Skip to content

Commit

Permalink
feat: Added support of kubernetes api server - 6443-tcp (#166)
Browse files Browse the repository at this point in the history
  • Loading branch information
@boeboe
boeboe authored Apr 16, 2020
1 parent 7a2f052 commit 7e35afa
Show file tree
Hide file tree
Showing 7 changed files with 669 additions and 0 deletions.
1 change: 1 addition & 0 deletions modules/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ List of Security Groups implemented as Terraform modules
* [ipsec-4500](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ipsec-4500)
* [ipsec-500](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ipsec-500)
* [kafka](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/kafka)
* [kubernetes-api](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/kubernetes-api)
* [ldaps](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ldaps)
* [memcached](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/memcached)
* [mongodb](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/mongodb)
Expand Down
102 changes: 102 additions & 0 deletions modules/kubernetes-api/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
# kubernetes-api - AWS EC2-VPC Security Group Terraform module

## Usage

```hcl
module "kubernetes_api_security_group" {
source = "terraform-aws-modules/security-group/aws//modules/kubernetes-api"
version = "~> 3.0"
# omitted...
}
```

All automatic values **kubernetes-api module** is using are available [here](https://github.com/terraform-aws-modules/terraform-aws-security-group/blob/master/modules/kubernetes-api/auto_values.tf).

