Terraform module for AWS security groups, written with real service operations in mind.
The module has the following characteristics:
- You can provision multiple security groups and rules at one time.
- An individual `identifier` is entered into each security group, ingress rule and egress rule so that `lifecycle { create_before_destroy = true }` can be applied to each of them.
- There is a caveat when using `cidr_blocks`, `ipv6_cidr_blocks` and `prefix_list_ids` in `aws_security_group_rule`. If there is a change in `cidr_blocks`, the `aws_security_group_rule` itself is replaced (deleted and created), not just the changed element. This can cause an issue in service operation. Therefore, one `aws_security_group_rule` is created per item of `cidr_blocks` (the same applies to `ipv6_cidr_blocks` and `prefix_list_ids`).
If `var.security_groups` is too long, consider writing it in a YAML or JSON file and loading it with `yamldecode()` or `jsondecode()`.
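As an added example (not part of the module's documentation), this is one way to keep `security_groups` in YAML and feed it to the module. The YAML is embedded in a heredoc here so the snippet is self-contained; in practice you would read it with `file()` from a path of your choosing. The VPC id and CIDR are placeholders taken from the usage example further down.

```hcl
# Added example, not the module's own code. The YAML content is constructed
# from the first security group of the usage example below.
locals {
  security_groups_yaml = <<-EOT
    - identifier: ec2-bastion
      description: the security group for bastion host
      ingresses:
        - identifier: ssh-public
          description: SSH connection
          from_port: "22"
          to_port: "22"
          protocol: tcp
          cidr_blocks:
            - 1.2.3.4/32
  EOT

  # In a real layout, replace the heredoc with:
  #   yamldecode(file("${path.module}/security_groups.yaml"))
  security_groups = yamldecode(local.security_groups_yaml)
}

module "security_group" {
  source = "github.com/Yunsang-Jeong/terraform-aws-securitygroup"

  vpc_id          = "vpc-000000000000" # placeholder
  security_groups = local.security_groups
}
```

Because `yamldecode()` returns plain lists and maps, the keys in the YAML must match the attribute names the module expects (`identifier`, `ingresses`, `cidr_blocks`, and so on); a misspelled key surfaces as a type error at plan time rather than as a silently missing rule.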
The contents below are generated by terraform-docs.
| Name | Version |
|---|---|
| terraform | >= 1.6.0 |
| aws | >= 5.0.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| global_additional_tag | Additional tags for all resources. | `map(string)` | `{}` | no |
| name_prefix | The name prefix of all resources. | `string` | `"tf-poc"` | no |
| security_groups | The security group information | `list(object({` | `[]` | no |
| vpc_id | The id of the VPC where you want to place the security groups | `string` | n/a | yes |
| Name | Description |
|---|---|
| security_group_ids | The map of security group ids, keyed by identifier. |
```hcl
module "security_group" {
  source = "github.com/Yunsang-Jeong/terraform-aws-securitygroup"
  vpc_id = "vpc-000000000000"

  security_groups = [
    {
      identifier  = "ec2-bastion"
      description = "the security group for bastion host"
      ingresses = [
        {
          identifier  = "ssh-public"
          description = "SSH connection"
          from_port   = "22"
          to_port     = "22"
          protocol    = "tcp"
          cidr_blocks = ["1.2.3.4/32"]
        }
      ]
    },
    {
      identifier  = "elb-web"
      description = "the security group for web-elb"
      ingresses = [
        {
          identifier  = "web"
          description = "Web service"
          from_port   = "443"
          to_port     = "443"
          protocol    = "tcp"
          cidr_blocks = ["0.0.0.0/0"]
        }
      ]
      egresses = [
        {
          identifier                            = "health-check-to-web"
          description                           = "Health check"
          from_port                             = "80"
          to_port                               = "80"
          protocol                              = "tcp"
          destination_security_group_identifier = "ec2-web"
        }
      ]
    },
    {
      identifier  = "ec2-web"
      description = "the security group for web-elb"
      ingresses = [
        {
          identifier                       = "srv-web-elb"
          description                      = "Connection from elb"
          from_port                        = "80"
          to_port                          = "80"
          protocol                         = "tcp"
          source_security_group_identifier = "elb-web"
        },
        {
          identifier                       = "ssh-from-bastion"
          description                      = "Connection from bastion"
          from_port                        = "22"
          to_port                          = "22"
          protocol                         = "tcp"
          source_security_group_identifier = "ec2-bastion"
        }
      ]
    },
    {
      identifier  = "vpc-endpoint"
      description = "the security group for vpc-endpoint"
      ingresses = [
        {
          identifier  = "https-itself"
          description = "itself"
          from_port   = "443"
          to_port     = "443"
          protocol    = "tcp"
          self        = true
        }
      ]
    }
  ]
}
```