NEW: Initial commit

Terraform modules for AWS Zonal Shift demo

modules/security_group/README.md

@@ -0,0 +1,43 @@
+<!-- This readme file is generated with terraform-docs -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_security_group_egress_rule.egress-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.ingress-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_default_tags.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| description | Description of SG | `string` | n/a | yes |
+| egress | Map of string where each string is a comma-separated Egress SG rule. For example r1 = "-1,-1,-1,0.0.0.0/0,Allow All" | `map(string)` | n/a | yes |
+| ingress | Map of string where each string is a comma-separated Ingress SG rule. For example r1 = "-1,-1,-1,0.0.0.0/0,Allow All" | `map(string)` | n/a | yes |
+| name | Name of SG | `string` | n/a | yes |
+| vpc-id | ID of VPC | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| id | n/a |
+
+---
+## Authorship
+This module was developed by xpk.

modules/security_group/example/main.tf

@@ -0,0 +1,32 @@
+module "example-sg" {
+  source      = "../"
+  name        = "bastion-sg"
+  description = "SG of EC2 bastion instances"
+  vpc-id      = "vpc-12345678"
+  ingress = {
+    r1 = "tcp,4750,4750,1.2.3.4/32,Patch Management Tool"
+    r2 = "tcp,22,22,1.2.3.4/32,Patch Management Tool"
+    r3 = "tcp,52311,52311,${aws_ec2_managed_prefix_list.example.id},BigFix server to client"
+  }
+  egress = {
+    r1 = "-1,-1,-1,0.0.0.0/0,Allow Ingress from all"
+  }
+}
+
+
+resource "aws_ec2_managed_prefix_list" "example" {
+  name           = "Omprem subnets"
+  address_family = "IPv4"
+  max_entries    = 5
+
+  dynamic "entry" {
+    for_each = toset([
+      "192.168.99.0/24",
+      "192.168.100.0/24"
+    ])
+    content {
+      cidr        = entry.value
+      description = "Onprem management subnets"
+    }
+  }
+}

modules/security_group/main.tf

@@ -0,0 +1,39 @@
+data "aws_default_tags" "this" {
+  lifecycle {
+    postcondition {
+      condition     = length(self.tags) >= 1
+      error_message = "Validation failed: Provider default_tags not set."
+    }
+  }
+}
+
+resource "aws_security_group" "sg" {
+  name        = var.name
+  description = var.description
+  vpc_id      = var.vpc-id
+  tags        = { Name = var.name }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ingress-rules" {
+  for_each                     = var.ingress
+  security_group_id            = aws_security_group.sg.id
+  ip_protocol                  = split(",", each.value)[0]
+  from_port                    = split(",", each.value)[1]
+  to_port                      = split(",", each.value)[2]
+  cidr_ipv4                    = substr(split(",", each.value)[3], 2, 1) != "-" ? split(",", each.value)[3] : null
+  referenced_security_group_id = substr(split(",", each.value)[3], 0, 2) == "sg" ? split(",", each.value)[3] : null
+  prefix_list_id               = substr(split(",", each.value)[3], 0, 2) == "pl" ? split(",", each.value)[3] : null
+  description                  = split(",", each.value)[4]
+}
+
+resource "aws_vpc_security_group_egress_rule" "egress-rules" {
+  for_each                     = var.egress
+  security_group_id            = aws_security_group.sg.id
+  ip_protocol                  = split(",", each.value)[0]
+  from_port                    = split(",", each.value)[1]
+  to_port                      = split(",", each.value)[2]
+  cidr_ipv4                    = substr(split(",", each.value)[3], 2, 1) != "-" ? split(",", each.value)[3] : null
+  referenced_security_group_id = substr(split(",", each.value)[3], 0, 2) == "sg" ? split(",", each.value)[3] : null
+  prefix_list_id               = substr(split(",", each.value)[3], 0, 2) == "pl" ? split(",", each.value)[3] : null
+  description                  = split(",", each.value)[4]
+}

modules/security_group/outputs.tf

@@ -0,0 +1,3 @@
+output id {
+  value = aws_security_group.sg.id
+}

modules/security_group/variables.tf

@@ -0,0 +1,20 @@
+variable "name" {
+  description = "Name of SG"
+  type        = string
+}
+variable "description" {
+  description = "Description of SG"
+  type        = string
+}
+variable "vpc-id" {
+  description = "ID of VPC"
+  type        = string
+}
+variable "ingress" {
+  description = "Map of string where each string is a comma-separated Ingress SG rule. For example r1 = \"-1,-1,-1,0.0.0.0/0,Allow All\""
+  type        = map(string)
+}
+variable "egress" {
+  description = "Map of string where each string is a comma-separated Egress SG rule. For example r1 = \"-1,-1,-1,0.0.0.0/0,Allow All\""
+  type        = map(string)
+}