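├── CHANGELOG.md
├── outputs.tf
├── LICENSE
├── Readme.md
├── variables.tf
└── main.tf

/CHANGELOG.md:
--------------------------------------------------------------------------------
# cidr-house-rules-terraform-nat-gateway Terraform module CHANGELOG

This file is used to list changes made in each version of the cidr-house-rules-terraform-nat-gateway terraform module.

## v0.0.1 (2018-03-15)
- [Zane Williamson] Initial open-source version

--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
# IDs of the three security groups this module creates (one per protocol).
# Attach only the group(s) a workload actually needs; each one admits the
# team's NAT gateway CIDRs for its protocol.

output "cidr_house_rules_sg_security_group_id_tcp" {
  description = "ID of the security group allowing the configured TCP port range from the team's NAT gateways"
  value       = "${aws_security_group.chr_sg_security_group_tcp.id}"
}

output "cidr_house_rules_sg_security_group_id_udp" {
  description = "ID of the security group allowing the configured UDP port range from the team's NAT gateways"
  value       = "${aws_security_group.chr_sg_security_group_udp.id}"
}

output "cidr_house_rules_sg_security_group_id_icmp" {
  description = "ID of the security group allowing all ICMP from the team's NAT gateways"
  value       = "${aws_security_group.chr_sg_security_group_icmp.id}"
}

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Trulia

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.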

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
cidr-house-rules-terraform-nat-gateway Terraform module
===========

This module whitelists an entire team's NAT gateway IPs by looking them up in the cidr-house-rules API and creating security groups (TCP, UDP and ICMP) that admit those CIDRs.


Module Input Variables
----------------------

- `team_to_whitelist` A team tracked by the cidr-house-rules system; its NAT gateway CIDRs become the ingress sources (required)
- `from_port` First port of the inbound TCP/UDP range to allow (default `0`)
- `to_port` Last port of the inbound TCP/UDP range to allow (default `65535`; together with the `from_port` default this opens every port, so set both explicitly)
- `vpc_id` VPC to create the security groups in
- `cidr_house_rules_endpoint` The API endpoint for cidr-house-rules, required! Use an https URL, since the API key is sent as a request header. Example: https://mycidr-house-rules-deploy.mydomain.com/prod/
- `cidr_house_api_key` AWS API Gateway API key for cidr-house-rules access, required! This is a secret: supply it via `TF_VAR_cidr_house_api_key` or a secrets-backed variable rather than committing it, and note that it is recorded in Terraform state.
- `product` The product this security group is supporting
- `environment` The environment this security group is supporting, e.g.
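dev, stage, or prod

Security notes
--------------

- The NAT gateway CIDRs are fetched from the cidr-house-rules API at plan time and written into the ingress rules as returned. Whoever controls that endpoint, or holds its API key, therefore controls what this module whitelists: serve the API over https, restrict who can obtain the key, and review `terraform plan` output before applying.
- `cidr_house_api_key` is sent as a request header by the `http` data source, which records its request in Terraform state. Treat the state file as a secret.
- `from_port`/`to_port` default to `0`–`65535`. Always set them to the port range the product actually needs.
- Three security groups are always created (TCP, UDP, ICMP). Each has an unrestricted egress rule (all protocols to `0.0.0.0/0` for TCP/UDP, all ICMP to `0.0.0.0/0` for ICMP); attach only the groups you need.

Usage
-----

```
module "platform-team-access" {
  source                    = "https://github.com/trulia/cidr-house-rules-terraform-nat-gateway-sg.git"
  team_to_whitelist         = "platform-team"
  from_port                 = "443"
  to_port                   = "443"
  vpc_id                    = "vpc-1233455"
  product                   = "platform"
  environment               = "prod"
  cidr_house_rules_endpoint = "https://mycidr-house-rules-deploy.mydomain.com/prod/"
  cidr_house_api_key        = "${var.cidr_house_api_key}" # pass via TF_VAR_cidr_house_api_key, never commit it
}
```

Outputs
=======

- `cidr_house_rules_sg_security_group_id_tcp` - ID of the TCP security group created
- `cidr_house_rules_sg_security_group_id_udp` - ID of the UDP security group created
- `cidr_house_rules_sg_security_group_id_icmp` - ID of the ICMP security group created

--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
# Looks up the comma-separated list of NAT gateway CIDRs for the team.
# The response body is trusted as-is and becomes the ingress source list in
# main.tf, so the endpoint and its API key are part of this module's trust
# boundary: use an https endpoint (the key travels in a request header).
data "http" "vpc-nat-gateway-api" {
  # A trailing "/" on the endpoint is dropped so the README example
  # (".../prod/") does not produce a "//" in the path; the team name is
  # URL-encoded because it is interpolated into the query string.
  url = "${replace(var.cidr_house_rules_endpoint, "/\\/+$/", "")}/get_nat_gateways_for_team?team=${urlencode(var.team_to_whitelist)}"

  request_headers {
    # NOTE: the http data source keeps its request headers in Terraform
    # state, so the API key ends up in the state file. Protect the state.
    "X-Api-Key" = "${var.cidr_house_api_key}"
  }
}

locals {
  # Normalised CIDR list shared by all three security groups: surrounding
  # whitespace (e.g. a trailing newline) stripped, empty entries dropped,
  # duplicates removed. No format validation is possible here; a malformed
  # or hostile response surfaces as an AWS error, or as an unintended rule,
  # at apply time, which is why the plan must be reviewed.
  nat_gateway_cidrs = "${distinct(compact(split(",", trimspace(data.http.vpc-nat-gateway-api.body))))}"
}

variable "from_port" {
  type        = "string"
  description = "First port of the inbound TCP/UDP range to allow. Defaults to 0, which together with the to_port default opens every port; set it explicitly."
  default     = "0"
}

variable "to_port" {
  type        = "string"
  description = "Last port of the inbound TCP/UDP range to allow. Defaults to 65535; set it explicitly."
  default     = "65535"
}

variable "vpc_id" {
  type        = "string"
  description = "The VPC ID to place the security groups in. Leaving it empty lets AWS choose (presumably the default VPC); set it explicitly."
  default     = ""
}

variable "product" {
  type        = "string"
  description = "The product this security group is supporting (used in the security group name)"
  default     = "unknown"
}

variable "environment" {
  type        = "string"
  description = "The environment this security group is supporting, e.g. dev, stage, or prod (used in the security group name)"
  default     = "unknown"
}

variable "team_to_whitelist" {
  type        = "string"
  description = "The team to whitelist; should correlate to a team/AWS account managed by cidr-house-rules. Its NAT gateway CIDRs become the ingress sources."
}

variable "cidr_house_api_key" {
  type        = "string"
  description = "AWS API Gateway API key for cidr-house-rules access. Secret: pass via TF_VAR_cidr_house_api_key or a secrets-backed variable; it is recorded in Terraform state."
}

variable "cidr_house_rules_endpoint" {
  type        = "string"
  description = "The API endpoint for cidr-house-rules, required! Use https. Example: https://mycidr-house-rules-deploy.mydomain.com/prod/"
}

--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
# Three security groups, one per protocol, each admitting the team's NAT
# gateway CIDRs (local.nat_gateway_cidrs). name and description are kept
# byte-for-byte as originally written: changing either forces the security
# group to be replaced, which would detach it from everything using it.

resource "aws_security_group" "chr_sg_security_group_tcp" {
  name        = "ng-sg-${var.team_to_whitelist}-${var.product}-${var.environment}-tcp"
  description = "Nat gateway whitelist for ${var.team_to_whitelist} tcp"
  vpc_id      = "${var.vpc_id}"

  # Inbound: the requested TCP port range from the team's NAT gateways only.
  ingress {
    from_port   = "${var.from_port}"
    to_port     = "${var.to_port}"
    protocol    = "tcp"
    cidr_blocks = ["${local.nat_gateway_cidrs}"]
  }

  # Outbound: unrestricted (all protocols, anywhere). Kept for compatibility;
  # tighten with a narrower rule if the workload allows.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "chr_sg_security_group_udp" {
  name        = "ng-sg-${var.team_to_whitelist}-${var.product}-${var.environment}-udp"
  # The trailing space in this description is deliberate: it matches the
  # original value, and description changes force replacement of the group.
  description = "Nat gateway whitelist for ${var.team_to_whitelist} udp "
  vpc_id      = "${var.vpc_id}"

  # Inbound: the requested UDP port range from the team's NAT gateways only.
  ingress {
    from_port   = "${var.from_port}"
    to_port     = "${var.to_port}"
    protocol    = "udp"
    cidr_blocks = ["${local.nat_gateway_cidrs}"]
  }

  # Outbound: unrestricted (all protocols, anywhere). Kept for compatibility.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "chr_sg_security_group_icmp" {
  name        = "ng-sg-${var.team_to_whitelist}-${var.product}-${var.environment}-icmp"
  description = "Nat gateway whitelist for ${var.team_to_whitelist} icmp"
  vpc_id      = "${var.vpc_id}"

  # Inbound: every ICMP type/code (-1/-1) from the team's NAT gateways only.
  # from_port/to_port are ignored for this group.
  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["${local.nat_gateway_cidrs}"]
  }

  # Outbound: every ICMP type/code to anywhere. Kept for compatibility.
  egress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

--------------------------------------------------------------------------------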