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers

No provider.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:-----:|
| auto\_computed\_egress\_rules | List of computed egress rules to add automatically | `list(string)` | `[]` | no |
| auto\_computed\_egress\_with\_self | List of maps defining computed egress rules with self to add automatically | `list(map(string))` | `[]` | no |
| auto\_computed\_ingress\_rules | List of ingress rules to add automatically | `list(string)` | `[]` | no |
| auto\_computed\_ingress\_with\_self | List of maps defining computed ingress rules with self to add automatically | `list(map(string))` | `[]` | no |
| auto\_egress\_rules | List of egress rules to add automatically | `list(string)` | <pre>[<br> "all-all"<br>]<br></pre> | no |
| auto\_egress\_with\_self | List of maps defining egress rules with self to add automatically | `list(map(string))` | `[]` | no |
| auto\_ingress\_rules | List of ingress rules to add automatically | `list(string)` | <pre>[<br> "kubernetes-api-tcp"<br>]<br></pre> | no |
| auto\_ingress\_with\_self | List of maps defining ingress rules with self to add automatically | `list(map(string))` | <pre>[<br> {<br> "rule": "all-all"<br> }<br>]<br></pre> | no |
| auto\_number\_of\_computed\_egress\_rules | Number of computed egress rules to create by name | `number` | `0` | no |
| auto\_number\_of\_computed\_egress\_with\_self | Number of computed egress rules to create where 'self' is defined | `number` | `0` | no |
| auto\_number\_of\_computed\_ingress\_rules | Number of computed ingress rules to create by name | `number` | `0` | no |
| auto\_number\_of\_computed\_ingress\_with\_self | Number of computed ingress rules to create where 'self' is defined | `number` | `0` | no |
| computed\_egress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all computed egress rules | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]<br></pre> | no |
| computed\_egress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all computed egress rules | `list(string)` | <pre>[<br> "::/0"<br>]<br></pre> | no |
| computed\_egress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all computed egress rules | `list(string)` | `[]` | no |
| computed\_egress\_rules | List of computed egress rules to create by name | `list(string)` | `[]` | no |
| computed\_egress\_with\_cidr\_blocks | List of computed egress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| computed\_egress\_with\_ipv6\_cidr\_blocks | List of computed egress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| computed\_egress\_with\_self | List of computed egress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
| computed\_egress\_with\_source\_security\_group\_id | List of computed egress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
| computed\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all computed ingress rules | `list(string)` | `[]` | no |
| computed\_ingress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all computed ingress rules | `list(string)` | `[]` | no |
| computed\_ingress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all computed ingress rules | `list(string)` | `[]` | no |
| computed\_ingress\_rules | List of computed ingress rules to create by name | `list(string)` | `[]` | no |
| computed\_ingress\_with\_cidr\_blocks | List of computed ingress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| computed\_ingress\_with\_ipv6\_cidr\_blocks | List of computed ingress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| computed\_ingress\_with\_self | List of computed ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
| computed\_ingress\_with\_source\_security\_group\_id | List of computed ingress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
| create | Whether to create security group and all rules | `bool` | `true` | no |
| description | Description of security group | `string` | `"Security Group managed by Terraform"` | no |
| egress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all egress rules | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]<br></pre> | no |
| egress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all egress rules | `list(string)` | <pre>[<br> "::/0"<br>]<br></pre> | no |
| egress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules | `list(string)` | `[]` | no |
| egress\_rules | List of egress rules to create by name | `list(string)` | `[]` | no |
| egress\_with\_cidr\_blocks | List of egress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| egress\_with\_ipv6\_cidr\_blocks | List of egress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| egress\_with\_self | List of egress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
| egress\_with\_source\_security\_group\_id | List of egress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
| ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules | `list(string)` | `[]` | no |
| ingress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all ingress rules | `list(string)` | `[]` | no |
| ingress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules | `list(string)` | `[]` | no |
| ingress\_rules | List of ingress rules to create by name | `list(string)` | `[]` | no |
| ingress\_with\_cidr\_blocks | List of ingress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| ingress\_with\_ipv6\_cidr\_blocks | List of ingress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
| ingress\_with\_self | List of ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
| ingress\_with\_source\_security\_group\_id | List of ingress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
| name | Name of security group | `string` | n/a | yes |
| number\_of\_computed\_egress\_cidr\_blocks | Number of IPv4 CIDR ranges to use on all computed egress rules | `number` | `0` | no |
| number\_of\_computed\_egress\_ipv6\_cidr\_blocks | Number of IPv6 CIDR ranges to use on all computed egress rules | `number` | `0` | no |
| number\_of\_computed\_egress\_prefix\_list\_ids | Number of prefix list IDs (for allowing access to VPC endpoints) to use on all computed egress rules | `number` | `0` | no |
| number\_of\_computed\_egress\_rules | Number of computed egress rules to create by name | `number` | `0` | no |
| number\_of\_computed\_egress\_with\_cidr\_blocks | Number of computed egress rules to create where 'cidr\_blocks' is used | `number` | `0` | no |
| number\_of\_computed\_egress\_with\_ipv6\_cidr\_blocks | Number of computed egress rules to create where 'ipv6\_cidr\_blocks' is used | `number` | `0` | no |
| number\_of\_computed\_egress\_with\_self | Number of computed egress rules to create where 'self' is defined | `number` | `0` | no |
| number\_of\_computed\_egress\_with\_source\_security\_group\_id | Number of computed egress rules to create where 'source\_security\_group\_id' is used | `number` | `0` | no |
| number\_of\_computed\_ingress\_cidr\_blocks | Number of IPv4 CIDR ranges to use on all computed ingress rules | `number` | `0` | no |
| number\_of\_computed\_ingress\_ipv6\_cidr\_blocks | Number of IPv6 CIDR ranges to use on all computed ingress rules | `number` | `0` | no |
| number\_of\_computed\_ingress\_prefix\_list\_ids | Number of prefix list IDs (for allowing access to VPC endpoints) to use on all computed ingress rules | `number` | `0` | no |
| number\_of\_computed\_ingress\_rules | Number of computed ingress rules to create by name | `number` | `0` | no |
| number\_of\_computed\_ingress\_with\_cidr\_blocks | Number of computed ingress rules to create where 'cidr\_blocks' is used | `number` | `0` | no |
| number\_of\_computed\_ingress\_with\_ipv6\_cidr\_blocks | Number of computed ingress rules to create where 'ipv6\_cidr\_blocks' is used | `number` | `0` | no |
| number\_of\_computed\_ingress\_with\_self | Number of computed ingress rules to create where 'self' is defined | `number` | `0` | no |
| number\_of\_computed\_ingress\_with\_source\_security\_group\_id | Number of computed ingress rules to create where 'source\_security\_group\_id' is used | `number` | `0` | no |
| tags | A mapping of tags to assign to security group | `map(string)` | `{}` | no |
| use\_name\_prefix | Whether to use name\_prefix or fixed name. Should be true to able to update security group name after initial creation | `bool` | `true` | no |
| vpc\_id | ID of the VPC where to create security group | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| this\_security\_group\_description | The description of the security group |
| this\_security\_group\_id | The ID of the security group |
| this\_security\_group\_name | The name of the security group |
| this\_security\_group\_owner\_id | The owner ID |
| this\_security\_group\_vpc\_id | The VPC ID |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
79 changes: 79 additions & 0 deletions modules/kubernetes-api/auto_values.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
# This file was generated from values defined in rules.tf using update_groups.sh.
###################################
# DO NOT CHANGE THIS FILE MANUALLY
###################################

