├── .gitignore ├── LICENSE ├── README.md ├── sg_carbon-relay-ng ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_cassandra ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_consul ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_default ├── README.md ├── output.tf ├── sg_default.tf └── variables.tf ├── sg_docker_swarm ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_elasticsearch ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_https_only ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_kafka ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_ldap ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_ldaps_only ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_memcached ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_mysql ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_nomad ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_openvpn ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_postgresql ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_redis ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_ssh ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_storm ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_web ├── README.md ├── main.tf ├── outputs.tf └── variables.tf ├── sg_zipkin ├── README.md ├── main.tf ├── outputs.tf └── variables.tf └── sg_zookeeper ├── README.md ├── main.tf ├── outputs.tf └── variables.tf /.gitignore: -------------------------------------------------------------------------------- 1 | *.tfvars* 2 | *.tfstate* 3 | .terraform/ 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Author:: Brandon Burton () 2 | 3 | Copyright 2015 Brandon Burton 4 | 5 | Licensed under 
the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
tf_aws_sg
======================

# This module is deprecated and [terraform-aws-modules/terraform-aws-security-group module](https://github.com/terraform-aws-modules/terraform-aws-security-group) published on [the Terraform registry](https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws) should be used instead.

## This repository will not have active support any more.

---

A Terraform module which contains a number of common configurations for AWS security groups.
* It assumes you're putting your SGs in a VPC.
* Security note: most of the catalog modules below default `source_cidr_block` to `["0.0.0.0/0"]` (check each module's `variables.tf`), which makes every port the module opens reachable from any IPv4 address. Always pass an explicit, narrow `source_cidr_block`; this matters most for management ports such as JMX, admin/GUI ports and the Consul HTTP API, which should normally only be reachable from inside your own network. `sg_elasticsearch` has no default and requires the value; `sg_default` takes its rules explicitly. The catalog modules additionally add a `self` rule that allows all traffic between members of the same security group (see each module's `main.tf`).

Security Group Catalog
----------------------

This module contains the following security group templates for you to use as modules in
service Terraform templates.
18 | 19 | - [sg_memcached](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_memcached) 20 | - It allows incoming TCP 11211 (memcached) 21 | - [sg_ssh](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_ssh) 22 | - It allows incoming TCP 22 (ssh) 23 | - [sg_web](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_web) - this is a security group for web applications 24 | - It allows incoming TCP 80 (HTTP), TCP 443 (HTTPS), TCP 8080 (HTTP/S), TCP 1099 (JMX) 25 | - [sg_zookeeper](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_zookeeper) - this is a security group for zookeeper 26 | - It Allows incoming TCP 2181, TCP 2888, TCP 3888, TCP 7199 (Used for zk JMX) 27 | - [sg_https_only](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_https_only) - This is a security group for external HTTPS ELBs 28 | - It only allows incoming TCP 443 (HTTPS) 29 | - [sg_consul](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_consul) - This is a security group for Consul clusters 30 | - It allows incoming TCP 8300 (Server RPC), TCP 8301 (Serf LAN), UDP 8301 (Serf LAN), TCP 8302 (Serf WAN), and UDP 8302 (Serf WAN) 31 | - It allows incoming TCP 8400 (Consul RPC), TCP 8500 (Consul HTTP), TCP 8600 (Consul DNS), and UDP 8600 (Consul DNS) 32 | - [sg_redis](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_redis) - This is a security group for Redis clusters 33 | - It allows incoming TCP 6379 (redis) 34 | - [sg_kafka](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_kafka) - This is a security group for Kafka clusters 35 | - It allows incoming TCP 6667 (Kafka broker) TCP 9092 (Kafka broker) 36 | - [sg_cassandra](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_cassandra) - This is a security group for Cassandra clusters 37 | - It allows incoming TCP 7199 (JMX), 9042 (Cassandra clients), 9160 
(Cassandra Thrift clients) 38 | - [sg_mysql](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_mysql) - This is a security group for MySQL 39 | - It allows incoming TCP 3306 (MySQL) 40 | - [sg_postgresql](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_postgresql) - This is a security group for PostgreSQL 41 | - It allows incoming TCP 5432 (PostgreSQL) 42 | - [sg_elasticsearch](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_elasticsearch) - This is a security group for ElasticSearch 43 | - It allows incoming TCP 9200 (REST Interface) 44 | - [sg_storm](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_storm) - This is a security group for Apache Storm Cluster 45 | - It allows incoming TCP 6627 (Default Nimbus port), TCP 8080 (Storm UI), TCP 6700, 6701, 6702, 6703 (Default Supervisor port) 46 | - [sg_zipkin](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_zipkin) - This is a security group for Zipkin 47 | - It allows incoming TCP 9990 (zipkin admin port collector), TCP 9901 (zipkin admin port query) 48 | - It allows TCP 9991 (zipkin admin port web), TCP 9411 (zipkin query port), TCP 8080 (zipkin web port) 49 | - [sg_ldap](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_ldap) - This is a security group for LDAP 50 | - It allows incoming TCP 636 (LDAPS) 51 | - [sg_ldaps_only](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_ldaps_only) - This is a security group for LDAPS only 52 | - It allows incoming TCP 636 (LDAPS) 53 | - [sg_carbon-relay-ng](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_carbon-relay-ng) - This is a security group for carbon-relay-ng 54 | - It allows incoming TCP 2003 (carbon-in), 2004 (admin), 2013 (pickle), 8081 (GUI) and UDP 2003 (carbon-in), 2013 (pickle) 55 | - [sg_openvpn](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_openvpn) - 
This is a security group for OpenVPN 56 | - It allows incoming UDP 1194 (OpenVPN), TCP 443 (user web port), TCP 943 (admin web port) 57 | - [sg_docker_swarm](https://github.com/terraform-community-modules/tf_aws_sg/tree/master/sg_docker_swarm) - This is a security group for Docker Swarm 58 | - It allows incoming TCP 2377 (Swarm management communication), 7946 (Swarm node communication), UDP 7946 (Swarm node communication), 4789 (Swarm overlay network communication) 59 | 60 | 61 | Usage 62 | ------ 63 | 64 | You can use these in your terraform template with the following steps. 65 | 66 | 1.) Adding a module resource to your template, e.g. `main.tf` 67 | 68 | ``` 69 | module "sg_web" { 70 | source = "github.com/terraform-community-modules/tf_aws_sg//sg_web" 71 | security_group_name = "${var.security_group_name}-web" 72 | vpc_id = "${var.vpc_id}" 73 | source_cidr_block = ["${var.source_cidr_block}"] 74 | } 75 | ``` 76 | 77 | 2.) Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI 78 | 79 | - security_group_name 80 | - vpc_id 81 | - source_cidr_block 82 | 83 | Authors 84 | ======= 85 | 86 | Created and maintained by [Brandon Burton](https://github.com/solarce) 87 | (brandon@inatree.org). 88 | 89 | License 90 | ======= 91 | 92 | Apache 2 Licensed. See LICENSE for full details. 
-------------------------------------------------------------------------------- /sg_carbon-relay-ng/README.md: --------------------------------------------------------------------------------
sg_carbon-relay-ng terraform module
==============================

A Terraform security group module for carbon-relay-ng


Ports
-----
- TCP 2003 (carbon-relay-ng carbon line-in)
- UDP 2003 (carbon-relay-ng carbon line-in)
- TCP 2013 (carbon-relay-ng carbon pickle)
- UDP 2013 (carbon-relay-ng carbon pickle)
- TCP 8081 (carbon-relay-ng carbon GUI)
- TCP 2004 (carbon-relay-ng carbon admin port)
- Additionally, all protocols and ports between members of this security group (the `self` rule in `main.tf`)


Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The list of source CIDR blocks, defaults to `0.0.0.0/0`
  for this module. Because the same CIDR list is applied to every port above — including the admin port (TCP 2004) and the GUI (TCP 8081), not just the metric intake ports — pass an explicit, narrow list of the networks that need to send metrics rather than relying on the default.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_carbon-relay-ng" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_carbon-relay-ng"
  security_group_name = "${var.security_group_name}-carbon-relay-ng"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2.
Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI 42 | 43 | - security_group_name 44 | - vpc_id 45 | - source_cidr_block 46 | -------------------------------------------------------------------------------- /sg_carbon-relay-ng/main.tf: -------------------------------------------------------------------------------- 1 | // 2 | // Module: tf_aws_sg/sg_carbon-relay-ng 3 | // 4 | // 5 | 6 | resource "aws_security_group" "main_security_group" { 7 | name = "${var.security_group_name}" 8 | description = "tf-sg-${var.security_group_name}" 9 | vpc_id = "${var.vpc_id}" 10 | } 11 | 12 | // Allow any internal network flow. 13 | resource "aws_security_group_rule" "ingress_any_any_self" { 14 | security_group_id = "${aws_security_group.main_security_group.id}" 15 | from_port = 0 16 | to_port = 65535 17 | protocol = "-1" 18 | self = true 19 | type = "ingress" 20 | } 21 | 22 | // Allow: TCP:2003 for carbon line-in. 23 | resource "aws_security_group_rule" "ingress_tcp_2003_cidr" { 24 | security_group_id = "${aws_security_group.main_security_group.id}" 25 | from_port = 2003 26 | to_port = 2003 27 | protocol = "tcp" 28 | cidr_blocks = "${var.source_cidr_block}" 29 | type = "ingress" 30 | } 31 | 32 | // Allow: UDP:2013 for carbon line-in. 33 | resource "aws_security_group_rule" "ingress_udp_2003_cidr" { 34 | security_group_id = "${aws_security_group.main_security_group.id}" 35 | from_port = 2003 36 | to_port = 2003 37 | protocol = "udp" 38 | cidr_blocks = "${var.source_cidr_block}" 39 | type = "ingress" 40 | } 41 | 42 | // Allow: TCP:2013 for Pickle. 43 | resource "aws_security_group_rule" "ingress_tcp_2013_cidr" { 44 | security_group_id = "${aws_security_group.main_security_group.id}" 45 | from_port = 2013 46 | to_port = 2013 47 | protocol = "tcp" 48 | cidr_blocks = "${var.source_cidr_block}" 49 | type = "ingress" 50 | } 51 | 52 | // Allow: UDP:2013 for Pickle. 
53 | resource "aws_security_group_rule" "ingress_udp_2013_cidr" { 54 | security_group_id = "${aws_security_group.main_security_group.id}" 55 | from_port = 2013 56 | to_port = 2013 57 | protocol = "udp" 58 | cidr_blocks = "${var.source_cidr_block}" 59 | type = "ingress" 60 | } 61 | 62 | // Allow: TCP:2004 for Admin port. 63 | resource "aws_security_group_rule" "ingress_tcp_2004_cidr" { 64 | security_group_id = "${aws_security_group.main_security_group.id}" 65 | from_port = 2004 66 | to_port = 2004 67 | protocol = "tcp" 68 | cidr_blocks = "${var.source_cidr_block}" 69 | type = "ingress" 70 | } 71 | 72 | // Allow: TCP:8081 for graphical user interface. 73 | resource "aws_security_group_rule" "ingress_tcp_8081_cidr" { 74 | security_group_id = "${aws_security_group.main_security_group.id}" 75 | from_port = 8081 76 | to_port = 8081 77 | protocol = "tcp" 78 | cidr_blocks = "${var.source_cidr_block}" 79 | type = "ingress" 80 | } 81 | -------------------------------------------------------------------------------- /sg_carbon-relay-ng/outputs.tf: -------------------------------------------------------------------------------- 1 | // Output ID of sg_carbon-relay-ng SG we made 2 | output "security_group_id" { 3 | value = "${aws_security_group.main_security_group.id}" 4 | } 5 | -------------------------------------------------------------------------------- /sg_carbon-relay-ng/variables.tf: -------------------------------------------------------------------------------- 1 | // Module specific variables 2 | variable "security_group_name" { 3 | description = "The name for the security group" 4 | } 5 | 6 | variable "vpc_id" { 7 | description = "The VPC this security group will go in" 8 | } 9 | 10 | variable "source_cidr_block" { 11 | description = "The source CIDR block to allow traffic from" 12 | default = ["0.0.0.0/0"] 13 | type = "list" 14 | } 15 | -------------------------------------------------------------------------------- /sg_cassandra/README.md: 
-------------------------------------------------------------------------------- 1 | sg_cassandra terraform module 2 | ============================== 3 | 4 | A Terraform security group module for Cassandra 5 | 6 | 7 | Ports 8 | ----- 9 | - TCP 7199 (JMX) 10 | - TCP 9042 (Cassandra clients) 11 | - TCP 9160 (Cassandra Thrift clients) 12 | 13 | Input Variables 14 | --------------- 15 | 16 | - `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1` 17 | - `vpc_id` - The VPC this security group should be created in. 18 | - `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0` 19 | for this module. 20 | 21 | Usage 22 | ----- 23 | 24 | You can use these in your terraform template with the following steps. 25 | 26 | 1.) Adding a module resource to your template, e.g. `main.tf` 27 | 28 | ``` 29 | module "sg_cassandra" { 30 | source = "github.com/terraform-community-modules/tf_aws_sg//sg_cassandra" 31 | security_group_name = "${var.security_group_name}-cassandra" 32 | vpc_id = "${var.vpc_id}" 33 | source_cidr_block = ["${var.source_cidr_block}"] 34 | } 35 | ``` 36 | 37 | 2.) Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI 38 | 39 | - security_group_name 40 | - vpc_id 41 | - source_cidr_block 42 | -------------------------------------------------------------------------------- /sg_cassandra/main.tf: -------------------------------------------------------------------------------- 1 | // 2 | // Module: tf_aws_sg/sg_cassandra 3 | // 4 | // 5 | 6 | resource "aws_security_group" "main_security_group" { 7 | name = "${var.security_group_name}" 8 | description = "tf-sg-${var.security_group_name}" 9 | vpc_id = "${var.vpc_id}" 10 | } 11 | 12 | // Allow any internal network flow. 
13 | resource "aws_security_group_rule" "ingress_any_any_self" { 14 | security_group_id = "${aws_security_group.main_security_group.id}" 15 | from_port = 0 16 | to_port = 65535 17 | protocol = "-1" 18 | self = true 19 | type = "ingress" 20 | } 21 | 22 | // Allow TCP:9042 (Cassandra clients). 23 | resource "aws_security_group_rule" "ingress_tcp_9042_self" { 24 | security_group_id = "${aws_security_group.main_security_group.id}" 25 | from_port = 9042 26 | to_port = 9042 27 | protocol = "tcp" 28 | cidr_blocks = "${var.source_cidr_block}" 29 | type = "ingress" 30 | } 31 | 32 | // Allow TCP:9160 (Cassandra Thrift clients) 33 | resource "aws_security_group_rule" "ingress_tcp_9160_self" { 34 | security_group_id = "${aws_security_group.main_security_group.id}" 35 | from_port = 9160 36 | to_port = 9160 37 | protocol = "tcp" 38 | cidr_blocks = "${var.source_cidr_block}" 39 | type = "ingress" 40 | } 41 | 42 | // Allow TCP:7199 (JMX) 43 | resource "aws_security_group_rule" "ingress_tcp_7199_self" { 44 | security_group_id = "${aws_security_group.main_security_group.id}" 45 | from_port = 7199 46 | to_port = 7199 47 | protocol = "tcp" 48 | cidr_blocks = "${var.source_cidr_block}" 49 | type = "ingress" 50 | } 51 | -------------------------------------------------------------------------------- /sg_cassandra/outputs.tf: -------------------------------------------------------------------------------- 1 | // Output ID of sg_cassandra SG we made 2 | output "security_group_id" { 3 | value = "${aws_security_group.main_security_group.id}" 4 | } 5 | -------------------------------------------------------------------------------- /sg_cassandra/variables.tf: -------------------------------------------------------------------------------- 1 | // Module specific variables 2 | variable "security_group_name" { 3 | description = "The name for the security group" 4 | } 5 | 6 | variable "vpc_id" { 7 | description = "The VPC this security group will go in" 8 | } 9 | 10 | variable 
"source_cidr_block" { 11 | description = "The source CIDR block to allow traffic from" 12 | default = ["0.0.0.0/0"] 13 | type = "list" 14 | } 15 | -------------------------------------------------------------------------------- /sg_consul/README.md: -------------------------------------------------------------------------------- 1 | sg_consul terraform module 2 | ============================== 3 | 4 | A Terraform security group module for Consul 5 | 6 | 7 | Ports 8 | ----- 9 | - TCP 8300 (Server RPC) 10 | - TCP 8301 (Serf LAN) 11 | - UDP 8301 (Serf LAN) 12 | - TCP 8302 (Serf WAN) 13 | - UDP 8302 (Serf WAN) 14 | - TCP 8400 (Consul RPC) 15 | - TCP 8500 (Consul HTTP API) 16 | - TCP 8600 (Consul DNS) 17 | - UDP 8600 (Consul DNS) 18 | 19 | Input Variables 20 | --------------- 21 | 22 | - `security_group_name` - The name for your security group, e.g. `bluffdale_consul_stage1` 23 | - `vpc_id` - The VPC this security group should be created in. 24 | - `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0` 25 | for this module. 26 | 27 | Usage 28 | ----- 29 | 30 | You can use these in your terraform template with the following steps. 31 | 32 | 1. Adding a module resource to your template, e.g. `main.tf` 33 | 34 | ``` 35 | module "sg_consul" { 36 | source = "github.com/terraform-community-modules/tf_aws_sg//sg_consul" 37 | security_group_name = "${var.security_group_name}-consul" 38 | vpc_id = "${var.vpc_id}" 39 | source_cidr_block = ["${var.source_cidr_block}"] 40 | } 41 | ``` 42 | 43 | 2. 
Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI 44 | 45 | - security_group_name 46 | - vpc_id 47 | - source_cidr_block 48 | -------------------------------------------------------------------------------- /sg_consul/main.tf: -------------------------------------------------------------------------------- 1 | // 2 | // Module: tf_aws_sg/sg_consul 3 | // 4 | // 5 | 6 | resource "aws_security_group" "main_security_group" { 7 | name = "${var.security_group_name}" 8 | description = "tf-sg-${var.security_group_name}" 9 | vpc_id = "${var.vpc_id}" 10 | } 11 | 12 | // Allow any internal network flow. 13 | resource "aws_security_group_rule" "ingress_any_any_self" { 14 | security_group_id = "${aws_security_group.main_security_group.id}" 15 | from_port = 0 16 | to_port = 65535 17 | protocol = "-1" 18 | self = true 19 | type = "ingress" 20 | } 21 | 22 | // Allow TCP:8300 (Server RPC). 23 | resource "aws_security_group_rule" "ingress_tcp_8300_self" { 24 | security_group_id = "${aws_security_group.main_security_group.id}" 25 | from_port = 8300 26 | to_port = 8300 27 | protocol = "tcp" 28 | cidr_blocks = "${var.source_cidr_block}" 29 | type = "ingress" 30 | } 31 | 32 | // Allow TCP:8500 (Consul Web UI). 33 | resource "aws_security_group_rule" "ingress_tcp_8500_self" { 34 | security_group_id = "${aws_security_group.main_security_group.id}" 35 | from_port = 8500 36 | to_port = 8500 37 | protocol = "tcp" 38 | cidr_blocks = "${var.source_cidr_block}" 39 | type = "ingress" 40 | } 41 | 42 | // Allow TCP:8301 (Serf LAN). 43 | resource "aws_security_group_rule" "ingress_tcp_8301_self" { 44 | security_group_id = "${aws_security_group.main_security_group.id}" 45 | from_port = 8301 46 | to_port = 8301 47 | protocol = "tcp" 48 | cidr_blocks = "${var.source_cidr_block}" 49 | type = "ingress" 50 | } 51 | 52 | // Allow UDP:8301 (Serf LAN). 
53 | resource "aws_security_group_rule" "ingress_udp_8301_self" { 54 | security_group_id = "${aws_security_group.main_security_group.id}" 55 | from_port = 8301 56 | to_port = 8301 57 | protocol = "udp" 58 | cidr_blocks = "${var.source_cidr_block}" 59 | type = "ingress" 60 | } 61 | 62 | // Allow TCP:8302 (Serf WAN). 63 | resource "aws_security_group_rule" "ingress_tcp_8302_self" { 64 | security_group_id = "${aws_security_group.main_security_group.id}" 65 | from_port = 8302 66 | to_port = 8302 67 | protocol = "tcp" 68 | cidr_blocks = "${var.source_cidr_block}" 69 | type = "ingress" 70 | } 71 | 72 | // Allow UDP:8302 (Serf WAN). 73 | resource "aws_security_group_rule" "ingress_udp_8302_self" { 74 | security_group_id = "${aws_security_group.main_security_group.id}" 75 | from_port = 8302 76 | to_port = 8302 77 | protocol = "udp" 78 | cidr_blocks = "${var.source_cidr_block}" 79 | type = "ingress" 80 | } 81 | 82 | // Allow TCP:8600 (Consul DNS). 83 | resource "aws_security_group_rule" "ingress_tcp_8600_self" { 84 | security_group_id = "${aws_security_group.main_security_group.id}" 85 | from_port = 8600 86 | to_port = 8600 87 | protocol = "tcp" 88 | cidr_blocks = "${var.source_cidr_block}" 89 | type = "ingress" 90 | } 91 | 92 | // Allow UDP:8600 (Consul DNS). 
93 | resource "aws_security_group_rule" "ingress_udp_8600_self" { 94 | security_group_id = "${aws_security_group.main_security_group.id}" 95 | from_port = 8600 96 | to_port = 8600 97 | protocol = "udp" 98 | cidr_blocks = "${var.source_cidr_block}" 99 | type = "ingress" 100 | } 101 | -------------------------------------------------------------------------------- /sg_consul/outputs.tf: -------------------------------------------------------------------------------- 1 | // Output ID of sg_consul SG we made 2 | output "security_group_id" { 3 | value = "${aws_security_group.main_security_group.id}" 4 | } 5 | -------------------------------------------------------------------------------- /sg_consul/variables.tf: -------------------------------------------------------------------------------- 1 | // Module specific variables 2 | variable "security_group_name" { 3 | description = "The name for the security group" 4 | } 5 | 6 | variable "vpc_id" { 7 | description = "The VPC this security group will go in" 8 | } 9 | 10 | variable "source_cidr_block" { 11 | description = "The source CIDR block to allow traffic from" 12 | default = ["0.0.0.0/0"] 13 | type = "list" 14 | } 15 | -------------------------------------------------------------------------------- /sg_default/README.md: -------------------------------------------------------------------------------- 1 | # sg_default terraform module 2 | A terraform module which contains default rules to create a specific security group. 3 | ## Input Variables 4 | * sg_name - The name for your security group, e.g. bluffdale_web_stage1 5 | * vpc_id - The VPC this security group should be created in. 6 | * sg_description - The description for your security group. 7 | * inbound_rules - A map that contains the inbound rules for the security group. 8 | * outbound_rules - A map that contains the outbound rules for the security group. 9 | * tags - A map that contains the tags for the security group. 
## Output Variables
* sg_id - The security group ID.
## Usage
You can use these in your terraform template with the following steps.
1. Adding a module resource to your template, e.g. main.tf

Each entry in `inbound_rules` and `outbound_rules` is a four-element list `[source_cidr, from_port, to_port, protocol]`. The map keys must be the consecutive strings `"0"`, `"1"`, … because the module creates one `aws_security_group_rule` per entry with `count` and looks each entry up by `count.index`; a gap in the numbering will make that lookup fail. Only one CIDR is taken per entry (`element(..., 0)`), so add a second entry for a second source. Use the protocol names the AWS provider expects (`tcp`, `udp`, `icmp`, or `-1` for all protocols). `outbound_rules` has no default, so it must be set; the example below grants allow-all egress — narrow it if the instances do not need unrestricted outbound access.
```
module "sg_default" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_default"
  sg_name = "${var.sg_name}"
  sg_description = "Security Group managed by Terraform"
  vpc_id = "${var.vpc_id}"

  ### Inbound rules ###
  inbound_rules = {
    "0" = [ "${var.source_cidr_block}", "80", "80", "tcp" ]
    "1" = [ "${var.source_cidr_block}", "443", "443", "tcp" ]
    "2" = [ "${var.another_source_cidr_block}", "1234", "4321", "udp" ]
  }

  ### Outbound rules ###
  outbound_rules = {
    "0" = [ "0.0.0.0/0", "0", "0", "-1" ]
  }

  ### Tags ###
  tags = {
    Name = "${var.sg_name}"
    Project = "test"
  }
}
```
2. Setting values for the following variables, either through terraform.tfvars or -var arguments on the CLI
* sg_name
* sg_description
* vpc_id
* inbound_rules
* outbound_rules
* tags
-------------------------------------------------------------------------------- /sg_default/output.tf: -------------------------------------------------------------------------------- 1 | output "sg_id" { 2 | value = "${aws_security_group.default_sg.id}" 3 | } 4 | -------------------------------------------------------------------------------- /sg_default/sg_default.tf: -------------------------------------------------------------------------------- 1 | resource "aws_security_group" "default_sg" { 2 | name = "${var.sg_name}" 3 | description = "${var.sg_description}" 4 | vpc_id = "${var.vpc_id}" 5 | tags = "${var.tags}" 6 | } 7 | 8 | resource "aws_security_group_rule" "ingress_rule" { 9 | count = "${length(var.inbound_rules)}" 10 | type = "ingress" 11 | cidr_blocks = ["${element(var.inbound_rules[count.index], 0)}"] 12 | from_port =
"${element(var.inbound_rules[count.index], 1)}" 13 | to_port = "${element(var.inbound_rules[count.index], 2)}" 14 | protocol = "${element(var.inbound_rules[count.index], 3)}" 15 | security_group_id = "${aws_security_group.default_sg.id}" 16 | } 17 | 18 | resource "aws_security_group_rule" "egress_rule" { 19 | count = "${length(var.outbound_rules)}" 20 | type = "egress" 21 | cidr_blocks = ["${element(var.outbound_rules[count.index], 0)}"] 22 | from_port = "${element(var.outbound_rules[count.index], 1)}" 23 | to_port = "${element(var.outbound_rules[count.index], 2)}" 24 | protocol = "${element(var.outbound_rules[count.index], 3)}" 25 | security_group_id = "${aws_security_group.default_sg.id}" 26 | } 27 | -------------------------------------------------------------------------------- /sg_default/variables.tf: -------------------------------------------------------------------------------- 1 | variable "vpc_id" {} 2 | variable "sg_name" {} 3 | 4 | variable "sg_description" { 5 | default = "Security Group managed by Terraform" 6 | } 7 | 8 | variable "inbound_rules" { 9 | type = "map" 10 | } 11 | 12 | variable "outbound_rules" { 13 | type = "map" 14 | } 15 | 16 | variable "tags" { 17 | type = "map" 18 | } 19 | -------------------------------------------------------------------------------- /sg_docker_swarm/README.md: -------------------------------------------------------------------------------- 1 | sg_docker_swarm terraform module 2 | ============================== 3 | 4 | A Terraform security group module for Docker Swarm Nodes 5 | 6 | 7 | Ports 8 | ----- 9 | - TCP 2377 (Swarm management communication) 10 | - TCP 7946 (Swarm node communication) 11 | - UDP 7946 (Swarm node communication) 12 | - UDP 4789 (Swarm overlay network communication) 13 | 14 | Input Variables 15 | --------------- 16 | 17 | - `security_group_name` - The name for your security group, e.g. `banach_docker_swarm` 18 | - `vpc_id` - The VPC this security group should be created in. 
- `source_cidr_block` - The list of source CIDR blocks, defaults to `0.0.0.0/0`
  for this module. The same list is applied to every port above, including TCP 2377 (Swarm management), so with the default the manager endpoint is reachable from any IPv4 address. Pass the address ranges of the swarm nodes themselves (and, if needed, of your management hosts) instead of relying on the default.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_docker_swarm" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_docker_swarm"
  security_group_name = "${var.security_group_name}-docker_swarm"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_docker_swarm/main.tf: -------------------------------------------------------------------------------- 1 | // 2 | // Module: tf_aws_sg/sg_docker_swarm 3 | // 4 | // 5 | 6 | resource "aws_security_group" "main_security_group" { 7 | name = "${var.security_group_name}" 8 | description = "tf-sg-${var.security_group_name}" 9 | vpc_id = "${var.vpc_id}" 10 | } 11 | 12 | // Allow any internal network flow.
13 | resource "aws_security_group_rule" "ingress_any_any_self" { 14 | security_group_id = "${aws_security_group.main_security_group.id}" 15 | from_port = 0 16 | to_port = 65535 17 | protocol = "-1" 18 | self = true 19 | type = "ingress" 20 | } 21 | 22 | // Allow TCP:2377 (Docker Swarm cluster management communication) 23 | resource "aws_security_group_rule" "ingress_tcp_2377_cidr" { 24 | security_group_id = "${aws_security_group.main_security_group.id}" 25 | from_port = 2377 26 | to_port = 2377 27 | protocol = "tcp" 28 | cidr_blocks = "${var.source_cidr_block}" 29 | type = "ingress" 30 | } 31 | 32 | // Allow TCP:7946 (Docker Swarm Node communication) 33 | resource "aws_security_group_rule" "ingress_tcp_7946_cidr" { 34 | security_group_id = "${aws_security_group.main_security_group.id}" 35 | from_port = 7946 36 | to_port = 7946 37 | protocol = "tcp" 38 | cidr_blocks = "${var.source_cidr_block}" 39 | type = "ingress" 40 | } 41 | 42 | // Allow UDP:7946 (Docker Swarm Node communication) 43 | resource "aws_security_group_rule" "ingress_udp_7946_cidr" { 44 | security_group_id = "${aws_security_group.main_security_group.id}" 45 | from_port = 7946 46 | to_port = 7946 47 | protocol = "udp" 48 | cidr_blocks = "${var.source_cidr_block}" 49 | type = "ingress" 50 | } 51 | 52 | // Allow UDP:4789 (Docker Swarm Overlay Network Traffic) 53 | resource "aws_security_group_rule" "ingress_udp_4789_cidr" { 54 | security_group_id = "${aws_security_group.main_security_group.id}" 55 | from_port = 4789 56 | to_port = 4789 57 | protocol = "udp" 58 | cidr_blocks = "${var.source_cidr_block}" 59 | type = "ingress" 60 | } -------------------------------------------------------------------------------- /sg_docker_swarm/outputs.tf: -------------------------------------------------------------------------------- 1 | // Output ID of sg_docker_swarm SG we made 2 | output "security_group_id" { 3 | value = "${aws_security_group.main_security_group.id}" 4 | } 5 | 
-------------------------------------------------------------------------------- /sg_docker_swarm/variables.tf: -------------------------------------------------------------------------------- 1 | // Module specific variables 2 | variable "security_group_name" { 3 | description = "The name for the security group" 4 | } 5 | 6 | variable "vpc_id" { 7 | description = "The VPC this security group will go in" 8 | } 9 | 10 | variable "source_cidr_block" { 11 | description = "The source CIDR block to allow traffic from" 12 | default = ["0.0.0.0/0"] 13 | type = "list" 14 | } -------------------------------------------------------------------------------- /sg_elasticsearch/README.md: --------------------------------------------------------------------------------
sg_elasticsearch terraform module
=================================

A terraform module which contains rules for an Elasticsearch cluster

Ports
-----

- TCP 9200 (REST Interface)
- TCP 9300 (Java/transport interface; opened by `main.tf` alongside 9200)
- Additionally, all protocols and ports between members of this security group (the `self` rule in `main.tf`)

Input Variables
---------------

- `security_group_name` - The name for your security group.
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The list of source CIDR blocks allowed to reach TCP 9200 and 9300. Unlike most modules in this repository it has no default, so it must be supplied; keep it to the networks that actually need to query the cluster.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_elasticsearch" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_elasticsearch"
  security_group_name = "${var.security_group_name}-elasticsearch"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2.
Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_elasticsearch/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_elasticsearch
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow: every protocol and port between members of
// this security group. This covers node-to-node cluster traffic, but it also
// means every instance attached to this SG can reach every other member on any
// port, so attach it to Elasticsearch nodes only.
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow TCP:9200 (REST Interface) from var.source_cidr_block.
// NOTE: the resource is named *_self but it is a CIDR rule (cidr_blocks, not
// self). Renaming it would force a destroy/recreate of the rule, so the name is
// left as-is; read it as "9200 from the caller's CIDR list".
// var.source_cidr_block has no default in this module, and the REST API has no
// authentication unless a security plugin is installed - keep it to client
// subnets, never 0.0.0.0/0.
resource "aws_security_group_rule" "ingress_tcp_9200_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 9200
  to_port = 9200
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}

// Allow TCP:9300 (Java interface). See the note on the 9300 rule that follows:
// it is also a CIDR rule despite its *_self name.
// TCP:9300 is the Java transport interface, opened to var.source_cidr_block.
// Transport traffic between cluster members is already allowed by
// ingress_any_any_self, so this rule only matters for nodes or transport
// clients outside this SG. The README documents only 9200; review whether 9300
// needs to be reachable from the same CIDRs at all. Named *_self but uses
// cidr_blocks (kept to avoid a destroy/recreate).
resource "aws_security_group_rule" "ingress_tcp_9300_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 9300
  to_port = 9300
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_elasticsearch/outputs.tf: --------------------------------------------------------------------------------
// Output ID of sg_elasticsearch SG we made
output "security_group_id" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_elasticsearch/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// No default on purpose: the caller must state who may reach 9200/9300.
variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  type = "list"
}
-------------------------------------------------------------------------------- /sg_https_only/README.md: --------------------------------------------------------------------------------
sg_https_only terraform module
==============================

A Terraform security group module for just HTTPS, useful for external
ELB instances.


Ports
-----
- TCP 443 (HTTPS)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0`
  for this module.

Usage
-----

You can use these in your terraform template with the following steps.
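
1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_web" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_https_only"
  security_group_name = "${var.security_group_name}-https"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

   The default `source_cidr_block` of `0.0.0.0/0` is intended for an
   Internet-facing ELB; pass a narrower list for internal listeners. Pin the
   module `source` to a tag or commit with `?ref=` so an upstream change cannot
   silently alter your rules.

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_https_only/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_https_only
//
//

// The `tags` variable is declared in variables.tf (default {}) but was never
// applied to the group; pass it through so callers who set it get tagged SGs.
resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
  tags = "${var.tags}"
}

// Allow TCP:443 (HTTPS).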
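// TCP:443 from var.source_cidr_block (defaults to 0.0.0.0/0). World-open is the
// intended posture for an Internet-facing ELB; this module deliberately has no
// ingress_any_any_self rule, so members cannot reach each other through it.
resource "aws_security_group_rule" "ingress_tcp_443_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 443
  to_port = 443
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_https_only/outputs.tf: --------------------------------------------------------------------------------
// Output ID of the sg_https_only SG we made. The output is still called
// security_group_id_web (not security_group_id like most sibling modules);
// renaming it would break existing callers.
output "security_group_id_web" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_https_only/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// Defaults to the whole Internet, which is the expected posture for an
// external ELB. Override it for internal HTTPS listeners.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach TCP 443. Defaults to 0.0.0.0/0 (Internet-facing)."
  default = ["0.0.0.0/0"]
  type = "list"
}

variable "tags" {
  description = "A map of tags to add to all resources"
  default = {}
}
-------------------------------------------------------------------------------- /sg_kafka/README.md: --------------------------------------------------------------------------------
sg_kafka terraform module
==============================

A Terraform security group module for Kafka


Ports
-----
- TCP 6667 (Kafka broker)
- TCP 9092 (Kafka broker)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.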
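- `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0`
  for this module. **Do not leave the default in place.** Kafka brokers accept
  unauthenticated plaintext connections unless the listeners are configured
  otherwise, so the default exposes produce/consume to the whole Internet.
  Pass the subnets of your producers, consumers and brokers.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_kafka" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_kafka"
  security_group_name = "${var.security_group_name}-kafka"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_kafka/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_kafka
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow (all ports/protocols between members of this
// SG). Attach the group to brokers only.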
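resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow TCP:6667 (Kafka broker 0.8.1.x) from var.source_cidr_block.
// Broker-to-broker traffic between members is already covered by
// ingress_any_any_self; this rule is for clients outside the SG. The variable
// defaults to 0.0.0.0/0 - see variables.tf.
resource "aws_security_group_rule" "ingress_tcp_6667_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 6667
  to_port = 6667
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}

// Allow TCP:9092 (Kafka broker 0.8.2+) from var.source_cidr_block. Same note
// as the 6667 rule.
resource "aws_security_group_rule" "ingress_tcp_9092_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 9092
  to_port = 9092
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_kafka/outputs.tf: --------------------------------------------------------------------------------
// Output ID of sg_kafka SG we made
output "security_group_id" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_kafka/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// SECURITY: the default exposes both broker ports to every IPv4 address, and
// Kafka listeners are unauthenticated plaintext unless configured otherwise.
// The default is kept for backward compatibility; callers must override it.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach the broker ports (6667, 9092). Defaults to 0.0.0.0/0 - override with client/broker subnets."
  default = ["0.0.0.0/0"]
  type = "list"
}
-------------------------------------------------------------------------------- /sg_ldap/README.md: --------------------------------------------------------------------------------
sg_ldap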
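terraform module
=======================

A terraform module which contains rules for an LDAP server, which
you can use with your service Terraform template.

Ports
-----
- TCP 636 (LDAPS)

Only the TLS port is opened; plaintext LDAP (389) is deliberately not exposed.


Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `rolodex_ldap`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block(s) allowed to reach TCP 636.
  Required: this module has no default, so `terraform plan` fails rather than
  opening the port to the world if it is omitted.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_ldap" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_ldap"
  security_group_name = "${var.security_group_name}-ldap"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_ldap/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_ldap
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow (all ports/protocols between members of this
// SG). Attach the group to the directory servers only.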
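resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow TCP:636 (LDAPS) from var.source_cidr_block. The variable has no
// default, so the caller must name the client subnets explicitly.
resource "aws_security_group_rule" "ingress_tcp_636_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 636
  to_port = 636
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_ldap/outputs.tf: --------------------------------------------------------------------------------
// Output ID of the sg_ldap SG we made (the output name differs from the
// `security_group_id` used by most sibling modules; kept for compatibility).
output "security_group_id_ldap" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_ldap/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// No default on purpose: omitting it fails the plan instead of opening 636 to
// the world.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach TCP 636 (required)"
  type = "list"
}
-------------------------------------------------------------------------------- /sg_ldaps_only/README.md: --------------------------------------------------------------------------------
sg_ldaps_only terraform module
==============================

A Terraform security group module for just LDAPS, useful for external
ELB instances.


Ports
-----
- TCP 636 (LDAPS)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g.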
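`bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0`
  for this module. The default is meant for an Internet-facing ELB; an
  internal directory listener should get the client subnets instead.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_ldaps" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_ldaps_only"
  security_group_name = "${var.security_group_name}-ldaps"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_ldaps_only/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_ldaps_only
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow TCP:636 (LDAPS) from var.source_cidr_block (defaults to 0.0.0.0/0).
// Unlike sg_ldap there is no ingress_any_any_self rule here: members of this
// group cannot reach each other through it, which is what an ELB-facing SG
// wants.
resource "aws_security_group_rule" "ingress_tcp_636_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 636
  to_port = 636
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_ldaps_only/outputs.tf: --------------------------------------------------------------------------------
// Output ID of sg_ldaps_only SG we made
output "security_group_id_ldaps_only" {
  value = "${aws_security_group.main_security_group.id}"
}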
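-------------------------------------------------------------------------------- /sg_ldaps_only/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// Defaults to the whole Internet, which is the expected posture for an
// external ELB. Override it for internal listeners.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach TCP 636. Defaults to 0.0.0.0/0 (Internet-facing)."
  default = ["0.0.0.0/0"]
  type = "list"
}
-------------------------------------------------------------------------------- /sg_memcached/README.md: --------------------------------------------------------------------------------
sg_memcached terraform module
=============================

A terraform module which contains rules for memcached, which
you can use with your service Terraform template.

Ports
-----
- TCP 11211 (memcached)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block(s) allowed to reach TCP 11211.
  Required (no default). memcached has no authentication, so this must be the
  subnets of the application servers only - never `0.0.0.0/0`.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_memcached" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_memcached"
  security_group_name = "${var.security_group_name}-memcached"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2.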
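Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_memcached/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_memcached
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow (all ports/protocols between members of this
// SG). Attach the group to the cache nodes only.
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow TCP:11211 (Memcached) from var.source_cidr_block. memcached has no
// authentication, and the variable has no default, so the caller must list the
// application subnets explicitly. Only TCP is opened; UDP 11211 stays closed.
resource "aws_security_group_rule" "ingress_tcp_11211_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 11211
  to_port = 11211
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_memcached/outputs.tf: --------------------------------------------------------------------------------
// Output ID of the sg_memcached SG we made (output name kept for compatibility).
output "security_group_id_memcached" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_memcached/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}
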
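// No default on purpose: omitting it fails the plan instead of opening 11211
// to the world.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach TCP 11211 (required)"
  type = "list"
}
-------------------------------------------------------------------------------- /sg_mysql/README.md: --------------------------------------------------------------------------------
sg_mysql terraform module
=======================

A terraform module which contains rules for MySQL, which
you can use with your service Terraform template.

Ports
-----
- TCP 3306 (mysql)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block(s) allowed to reach TCP 3306.
  Required (no default). Use the application subnets, not `0.0.0.0/0`; a
  database port reachable from the Internet is a brute-force target even with
  strong passwords.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_mysql" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_mysql"
  security_group_name = "${var.security_group_name}-mysql"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_mysql/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_mysql
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow (all ports/protocols between members of this
// SG). Attach the group to the database hosts only.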
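resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow TCP:3306 (MySQL) from var.source_cidr_block. The variable has no
// default, so the caller must name the application subnets explicitly.
resource "aws_security_group_rule" "ingress_tcp_3306_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 3306
  to_port = 3306
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_mysql/outputs.tf: --------------------------------------------------------------------------------
// Output ID of the sg_mysql SG we made (output name kept for compatibility).
output "security_group_id_mysql" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_mysql/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// No default on purpose: omitting it fails the plan instead of opening 3306
// to the world.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach TCP 3306 (required)"
  type = "list"
}
-------------------------------------------------------------------------------- /sg_nomad/README.md: --------------------------------------------------------------------------------
sg_nomad terraform module
==============================

A Terraform security group module for Nomad


Ports
-----

- TCP 4646 (HTTP)
- TCP 4647 (RPC)
- TCP 4648 (Serf)
- UDP 4648 (Serf)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g.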
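`bluffdale_nomad_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0`
  for this module. **Override it.** The Nomad HTTP API (4646) can submit and
  run jobs, so unless ACLs are enabled, leaving the default makes the cluster
  remotely controllable by anyone on the Internet; RPC and Serf (4647/4648)
  are cluster-internal and normally only need the Nomad subnets.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_nomad" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_nomad"
  security_group_name = "${var.security_group_name}-nomad"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_nomad/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_nomad
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow (all ports/protocols between members of this
// SG). This already covers server<->client RPC and Serf gossip between members;
// attach the group to Nomad servers and clients only.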
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow TCP:4646 (Nomad HTTP) from var.source_cidr_block.
// This is the API that submits and runs jobs. var.source_cidr_block defaults
// to 0.0.0.0/0 in variables.tf; with the default and no Nomad ACLs this is
// remote code execution for anyone on the Internet. Restrict it to operator
// and CI subnets.
resource "aws_security_group_rule" "ingress_tcp_4646_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 4646
  to_port = 4646
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}

// Allow TCP:4647 (Nomad RPC) from var.source_cidr_block.
// RPC between members is already allowed by ingress_any_any_self; this rule is
// only needed for Nomad agents outside this SG.
resource "aws_security_group_rule" "ingress_tcp_4647_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 4647
  to_port = 4647
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}

// Allow TCP:4648 (Serf) from var.source_cidr_block. Gossip between members is
// already covered by ingress_any_any_self.
resource "aws_security_group_rule" "ingress_tcp_4648_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 4648
  to_port = 4648
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}

// Allow UDP:4648 (Serf) from var.source_cidr_block. Same note as the TCP rule.
resource "aws_security_group_rule" "ingress_udp_4648_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 4648
  to_port = 4648
  protocol = "udp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_nomad/outputs.tf: --------------------------------------------------------------------------------
// Output ID of sg_nomad SG we made
output "security_group_id" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_nomad/variables.tf:
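--------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// SECURITY: the default exposes the Nomad HTTP API (4646) - which can submit
// jobs - plus RPC and Serf to every IPv4 address. Kept for backward
// compatibility; callers must override it with operator/agent subnets.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach the Nomad ports (4646, 4647, 4648). Defaults to 0.0.0.0/0 - override it."
  default = ["0.0.0.0/0"]
  type = "list"
}
-------------------------------------------------------------------------------- /sg_openvpn/README.md: --------------------------------------------------------------------------------
sg_openvpn terraform module
===========================

A terraform module which contains rules for an OpenVPN server, which
you can use with your service Terraform template.

Ports
-----
- UDP 1194 (OpenVPN)
- TCP 443 (OpenVPN over TCP/443, opened to `source_cidr_block`)
- TCP 943 (OpenVPN, members of this security group only - see `main.tf`)


Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `rolodex_openvpn`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block(s) allowed to reach UDP 1194 and
  TCP 443. Required (no default). For a VPN that road-warrior clients connect
  to this is usually `0.0.0.0/0`; state it explicitly.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_openvpn" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_openvpn"
  security_group_name = "${var.security_group_name}-openvpn"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2.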
Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_openvpn/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_openvpn
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow (all ports/protocols between members of this
// SG). Attach the group to the VPN servers only.
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow UDP:1194 (OpenVPN) from var.source_cidr_block (no default; the caller
// states who may connect).
resource "aws_security_group_rule" "ingress_udp_1194_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 1194
  to_port = 1194
  protocol = "udp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}

// Allow TCP:943 (OpenVPN) - but NOTE: despite the *_cidr name this rule uses
// `self = true`, so 943 is reachable only from other members of this SG, not
// from var.source_cidr_block. That is the tighter posture and is presumably
// intended (943 is commonly the OpenVPN Access Server web/admin UI - confirm
// against the deployment); renaming the resource would force a destroy/recreate,
// so the misleading name is left as-is.
resource "aws_security_group_rule" "ingress_tcp_943_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 943
  to_port = 943
  protocol = "tcp"
  self = true
  type = "ingress"
}

// Allow TCP:443 (OpenVPN) from var.source_cidr_block - the TCP fallback
// listener. Unlike 943 this one is genuinely a CIDR rule.
resource "aws_security_group_rule" "ingress_tcp_443_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 443
  to_port = 443
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_openvpn/outputs.tf:
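--------------------------------------------------------------------------------
// Output ID of sg_openvpn SG we made
output "security_group_id_openvpn" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_openvpn/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

// No default on purpose: the caller states who may reach UDP 1194 / TCP 443.
variable "source_cidr_block" {
  description = "The source CIDR block(s) allowed to reach UDP 1194 and TCP 443 (required)"
  type = "list"
}
-------------------------------------------------------------------------------- /sg_postgresql/README.md: --------------------------------------------------------------------------------
sg_postgresql terraform module
=======================

A terraform module which contains rules for PostgreSQL, which
you can use with your service Terraform template.

Ports
-----
- TCP 5432 (postgresql)

Input Variables
---------------

- `security_group_name` - The name for your security group.
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block(s) allowed to reach TCP 5432.
  Required (no default). Use the application subnets, never `0.0.0.0/0`.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

   Note the double slash in `source`: `tf_aws_sg//sg_postgresql` is Terraform's
   syntax for a subdirectory of a git repo. The single-slash form previously
   shown here does not resolve.

```
module "sg_postgresql" {
  source = "github.com/terraform-community-modules/tf_aws_sg//sg_postgresql"
  security_group_name = "${var.security_group_name}-postgresql"
  vpc_id = "${var.vpc_id}"
  source_cidr_block = ["${var.source_cidr_block}"]
}
```

2.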
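Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
-------------------------------------------------------------------------------- /sg_postgresql/main.tf: --------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_postgresql
//
//

resource "aws_security_group" "main_security_group" {
  name = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

// Allow any internal network flow (all ports/protocols between members of this
// SG). Attach the group to the database hosts only.
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 0
  to_port = 65535
  protocol = "-1"
  self = true
  type = "ingress"
}

// Allow TCP:5432 (PostgreSQL) from var.source_cidr_block. The variable has no
// default, so the caller must name the application subnets explicitly.
resource "aws_security_group_rule" "ingress_tcp_5432_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port = 5432
  to_port = 5432
  protocol = "tcp"
  cidr_blocks = "${var.source_cidr_block}"
  type = "ingress"
}
-------------------------------------------------------------------------------- /sg_postgresql/outputs.tf: --------------------------------------------------------------------------------
// Output ID of the sg_postgresql SG we made (output name kept for compatibility).
output "security_group_id_postgresql" {
  value = "${aws_security_group.main_security_group.id}"
}
-------------------------------------------------------------------------------- /sg_postgresql/variables.tf: --------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}
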
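variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  // List of CIDRs admitted to TCP 5432. Deliberately has no default so the
  // caller must decide who may reach the database.
  type = "list"
}
--------------------------------------------------------------------------------
/sg_redis/README.md:
--------------------------------------------------------------------------------
sg_redis terraform module
=======================

A terraform module which contains rules for Redis, which
you can use with your service Terraform template.

Ports
-----
- TCP 6379 (redis)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - List of source CIDR blocks allowed to reach TCP 6379.
  Redis is commonly run without authentication, so this list is effectively
  the access control; never use `0.0.0.0/0`.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_redis" {
  source              = "github.com/terraform-community-modules/tf_aws_sg//sg_redis"
  security_group_name = "${var.security_group_name}-redis"
  vpc_id              = "${var.vpc_id}"
  source_cidr_block   = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
--------------------------------------------------------------------------------
/sg_redis/main.tf:
--------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_redis
//
// One VPC security group that admits Redis client traffic (TCP 6379) from
// var.source_cidr_block and any traffic between members of the group.
// No egress rule is declared.
//

resource "aws_security_group" "main_security_group" {
  name        = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id      = "${var.vpc_id}"
}

// Allow any internal network flow.
// protocol "-1" covers every protocol (the port range is then ignored) and
// `self = true` limits the rule to instances carrying this group.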
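resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  self              = true
  type              = "ingress"
}

// Allow TCP:6379 (Redis)
// Redis is commonly deployed without authentication, so var.source_cidr_block
// is effectively the only access control on this port: keep it to the
// application subnets.
// NOTE(review): no egress rule is declared in this module; the
// aws_security_group resource strips the default allow-all egress rule from a
// new VPC group, so attach an egress rule or another group if these
// instances need outbound access. Confirm against your provider version.
resource "aws_security_group_rule" "ingress_tcp_6379_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 6379
  to_port           = 6379
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}
--------------------------------------------------------------------------------
/sg_redis/outputs.tf:
--------------------------------------------------------------------------------
// Output ID of sg_redis SG we made
output "security_group_id_redis" {
  value = "${aws_security_group.main_security_group.id}"
}
--------------------------------------------------------------------------------
/sg_redis/variables.tf:
--------------------------------------------------------------------------------
// Module specific variables
//
// All variables are required; there are no defaults.
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  // List of CIDRs admitted to TCP 6379.
  type = "list"
}
--------------------------------------------------------------------------------
/sg_ssh/README.md:
--------------------------------------------------------------------------------
sg_ssh terraform module
=======================

A terraform module which contains rules for SSH, which
you can use with your service Terraform template.

Ports
-----
- TCP 22 (SSH)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g.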
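`bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - List of source CIDR blocks allowed to reach TCP 22.
  Restrict this to your bastion hosts or office/VPN ranges; `0.0.0.0/0`
  exposes SSH to the whole Internet.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_ssh" {
  source              = "github.com/terraform-community-modules/tf_aws_sg//sg_ssh"
  security_group_name = "${var.security_group_name}-ssh"
  vpc_id              = "${var.vpc_id}"
  source_cidr_block   = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
--------------------------------------------------------------------------------
/sg_ssh/main.tf:
--------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_ssh
//
// One VPC security group with a single ingress rule: TCP 22 from
// var.source_cidr_block. Unlike the service modules it has no "self" rule and
// no egress rule, so it is meant to be attached alongside other groups.
//

resource "aws_security_group" "main_security_group" {
  name        = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id      = "${var.vpc_id}"
}

// Allow TCP:22 (SSH)
// The source list is the only control here; keep it to bastion or
// office/VPN ranges rather than 0.0.0.0/0.
resource "aws_security_group_rule" "ingress_tcp_22_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}
--------------------------------------------------------------------------------
/sg_ssh/outputs.tf:
--------------------------------------------------------------------------------
// Output ID of sg_ssh SG we made
output "security_group_id_ssh" {
  value = "${aws_security_group.main_security_group.id}"
}
--------------------------------------------------------------------------------
/sg_ssh/variables.tf:
--------------------------------------------------------------------------------
// Module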
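// specific variables
//
// All variables are required; there are no defaults.
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  // List of CIDRs admitted to TCP 22. No default on purpose.
  type = "list"
}
--------------------------------------------------------------------------------
/sg_storm/README.md:
--------------------------------------------------------------------------------
sg_storm terraform module
==============================

A Terraform security group module for an Apache Storm cluster.


Ports
-----
- TCP 6627 (default Nimbus port)
- TCP 8080 (Storm UI)
- TCP 6700, 6701, 6702, 6703 (default supervisor slot ports)

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_storm_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0`
  for this module. **Override this.** The default exposes the Nimbus port,
  the Storm UI and the supervisor ports to every IPv4 address; pass the
  CIDRs of the hosts that actually need to reach the cluster.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_storm" {
  source              = "github.com/terraform-community-modules/tf_aws_sg//sg_storm"
  security_group_name = "${var.security_group_name}-storm"
  vpc_id              = "${var.vpc_id}"
  source_cidr_block   = ["${var.source_cidr_block}"]
}
```

2.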
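Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
--------------------------------------------------------------------------------
/sg_storm/main.tf:
--------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_storm
//
// One VPC security group for an Apache Storm cluster: Nimbus (6627), the
// Storm UI (8080) and the supervisor slot ports (6700-6703) from
// var.source_cidr_block, plus any traffic between members of the group.
//
// SECURITY(review): variables.tf defaults var.source_cidr_block to
// 0.0.0.0/0, which makes every rule below Internet-reachable. These are
// administrative and worker interfaces; always override the default with
// the CIDRs of the hosts that need access.
//

resource "aws_security_group" "main_security_group" {
  name        = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id      = "${var.vpc_id}"
}

// Allow any internal network flow.
// protocol "-1" covers every protocol (the port range is then ignored) and
// `self = true` limits the rule to instances carrying this group. This is
// what lets Nimbus, supervisors and workers sharing the group talk freely.
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  self              = true
  type              = "ingress"
}

// Allow TCP:6627 (Nimbus)
// Topology submission/control port; should be reachable only from
// deployment hosts.
resource "aws_security_group_rule" "ingress_tcp_6627_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 6627
  to_port           = 6627
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:8080 (Storm UI)
// Web console; expose only to operator networks.
resource "aws_security_group_rule" "ingress_tcp_8080_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:6700-6703 (Supervisor)
// Worker slot ports. The resource is named after the top of the range for
// historical reasons; renaming it would force a destroy/recreate.
resource "aws_security_group_rule" "ingress_tcp_6703_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 6700
  to_port           = 6703
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}
--------------------------------------------------------------------------------
/sg_storm/outputs.tf: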
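--------------------------------------------------------------------------------
// Output ID of sg_storm SG we made
//
// NOTE(review): named `security_group_id`, unlike the `security_group_id_<svc>`
// outputs of most sibling modules. Kept as-is because renaming an output
// breaks existing callers.
output "security_group_id" {
  value = "${aws_security_group.main_security_group.id}"
}
--------------------------------------------------------------------------------
/sg_storm/variables.tf:
--------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  // SECURITY(review): this default opens the Nimbus port (6627), the Storm UI
  // (8080) and the supervisor slot ports (6700-6703) to every IPv4 address.
  // It is retained only for backward compatibility with existing callers;
  // always pass the CIDRs of the hosts that actually need access.
  default = ["0.0.0.0/0"]
  type    = "list"
}
--------------------------------------------------------------------------------
/sg_web/README.md:
--------------------------------------------------------------------------------
sg_web terraform module
=======================

A terraform module which contains rules for a common web application deployment, which
you can use with your service Terraform template.

Ports
-----
- TCP 80 (HTTP)
- TCP 443 (HTTPS)
- TCP 1099 (JMX)
- TCP 8080 (HTTP/S)

All four ports are opened to the same `source_cidr_block`. Because a web
tier's source is usually `0.0.0.0/0`, this also exposes the JMX port and the
alternate HTTP port to the Internet; put management ports in a separate,
restricted group if that is not what you want.

Input Variables
---------------

- `security_group_name` - The name for your security group, e.g. `bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - List of source CIDR blocks allowed to reach the ports above.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_web" {
  source              = "github.com/terraform-community-modules/tf_aws_sg//sg_web"
  security_group_name = "${var.security_group_name}-web"
  vpc_id              = "${var.vpc_id}"
  source_cidr_block   = ["${var.source_cidr_block}"]
}
```

2.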
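Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
--------------------------------------------------------------------------------
/sg_web/main.tf:
--------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_web
//
// One VPC security group for a web tier: TCP 80/443/1099/8080 from
// var.source_cidr_block, any traffic between members of the group, and
// unrestricted egress. This is the only module in the catalog that
// re-creates an egress rule.
//
// SECURITY(review): every ingress rule uses the same source list. If
// var.source_cidr_block is 0.0.0.0/0 (typical for a web tier) the JMX port
// and the alternate HTTP port are Internet-reachable as well; see the
// comments on those rules.
//

resource "aws_security_group" "main_security_group" {
  name        = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id      = "${var.vpc_id}"
}

// Allow any internal network flow.
// protocol "-1" covers every protocol (the port range is then ignored) and
// `self = true` limits the rule to instances carrying this group.
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  self              = true
  type              = "ingress"
}

// Allow egress all
// Re-creates the allow-all egress rule that the aws_security_group resource
// strips from a new VPC group. With protocol "-1" the 0/0 port pair means
// "all ports". Tighten this if the web tier should only reach known
// backends.
resource "aws_security_group_rule" "egress_all_all_all" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  type              = "egress"
}

// Allow TCP:80 (HTTP)
resource "aws_security_group_rule" "ingress_tcp_80_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:443 (HTTPS)
resource "aws_security_group_rule" "ingress_tcp_443_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:1099 (JMX)
// SECURITY(review): JMX/RMI is a management interface, yet this rule admits
// the same sources as the public HTTP/HTTPS rules. When
// var.source_cidr_block is 0.0.0.0/0 the JMX port is open to the Internet.
// Prefer a separate group restricted to management hosts, or drop this
// rule from Internet-facing groups.
resource "aws_security_group_rule" "ingress_tcp_1099_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 1099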
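to_port           = 1099
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:8080 (HTTP-ALT)
// Typically the application server behind the proxy. Admitting it from the
// same sources as port 80/443 lets clients bypass whatever the front end
// enforces; restrict it to the proxy tier if that matters.
resource "aws_security_group_rule" "ingress_tcp_8080_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}
--------------------------------------------------------------------------------
/sg_web/outputs.tf:
--------------------------------------------------------------------------------
// Output ID of sg_web SG we made
output "security_group_id_web" {
  value = "${aws_security_group.main_security_group.id}"
}
--------------------------------------------------------------------------------
/sg_web/variables.tf:
--------------------------------------------------------------------------------
// Module specific variables
//
// All variables are required; there are no defaults.
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  // List of CIDRs admitted to TCP 80, 443, 1099 and 8080 alike.
  type = "list"
}
--------------------------------------------------------------------------------
/sg_zipkin/README.md:
--------------------------------------------------------------------------------
sg_zipkin terraform module
==============================

A Terraform security group module for Zipkin.


Ports
-----
- TCP 9990 (zipkin admin port, collector)
- TCP 9901 (zipkin admin port, query)
- TCP 9991 (zipkin admin port, web)
- TCP 9411 (zipkin query port)
- TCP 8080 (zipkin web port)


Input Variables
---------------

- `security_group_name` - The name for your security group, e.g.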
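`bluffdale_web_stage1`
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - The source CIDR block, defaults to `0.0.0.0/0`
  for this module. **Override this.** The default exposes the three admin
  ports as well as the query and web ports to every IPv4 address; pass the
  CIDRs of the hosts that actually need to reach Zipkin.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_zipkin" {
  source              = "github.com/terraform-community-modules/tf_aws_sg//sg_zipkin"
  security_group_name = "${var.security_group_name}-zipkin"
  vpc_id              = "${var.vpc_id}"
  source_cidr_block   = ["${var.source_cidr_block}"]
}
```

2. Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
--------------------------------------------------------------------------------
/sg_zipkin/main.tf:
--------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_zipkin
//
// One VPC security group for Zipkin: admin ports 9990/9901/9991 and the
// query (9411) and web (8080) ports from var.source_cidr_block, plus any
// traffic between members of the group. No egress rule is declared.
//
// SECURITY(review): variables.tf defaults var.source_cidr_block to
// 0.0.0.0/0, so by default every port below, the admin ports included, is
// Internet-reachable. Always override the default.
//

resource "aws_security_group" "main_security_group" {
  name        = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id      = "${var.vpc_id}"
}

// Allow any internal network flow.
// protocol "-1" covers every protocol (the port range is then ignored) and
// `self = true` limits the rule to instances carrying this group.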
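resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  self              = true
  type              = "ingress"
}

// Allow TCP:9990 (Zipkin Admin port collector)
// Admin ports (9990, 9901, 9991) are operator interfaces; they should not
// share a source list with the client-facing ports unless that list is
// already limited to operator networks.
resource "aws_security_group_rule" "ingress_tcp_9990_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 9990
  to_port           = 9990
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:9901 (Zipkin Admin port query)
resource "aws_security_group_rule" "ingress_tcp_9901_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 9901
  to_port           = 9901
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:9991 (Zipkin Admin port web)
resource "aws_security_group_rule" "ingress_tcp_9991_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 9991
  to_port           = 9991
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:9411 (Zipkin query port)
// Port that instrumented services and the UI talk to.
resource "aws_security_group_rule" "ingress_tcp_9411_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 9411
  to_port           = 9411
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:8080 (Zipkin web port)
resource "aws_security_group_rule" "ingress_tcp_8080_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}
--------------------------------------------------------------------------------
/sg_zipkin/outputs.tf: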
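--------------------------------------------------------------------------------
// Output ID of sg_zipkin SG we made
//
// NOTE(review): named `security_group_id`, unlike the `security_group_id_<svc>`
// outputs of most sibling modules. Kept as-is because renaming an output
// breaks existing callers.
output "security_group_id" {
  value = "${aws_security_group.main_security_group.id}"
}
--------------------------------------------------------------------------------
/sg_zipkin/variables.tf:
--------------------------------------------------------------------------------
// Module specific variables
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  // SECURITY(review): this default opens the Zipkin admin ports
  // (9990/9901/9991) as well as 9411 and 8080 to every IPv4 address. It is
  // retained only for backward compatibility with existing callers; always
  // pass the CIDRs of the hosts that actually need access.
  default = ["0.0.0.0/0"]
  type    = "list"
}
--------------------------------------------------------------------------------
/sg_zookeeper/README.md:
--------------------------------------------------------------------------------
sg_zookeeper terraform module
=======================

A terraform module which contains rules for a ZooKeeper cluster.

Ports
-----
- TCP 2181 (client)
- TCP 2888 (peer)
- TCP 3888 (leader election)
- TCP 7199 (JMX we use for Zookeeper)

All four ports are opened to the same `source_cidr_block`. Peer, election
and JMX ports only need to be reachable by the ensemble and by management
hosts, so consider a separate group for them if clients live on wider
networks.

Input Variables
---------------

- `security_group_name` - The name for your security group.
- `vpc_id` - The VPC this security group should be created in.
- `source_cidr_block` - List of source CIDR blocks allowed to reach the ports above.

Usage
-----

You can use these in your terraform template with the following steps.

1. Adding a module resource to your template, e.g. `main.tf`

```
module "sg_zookeeper" {
  source              = "github.com/terraform-community-modules/tf_aws_sg//sg_zookeeper"
  security_group_name = "${var.security_group_name}-zookeeper"
  vpc_id              = "${var.vpc_id}"
  source_cidr_block   = ["${var.source_cidr_block}"]
}
```

2.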
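Setting values for the following variables, either through `terraform.tfvars` or `-var` arguments on the CLI

- security_group_name
- vpc_id
- source_cidr_block
--------------------------------------------------------------------------------
/sg_zookeeper/main.tf:
--------------------------------------------------------------------------------
//
// Module: tf_aws_sg/sg_zookeeper
//
// One VPC security group for a ZooKeeper ensemble: client (2181), peer
// (2888), leader-election (3888) and JMX (7199) ports from
// var.source_cidr_block, plus any traffic between members of the group.
// No egress rule is declared.
//
// Ensemble members sharing this group already reach each other through the
// "self" rule, so the CIDR rules for 2888/3888/7199 only matter for hosts
// outside the group; keep var.source_cidr_block narrow.
//

resource "aws_security_group" "main_security_group" {
  name        = "${var.security_group_name}"
  description = "tf-sg-${var.security_group_name}"
  vpc_id      = "${var.vpc_id}"
}

// Allow any internal network flow.
// protocol "-1" covers every protocol (the port range is then ignored) and
// `self = true` limits the rule to instances carrying this group.
resource "aws_security_group_rule" "ingress_any_any_self" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  self              = true
  type              = "ingress"
}

// Allow TCP:2181 (Zookeeper)
// Client port.
resource "aws_security_group_rule" "ingress_tcp_2181_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 2181
  to_port           = 2181
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:2888 (Zookeeper)
// Peer (follower-to-leader) port.
resource "aws_security_group_rule" "ingress_tcp_2888_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 2888
  to_port           = 2888
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:7199 (JMX)
// SECURITY(review): JMX/RMI is a management interface; it is admitted from
// the same sources as the client port. Restrict var.source_cidr_block to
// management and client subnets, or carry JMX in a separate group.
resource "aws_security_group_rule" "ingress_tcp_7199_cidr" {
  security_group_id = "${aws_security_group.main_security_group.id}"
  from_port         = 7199
  to_port           = 7199
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}

// Allow TCP:3888 (Zookeeper)
// Leader-election port.
resource "aws_security_group_rule" "ingress_tcp_3888_cidr" {
  security_group_id =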
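"${aws_security_group.main_security_group.id}"
  from_port         = 3888
  to_port           = 3888
  protocol          = "tcp"
  cidr_blocks       = "${var.source_cidr_block}"
  type              = "ingress"
}
--------------------------------------------------------------------------------
/sg_zookeeper/outputs.tf:
--------------------------------------------------------------------------------
// Output ID of sg_zookeeper SG we made
//
// NOTE(review): named `security_group_id`, unlike the `security_group_id_<svc>`
// outputs of most sibling modules. Kept as-is because renaming an output
// breaks existing callers.
output "security_group_id" {
  value = "${aws_security_group.main_security_group.id}"
}
--------------------------------------------------------------------------------
/sg_zookeeper/variables.tf:
--------------------------------------------------------------------------------
// Module specific variables
//
// All variables are required; there are no defaults.
variable "security_group_name" {
  description = "The name for the security group"
}

variable "vpc_id" {
  description = "The VPC this security group will go in"
}

variable "source_cidr_block" {
  description = "The source CIDR block to allow traffic from"
  // List of CIDRs admitted to TCP 2181, 2888, 3888 and 7199 alike.
  type = "list"
}
--------------------------------------------------------------------------------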