initial commit

modules/compute/security-groups/README.md

@@ -0,0 +1,52 @@
+# security-groups-gen2
+This module create security groups from a map
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| tags | tags | List | n/a | yes |
+| vpc-id | VPC id | string | n/a | yes |
+| security-groups | See example below | map | n/a | yes |
+
+### security-groups input
+Below is a sample security-groups map this module ingests. The rule list needs to have
+the id column to prevent list from being randomly sorted.
+
+```hcl
+module "headdesk-sg" {
+  source = "../../modules/compute/security-groups"
+
+  security-groups = [
+    {
+      name        = "WebAccess"
+      description = "Public web access"
+      rules = [
+        [1, "tcp", "0.0.0.0/0", "80", "80", "ingress", "web"],
+        [2, "tcp", "0.0.0.0/0", "443", "443", "ingress", "web"],
+        [3, "tcp", "0.0.0.0/0", "25", "25", "ingress", "mail"],
+        [4, "tcp", "0.0.0.0/0", "587", "587", "ingress", "mail"],
+        [5, "tcp", "0.0.0.0/0", "11993", "11993", "ingress", "mail"],
+        [6, "-1", "0.0.0.0/0", "0", "0", "egress", "Allow outbound traffic"],
+        [7, "tcp", "0.0.0.0/0", "2201", "2201", "ingress", "ssh"]
+      ]
+    },
+    {
+      name        = "MgmtAccess"
+      description = "Allow management access"
+      rules = [
+        [1, "tcp", "223.18.148.85/32", "22", "22", "ingress", "xpk"]
+      ]
+    }
+  ]
+  tags   = local.default-tags
+  vpc-id = module.vpc-subnet.vpc_id
+}
+```
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| sg-id-name | A map of SG id and their names |
+

modules/compute/security-groups/main.tf

@@ -0,0 +1,45 @@
+resource "aws_security_group" "sg" {
+  count       = length(var.security-groups)
+  name        = var.security-groups[count.index].name
+  description = var.security-groups[count.index].description
+  vpc_id      = var.vpc-id
+  tags =  { Name = var.security-groups[count.index].name }
+}
+
+// see https://www.terraform.io/docs/configuration/functions/flatten.html
+
+locals {
+  rules = flatten([
+    for sg_key, sg in var.security-groups : [
+      for rule_key, rule in sg.rules : {
+        sg_key      = trimspace(sg.name)
+        rule_key    = rule[0]
+        sg_name     = sg.name
+        protocol    = rule[1]
+        cidr_blocks = rule[2]
+        from_port   = rule[3]
+        to_port     = rule[4]
+        type        = rule[5]
+        description = rule[6]
+      }
+    ]
+  ])
+
+
+}
+
+resource "aws_security_group_rule" "rules" {
+  for_each = {
+    for rule in local.rules : "${rule.sg_key}.${rule.rule_key}" => rule
+  }
+
+  security_group_id = matchkeys(aws_security_group.sg.*.id, aws_security_group.sg.*.name, [each.value.sg_name])[0]
+  protocol          = each.value.protocol
+  source_security_group_id = substr(each.value.cidr_blocks,0,2) == "sg" ? each.value.cidr_blocks : null
+  cidr_blocks       = substr(each.value.cidr_blocks,0,2) != "sg" ? [each.value.cidr_blocks] : null
+  from_port         = each.value.from_port
+  to_port           = each.value.to_port
+  type              = each.value.type
+  description       = "${each.value.description} (${each.value.sg_name}.${each.value.rule_key})"
+}
+

modules/compute/security-groups/outputs.tf

@@ -0,0 +1,14 @@
+/*
+output sg-id-name {
+  value = [
+  for id, name in zipmap(
+  sort(aws_security_group.sg.*.id),
+  sort(aws_security_group.sg.*.name)) :
+  tomap(id, name)
+  ]
+}
+*/
+
+output sg-ids {
+  value = aws_security_group.sg.*.id
+}

modules/compute/security-groups/variables.tf

@@ -0,0 +1,3 @@
+variable security-groups {}
+variable vpc-id {}
+variable tags {}