variable "auto_ingress_rules" {
description = "List of ingress rules to add automatically"
type = list(string)
default = ["kubernetes-api-tcp"]
}

variable "auto_ingress_with_self" {
description = "List of maps defining ingress rules with self to add automatically"
type = list(map(string))
default = [{ "rule" = "all-all" }]
}

variable "auto_egress_rules" {
description = "List of egress rules to add automatically"
type = list(string)
default = ["all-all"]
}

variable "auto_egress_with_self" {
description = "List of maps defining egress rules with self to add automatically"
type = list(map(string))
default = []
}

# Computed
variable "auto_computed_ingress_rules" {
description = "List of ingress rules to add automatically"
type = list(string)
default = []
}

variable "auto_computed_ingress_with_self" {
description = "List of maps defining computed ingress rules with self to add automatically"
type = list(map(string))
default = []
}

variable "auto_computed_egress_rules" {
description = "List of computed egress rules to add automatically"
type = list(string)
default = []
}

variable "auto_computed_egress_with_self" {
description = "List of maps defining computed egress rules with self to add automatically"
type = list(map(string))
default = []
}

# Number of computed rules
variable "auto_number_of_computed_ingress_rules" {
description = "Number of computed ingress rules to create by name"
type = number
default = 0
}

variable "auto_number_of_computed_ingress_with_self" {
description = "Number of computed ingress rules to create where 'self' is defined"
type = number
default = 0
}

variable "auto_number_of_computed_egress_rules" {
description = "Number of computed egress rules to create by name"
type = number
default = 0
}

variable "auto_number_of_computed_egress_with_self" {
description = "Number of computed egress rules to create where 'self' is defined"
type = number
default = 0
}

114 changes: 114 additions & 0 deletions modules/kubernetes-api/main.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
module "sg" {
source = "../../"

create = var.create
name = var.name
use_name_prefix = var.use_name_prefix
description = var.description
vpc_id = var.vpc_id
tags = var.tags

##########
# Ingress
##########
# Rules by names - open for default CIDR
ingress_rules = sort(compact(distinct(concat(var.auto_ingress_rules, var.ingress_rules, [""]))))

# Open for self
ingress_with_self = concat(var.auto_ingress_with_self, var.ingress_with_self)

# Open to IPv4 cidr blocks
ingress_with_cidr_blocks = var.ingress_with_cidr_blocks

# Open to IPv6 cidr blocks
ingress_with_ipv6_cidr_blocks = var.ingress_with_ipv6_cidr_blocks

# Open for security group id
ingress_with_source_security_group_id = var.ingress_with_source_security_group_id

# Default ingress CIDR blocks
ingress_cidr_blocks = var.ingress_cidr_blocks
ingress_ipv6_cidr_blocks = var.ingress_ipv6_cidr_blocks

# Default prefix list ids
ingress_prefix_list_ids = var.ingress_prefix_list_ids

###################
# Computed Ingress
###################
# Rules by names - open for default CIDR
computed_ingress_rules = sort(compact(distinct(concat(var.auto_computed_ingress_rules, var.computed_ingress_rules, [""]))))

