+to_port+protocol+description)
+  ingress_with_source_security_group_id = [
+    {
+      rule                     = "mysql"
+      source_security_group_id = "${data.aws_security_group.default.id}"
+    },
+    {
+      from_port                = 10
+      to_port                  = 10
+      protocol                 = 6
+      description              = "Service name"
+      source_security_group_id = "${data.aws_security_group.default.id}"
+    },
+  ]
+  # Open for self (rule or from_port+to_port+protocol+description)
+  ingress_with_self = [
+    {
+      rule = "all-all"
+    },
+    {
+      from_port   = 30
+      to_port     = 40
+      protocol    = 6
+      description = "Service name"
+      self        = true
+    },
+    {
+      from_port = 41
+      to_port   = 51
+      protocol  = 6
+      self      = false
+    },
+  ]
+  # Default CIDR blocks, which will be used for all egress rules in this module. Typically these are CIDR blocks of the VPC.
+  # If this is not specified then world-open CIDR blocks are used.
+  egress_cidr_blocks = ["10.10.0.0/16"]
+  egress_ipv6_cidr_blocks = ["2001:db8::/64"]
+
+  # Prefix list ids to use in all egress rules in this module.
+  # egress_prefix_list_ids = ["pl-123456"]
+
+  # Open for all CIDRs defined in egress_cidr_blocks
+  egress_rules = ["http"]
+  # Open to CIDRs blocks (rule or from_port+to_port+protocol+description)
+  egress_with_cidr_blocks = [
+    {
+      rule             = "postgres"
+      cidr_blocks      = "0.0.0.0/0,2.2.2.2/32"
+      ipv6_cidr_blocks = "2001:db8::/60"
+    },
+    {
+      rule        = "postgres"
+      cidr_blocks = "30.30.30.30/32"
+    },
+    {
+      from_port   = 10
+      to_port     = 20
+      protocol    = 6
+      description = "Service name"
+      cidr_blocks = "10.10.0.0/20"
+    },
+  ]
+  # Open for security group id (rule or from_port+to_port+protocol+description)
+  egress_with_source_security_group_id = [
+    {
+      rule                     = "mysql"
+      source_security_group_id = "${data.aws_security_group.default.id}"
+    },
+    {
+      from_port                = 10
+      to_port                  = 10
+      protocol                 = 6
+      description              = "Service name"
+      source_security_group_id = "${data.aws_security_group.default.id}"
+    },
+  ]
+  # Open for self (rule or from_port+to_port+protocol+description)
+  egress_with_self = [
+    {
+      rule = "all-all"
+    },
+    {
+      from_port   = 30
+      to_port     = 40
+      protocol    = 6
+      description = "Service name"
+      self        = true
+    },
+    {
+      from_port = 41
+      to_port   = 51
+      protocol  = 6
+      self      = false
+    },
+  ]
+}

examples/complete/outputs.tf

@@ -0,0 +1,34 @@
+output "this_security_group_id" {
+  description = "The ID of the security group"
+  value       = "${module.complete_sg.this_security_group_id}"
+}
+
+output "this_security_group_vpc_id" {
+  description = "The VPC ID"
+  value       = "${module.complete_sg.this_security_group_vpc_id}"
+}
+
+output "this_security_group_owner_id" {
+  description = "The owner ID"
+  value       = "${module.complete_sg.this_security_group_owner_id}"
+}
+
+output "this_security_group_name" {
+  description = "The name of the security group"
+  value       = "${module.complete_sg.this_security_group_name}"
+}
+
+output "this_security_group_description" {
+  description = "The description of the security group"
+  value       = "${module.complete_sg.this_security_group_description}"
+}
+
+output "this_security_group_ingress" {
+  description = "The ingress rules"
+  value       = "${module.complete_sg.this_security_group_ingress}"
+}
+
+output "this_security_group_egress" {
+  description = "The egress rules"
+  value       = "${module.complete_sg.this_security_group_egress}"
+}

examples/http/README.md

@@ -0,0 +1,19 @@
+Complete Security Group example
+===============================
+
+Configuration in this directory creates set of Security Group and Security Group Rules resources in various combination.
+
+Data sources are used to discover existing VPC resources (VPC and default security group).
+
+Usage
+=====
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.