Update Security Group rules (cloudposse#186)
* Update Security Group

* Update Security Group

* Update Security Group

* Update Security Group
aknysh authored May 24, 2023
1 parent c0993cc commit c8a4adf
Showing 7 changed files with 36 additions and 25 deletions.
1 change: 1 addition & 0 deletions .github/workflows/release-branch.yml
Expand Up @@ -10,6 +10,7 @@ on:
- 'docs/**'
- 'examples/**'
- 'test/**'
- 'README.*'

permissions:
contents: write
2 changes: 1 addition & 1 deletion LICENSE
Expand Up @@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright 2018-2022 Cloud Posse, LLC
Copyright 2018-2023 Cloud Posse, LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -528,6 +528,7 @@ Available targets:
| <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
| <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br> The value of the `name` tag, if included, will be the `id`, not the `name`.<br> Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br> changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br> "default"<br>]</pre> | no |
| <a name="input_local_exec_interpreter"></a> [local\_exec\_interpreter](#input\_local\_exec\_interpreter) | shell to use for local\_exec | `list(string)` | <pre>[<br> "/bin/sh",<br> "-c"<br>]</pre> | no |
| <a name="input_managed_security_group_rules_enabled"></a> [managed\_security\_group\_rules\_enabled](#input\_managed\_security\_group\_rules\_enabled) | Flag to enable/disable the ingress and egress rules for the EKS managed Security Group | `bool` | `true` | no |
| <a name="input_map_additional_aws_accounts"></a> [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap | `list(string)` | `[]` | no |
| <a name="input_map_additional_iam_roles"></a> [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap | <pre>list(object({<br> rolearn = string<br> username = string<br> groups = list(string)<br> }))</pre> | `[]` | no |
| <a name="input_map_additional_iam_users"></a> [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM users to add to `config-map-aws-auth` ConfigMap | <pre>list(object({<br> userarn = string<br> username = string<br> groups = list(string)<br> }))</pre> | `[]` | no |
1 change: 1 addition & 0 deletions docs/terraform.md
Expand Up @@ -112,6 +112,7 @@
| <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
| <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br> The value of the `name` tag, if included, will be the `id`, not the `name`.<br> Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br> changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br> "default"<br>]</pre> | no |
| <a name="input_local_exec_interpreter"></a> [local\_exec\_interpreter](#input\_local\_exec\_interpreter) | shell to use for local\_exec | `list(string)` | <pre>[<br> "/bin/sh",<br> "-c"<br>]</pre> | no |
| <a name="input_managed_security_group_rules_enabled"></a> [managed\_security\_group\_rules\_enabled](#input\_managed\_security\_group\_rules\_enabled) | Flag to enable/disable the ingress and egress rules for the EKS managed Security Group | `bool` | `true` | no |
| <a name="input_map_additional_aws_accounts"></a> [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap | `list(string)` | `[]` | no |
| <a name="input_map_additional_iam_roles"></a> [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap | <pre>list(object({<br> rolearn = string<br> username = string<br> groups = list(string)<br> }))</pre> | `[]` | no |
| <a name="input_map_additional_iam_users"></a> [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM users to add to `config-map-aws-auth` ConfigMap | <pre>list(object({<br> userarn = string<br> username = string<br> groups = list(string)<br> }))</pre> | `[]` | no |
3 changes: 0 additions & 3 deletions security-group-variables.tf
Expand Up @@ -44,8 +44,6 @@ variable "allowed_cidr_blocks" {
EOT
}



variable "custom_ingress_rules" {
type = list(object({
description = string
Expand All @@ -58,5 +56,4 @@ variable "custom_ingress_rules" {
description = <<-EOT
A List of Objects, which are custom security group rules that
EOT

}
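Review bot: the `description` heredoc for `custom_ingress_rules` ends mid-sentence on the unchanged context line (`A List of Objects, which are custom security group rules that`); since this hunk only trims the blank line before the closing brace, it is a good moment to finish the sentence, for instance by stating that each rule is attached to the EKS-managed Security Group and keyed by its `source_security_group_id`, which is what security-group.tf in this commit does with them.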
47 changes: 26 additions & 21 deletions security-group.tf
Expand Up @@ -2,36 +2,54 @@
# Rules for EKS-managed Security Group
# -----------------------------------------------------------------------

locals {
cluster_security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
managed_security_group_rules_enabled = local.enabled && var.managed_security_group_rules_enabled
}

resource "aws_security_group_rule" "managed_ingress_security_groups" {
count = local.enabled ? length(local.allowed_security_group_ids) : 0
count = local.managed_security_group_rules_enabled ? length(local.allowed_security_group_ids) : 0

description = "Allow inbound traffic from existing Security Groups"
from_port = 0
to_port = 65535
protocol = "-1"
source_security_group_id = local.allowed_security_group_ids[count.index]
security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
security_group_id = local.cluster_security_group_id
type = "ingress"
}

resource "aws_security_group_rule" "managed_ingress_cidr_blocks" {
count = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
count = local.managed_security_group_rules_enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0

description = "Allow inbound traffic from CIDR blocks"
from_port = 0
to_port = 65535
protocol = "-1"
cidr_blocks = var.allowed_cidr_blocks
security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
security_group_id = local.cluster_security_group_id
type = "ingress"
}

resource "aws_security_group_rule" "custom_ingress_rules" {
for_each = { for sg_rule in var.custom_ingress_rules : sg_rule.source_security_group_id => sg_rule }

description = each.value.description
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = each.value.source_security_group_id
security_group_id = local.cluster_security_group_id
type = "ingress"
}

# -----------------------------------------------------------------------
# DEPRECATED: Additional Security Group
# -----------------------------------------------------------------------

locals {
create_security_group = local.enabled && var.create_security_group
security_group_id = one(aws_security_group.default[*].id)
}

resource "aws_security_group" "default" {
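Review bot: `aws_security_group_rule.custom_ingress_rules` is moved under the EKS-managed section and attached to `local.cluster_security_group_id`, but unlike `managed_ingress_security_groups` and `managed_ingress_cidr_blocks` its `for_each` is not gated by `local.managed_security_group_rules_enabled` (or even `local.enabled`), so with the module disabled the rules are still planned against a null `security_group_id`, and with the new flag set to `false` the custom rules are still created. Suggest `for_each = local.managed_security_group_rules_enabled ? { for sg_rule in var.custom_ingress_rules : sg_rule.source_security_group_id => sg_rule } : {}`. Separately, keying the map on `sg_rule.source_security_group_id` means two custom rules for the same source group (for example two different port ranges) produce a duplicate-key error at plan time; a key built from source group, protocol and port range would allow that case.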
Expand All @@ -51,7 +69,7 @@ resource "aws_security_group_rule" "egress" {
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = one(aws_security_group.default[*].id)
security_group_id = local.security_group_id
type = "egress"
}

Expand All @@ -63,7 +81,7 @@ resource "aws_security_group_rule" "ingress_workers" {
to_port = 65535
protocol = "-1"
source_security_group_id = var.workers_security_group_ids[count.index]
security_group_id = one(aws_security_group.default[*].id)
security_group_id = local.security_group_id
type = "ingress"
}

Expand All @@ -75,7 +93,7 @@ resource "aws_security_group_rule" "ingress_security_groups" {
to_port = 65535
protocol = "-1"
source_security_group_id = var.allowed_security_groups[count.index]
security_group_id = one(aws_security_group.default[*].id)
security_group_id = local.security_group_id
type = "ingress"
}

Expand All @@ -87,19 +105,6 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" {
to_port = 65535
protocol = "-1"
cidr_blocks = var.allowed_cidr_blocks
security_group_id = one(aws_security_group.default[*].id)
security_group_id = local.security_group_id
type = "ingress"
}

resource "aws_security_group_rule" "custom_ingress_rules" {

for_each = { for sg_rule in var.custom_ingress_rules : sg_rule.source_security_group_id => sg_rule }

description = each.value.description
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = each.value.source_security_group_id
security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
type = "ingress"
}
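Review bot: the resource keeps the address `aws_security_group_rule.custom_ingress_rules` and the same `for_each` keys, and `local.cluster_security_group_id` is the same `one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)` expression it replaces, so the move should plan as a no-op with no `moved` block or state migration; worth confirming with a plan against an existing workspace, since the rule also leaves the deprecated section of the file and could be mistaken for a removal when reading the diff.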
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -326,3 +326,9 @@ variable "cluster_attributes" {
description = "Override label module default cluster attributes"
default = ["cluster"]
}

variable "managed_security_group_rules_enabled" {
type = bool
description = "Flag to enable/disable the ingress and egress rules for the EKS managed Security Group"
default = true
}
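Review bot: the description says the flag controls "the ingress and egress rules for the EKS managed Security Group", but the only resources gated by `local.managed_security_group_rules_enabled` in security-group.tf are the two ingress rules (`managed_ingress_security_groups`, `managed_ingress_cidr_blocks`); no egress rule on the managed group appears in this diff, and the egress rule that does exist belongs to the deprecated additional group and is gated by `create_security_group`. Suggest narrowing the description to "ingress rules" (the README.md and docs/terraform.md rows are generated from it, so they pick up the change) and stating whether `custom_ingress_rules` is covered by the flag.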
