Creates a security group with the option to add rules for internal IBM Cloud flows

terraform-ibm-modules/terraform-ibm-security-group

IBM Security Group for VPC module

This module supports most operations on security groups for VPC. For more information, see About security groups in the IBM Cloud Docs.

The module supports the following scenarios:

  • Create a security group in a VPC
  • Create security group rules for a new or existing security group
  • Create pre-defined security group rules that cover the range of IBM Cloud internal CIDRs (service endpoints and IaaS endpoints)
  • Attach a security group to one or more existing targets in the VPC (for example, VSI network interface, VPC load balancer, Virtual Private Endpoint gateways, VPC VPN servers)

See the examples section for code that illustrates these scenarios.

Usage

```hcl
module "create_sgr_rule" {
  source                       = "terraform-ibm-modules/security-group/ibm"
  version                      = "latest" # Replace "latest" with a release version to lock into a specific release
  add_ibm_cloud_internal_rules = true
  security_group_name          = "test-sg"
  security_group_rules = [{
    name      = "allow-all-inbound"
    direction = "inbound"
    remote    = "0.0.0.0/0"
  }]
  target_ids = ["r006-37e5b107-3006-480b-a340-bb1951357a73"]
}
```
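The usage block above opens every inbound port to 0.0.0.0/0, which is convenient for a smoke test but not what you want on a real workload. The following is an added example (it is not part of the module's README) that scopes each rule to one protocol and port range using the tcp, udp and icmp objects from the security_group_rules type, and lets the module add the IBM Cloud internal CIDRs through add_ibm_cloud_internal_rules instead of hand-maintaining those ranges. The VPC ID and both CIDRs are placeholders supplied as variables; the sample defaults are constructed values.

```hcl
# Added example: least-privilege rule set for the security group module.
# vpc_id, admin_cidr and resolver_cidr are assumptions (placeholders), not
# values from the module's documentation.

variable "vpc_id" {
  description = "ID of the VPC that will own the security group (placeholder)"
  type        = string
}

variable "admin_cidr" {
  description = "Network allowed to reach the instances over HTTPS and ICMP echo"
  type        = string
  default     = "10.10.0.0/24" # constructed sample value
}

variable "resolver_cidr" {
  description = "Network hosting the DNS resolvers the instances may query"
  type        = string
  default     = "10.0.53.0/24" # constructed sample value
}

module "app_sg" {
  source  = "terraform-ibm-modules/security-group/ibm"
  version = "latest" # Replace "latest" with a release version to lock into a specific release

  vpc_id              = var.vpc_id
  security_group_name = "app-sg"

  # The module adds the rules for the IBM Cloud internal CIDRs (service and
  # IaaS endpoints); no need to track those ranges by hand.
  add_ibm_cloud_internal_rules = true

  security_group_rules = [
    {
      # Inbound HTTPS only from the administrative network, not 0.0.0.0/0.
      name      = "allow-https-from-admin"
      direction = "inbound"
      remote    = var.admin_cidr
      tcp = {
        port_min = 443
        port_max = 443
      }
    },
    {
      # ICMP echo request (type 8, code 0) from the same network, for
      # reachability checks only; no other ICMP types are permitted.
      name      = "allow-icmp-echo-from-admin"
      direction = "inbound"
      remote    = var.admin_cidr
      icmp = {
        type = 8
        code = 0
      }
    },
    {
      # Outbound DNS over UDP to the resolver network. direction must be set
      # explicitly here because the rule type defaults it to "inbound".
      name      = "allow-dns-udp-outbound"
      direction = "outbound"
      remote    = var.resolver_cidr
      udp = {
        port_min = 53
        port_max = 53
      }
    }
  ]
}
```

Every key in the rule objects comes from the module's security_group_rules type; a rule that sets none of tcp, udp or icmp matches all protocols, which is why each rule here names exactly one.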

Required IAM access policies

You need the following permissions to run this module.

  • IAM services
    • VPC Infrastructure services
      • Editor platform access

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| ibm | >= 1.59.0, < 2.0.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| ibm_is_security_group.sg | resource |
| ibm_is_security_group_rule.security_group_rule | resource |
| ibm_is_security_group_target.sg_target | resource |
| ibm_is_security_group.existing_sg | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_tags | A list of access management tags to attach to the security group. For more information, see working with tags. | list(string) | [] | no |
| add_ibm_cloud_internal_rules | Add the IBM Cloud internal rules to the provided security group rules. | bool | false | no |
| existing_security_group_id | ID of an existing security group. Mutually exclusive with existing_security_group_name. If set, rules are added to the specified security group. | string | null | no |
| existing_security_group_name | Name of an existing security group. Mutually exclusive with existing_security_group_id. If set, rules are added to the specified security group. | string | null | no |
| resource_group | An existing resource group name to use for this example; if unset, a new resource group is created. | string | null | no |
| security_group_name | Name of the security group to be created. | string | "test-sg" | no |
| security_group_rules | A list of security group rules to be added to the default VPC security group. | list(object) (full type below) | [] | no |
| tags | List of resource tags to apply to the security group created by this module. | list(string) | [] | no |
| target_ids | (Optional) A list of target identifiers from the same VPC as the security group. It may contain one or more of the following identifiers: network interface, application load balancer, endpoint gateway, and VPN server. | list(string) | [] | no |
| use_existing_security_group | If set, the module modifies the existing security group named in existing_security_group_name. | bool | false | no |
| use_existing_security_group_id | If set, the module modifies the existing security group identified by existing_security_group_id. | bool | false | no |
| vpc_id | ID of the VPC in which to create the security group. Required only if existing_security_group_name is null. | string | null | no |

Type of security_group_rules:

```hcl
list(
  object({
    name      = string
    direction = optional(string, "inbound")
    remote    = string
    tcp = optional(
      object({
        port_max = optional(number)
        port_min = optional(number)
      })
    )
    udp = optional(
      object({
        port_max = optional(number)
        port_min = optional(number)
      })
    )
    icmp = optional(
      object({
        type = optional(number)
        code = optional(number)
      })
    )
  })
)
```

Outputs

| Name | Description |
|------|-------------|
| security_group_id | The ID of the security group where the rules are added. NOTE: This value is not available until the rules are applied, and it cannot be referenced as a remote in a rule supplied to the same module block. If you need the ID inside a rule you are supplying, use the security_group_id_for_ref output instead. |
| security_group_id_for_ref | The ID of the security group, usable as a remote reference in rules. NOTE: This value is available as soon as the security group is created and before any rules are applied, so it can be referenced as a remote in the security_group_rules input variable itself. If you require that all rules are applied first, use the security_group_id output instead. |
| security_group_rule | Security group rules created by the module |
| security_target | Resources added to the security group |
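The two ID outputs differ only in when they become available, which matters for ordering. The following added example (not from the module's README) uses both: the first module block allows members of the group to reach each other by passing security_group_id_for_ref as the remote inside its own security_group_rules, and a second block adds operator rules to that same group through existing_security_group_id, consuming security_group_id so that it runs only after the first block's rules are applied. The VPC ID, the network interface ID and the bastion CIDR are placeholders.

```hcl
# Added example: using the security_group_id and security_group_id_for_ref
# outputs. vpc_id, app_nic_id and the bastion CIDR are assumptions, not values
# from the module's documentation.

variable "vpc_id" {
  description = "ID of the VPC that owns the security group (placeholder)"
  type        = string
}

variable "app_nic_id" {
  description = "Network interface ID in the same VPC to attach the group to (placeholder)"
  type        = string
}

module "app_sg" {
  source  = "terraform-ibm-modules/security-group/ibm"
  version = "latest" # Replace "latest" with a release version to lock into a specific release

  vpc_id              = var.vpc_id
  security_group_name = "app-sg"

  security_group_rules = [
    {
      # Self-reference: members of this group may reach each other on 8443.
      # security_group_id_for_ref exists before rules are applied, so it can be
      # used inside this same module block; security_group_id cannot.
      name      = "allow-app-from-self"
      direction = "inbound"
      remote    = module.app_sg.security_group_id_for_ref
      tcp = {
        port_min = 8443
        port_max = 8443
      }
    }
  ]
}

# Adds operator rules to the group created above. Passing security_group_id
# (not security_group_id_for_ref) makes Terraform wait until every rule of the
# first block is applied before this block runs.
module "app_sg_ops_rules" {
  source  = "terraform-ibm-modules/security-group/ibm"
  version = "latest" # Replace "latest" with a release version to lock into a specific release

  use_existing_security_group_id = true
  existing_security_group_id     = module.app_sg.security_group_id

  security_group_rules = [
    {
      # SSH only from the bastion subnet, never from 0.0.0.0/0.
      name      = "allow-ssh-from-bastion"
      direction = "inbound"
      remote    = "10.20.0.0/28" # constructed bastion subnet
      tcp = {
        port_min = 22
        port_max = 22
      }
    }
  ]

  # Attach the group to an existing network interface in the same VPC.
  target_ids = [var.app_nic_id]
}

output "app_sg_id" {
  description = "Group ID, available once the first block's rules are applied"
  value       = module.app_sg.security_group_id
}
```

Use security_group_id_for_ref only where a dependency on the finished rule set would be circular (a rule that names its own group); everywhere else, consuming security_group_id gives you the ordering guarantee that the group is complete before anything downstream relies on it.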

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.