# Open for self
computed_ingress_with_self = concat(var.auto_computed_ingress_with_self, var.computed_ingress_with_self)

# Open to IPv4 cidr blocks
computed_ingress_with_cidr_blocks = var.computed_ingress_with_cidr_blocks

# Open to IPv6 cidr blocks
computed_ingress_with_ipv6_cidr_blocks = var.computed_ingress_with_ipv6_cidr_blocks

# Open for security group id
computed_ingress_with_source_security_group_id = var.computed_ingress_with_source_security_group_id

#############################
# Number of computed ingress
#############################
number_of_computed_ingress_rules = var.auto_number_of_computed_ingress_rules + var.number_of_computed_ingress_rules
number_of_computed_ingress_with_self = var.auto_number_of_computed_ingress_with_self + var.number_of_computed_ingress_with_self
number_of_computed_ingress_with_cidr_blocks = var.number_of_computed_ingress_with_cidr_blocks
number_of_computed_ingress_with_ipv6_cidr_blocks = var.number_of_computed_ingress_with_ipv6_cidr_blocks
number_of_computed_ingress_with_source_security_group_id = var.number_of_computed_ingress_with_source_security_group_id

#########
# Egress
#########
# Rules by names - open for default CIDR
egress_rules = sort(compact(distinct(concat(var.auto_egress_rules, var.egress_rules, [""]))))

# Open for self
egress_with_self = concat(var.auto_egress_with_self, var.egress_with_self)

# Open to IPv4 cidr blocks
egress_with_cidr_blocks = var.egress_with_cidr_blocks

# Open to IPv6 cidr blocks
egress_with_ipv6_cidr_blocks = var.egress_with_ipv6_cidr_blocks

# Open for security group id
egress_with_source_security_group_id = var.egress_with_source_security_group_id

# Default egress CIDR blocks
egress_cidr_blocks = var.egress_cidr_blocks
egress_ipv6_cidr_blocks = var.egress_ipv6_cidr_blocks

# Default prefix list ids
egress_prefix_list_ids = var.egress_prefix_list_ids

##################
# Computed Egress
##################
# Rules by names - open for default CIDR
computed_egress_rules = sort(compact(distinct(concat(var.auto_computed_egress_rules, var.computed_egress_rules, [""]))))

# Open for self
computed_egress_with_self = concat(var.auto_computed_egress_with_self, var.computed_egress_with_self)

# Open to IPv4 cidr blocks
computed_egress_with_cidr_blocks = var.computed_egress_with_cidr_blocks

# Open to IPv6 cidr blocks
computed_egress_with_ipv6_cidr_blocks = var.computed_egress_with_ipv6_cidr_blocks

# Open for security group id
computed_egress_with_source_security_group_id = var.computed_egress_with_source_security_group_id

#############################
# Number of computed egress
#############################
number_of_computed_egress_rules = var.auto_number_of_computed_egress_rules + var.number_of_computed_egress_rules
number_of_computed_egress_with_self = var.auto_number_of_computed_egress_with_self + var.number_of_computed_egress_with_self
number_of_computed_egress_with_cidr_blocks = var.number_of_computed_egress_with_cidr_blocks
number_of_computed_egress_with_ipv6_cidr_blocks = var.number_of_computed_egress_with_ipv6_cidr_blocks
number_of_computed_egress_with_source_security_group_id = var.number_of_computed_egress_with_source_security_group_id
}
24 changes: 24 additions & 0 deletions modules/kubernetes-api/outputs.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
output "this_security_group_id" {
description = "The ID of the security group"
value = module.sg.this_security_group_id
}

output "this_security_group_vpc_id" {
description = "The VPC ID"
value = module.sg.this_security_group_vpc_id
}

output "this_security_group_owner_id" {
description = "The owner ID"
value = module.sg.this_security_group_owner_id
}

output "this_security_group_name" {
description = "The name of the security group"
value = module.sg.this_security_group_name
}

output "this_security_group_description" {
description = "The description of the security group"
value = module.sg.this_security_group_description
}
Loading

0 comments on commit 7e35afa

Please sign in to comment.