# Terraform for testing with terratest
#
# For this module, a large portion of the test is simply
# verifying that Terraform can generate a plan without errors.
#
# AWS provider for the test fixture. The region is taken from the `region`
# variable declared elsewhere in this example; no static credentials are set
# in this block.
provider "aws" {
  region = var.region
}
# Throwaway VPC that every security group in this test is attached to.
# The registry source is pinned to an exact version so the fixture does not
# silently pick up a newer release of the upstream module.
module "vpc" {
  source  = "cloudposse/vpc/aws"
  version = "v2.0.0"

  context = module.this.context

  ipv4_primary_cidr_block          = "10.0.0.0/24"
  assign_generated_ipv6_cidr_block = true
}
# Coin flip yielding 1 or 2. Its result is only known at apply time, which
# `local.coin` uses to feed a plan-time-unknown value into the rule_matrix
# of `new_security_group` below. Created only when the module is enabled.
resource "random_integer" "coin" {
  count = local.enabled ? 1 : 0

  min = 1
  max = 2
}
locals {
  enabled = module.this.enabled

  # `random_integer.coin` has count 0 when disabled, so fall back to 0 rather
  # than indexing an empty list.
  coin = local.enabled ? random_integer.coin[0].result : 0
}
# Minimal invocation of the module under test: one security group in the
# fixture VPC with the rules passed straight through from `var.rules`.
module "simple_security_group" {
  source = "../.."

  attributes = ["simple"]
  vpc_id     = module.vpc.vpc_id
  rules      = var.rules

  context = module.this.context
}
# Create a new security group, feeding rules through all three inputs the
# module accepts (`rule_matrix`, `rules`, `rules_map`). Several values are
# deliberately derived from things unknown at plan time, since a large part
# of this test is checking that the module can still produce a plan.
module "new_security_group" {
  source = "../.."

  # Unrestricted outbound traffic. Fine for a test fixture; review before
  # reusing this setting in a real deployment.
  allow_all_egress     = true
  inline_rules_enabled = var.inline_rules_enabled

  rule_matrix = [{
    key = "stable"

    # Allow ingress on ports 22 and 80 from the created security group, the
    # existing `target` security group, and a CIDR chosen by `local.coin`.
    # The dynamic value for source_security_group_ids breaks Terraform 0.13
    # but should work in 0.14 or later.
    source_security_group_ids = local.enabled ? [aws_security_group.target[0].id] : ["disabled"]

    # Either dynamic value for CIDRs breaks Terraform 0.13 but should work in
    # 0.14 or later. In TF 0.14 and later (through 1.0.x) the module breaks
    # if the length of the cidr_blocks list is not available at plan time.
    cidr_blocks      = local.coin > 1 ? ["10.0.0.0/16"] : ["10.0.0.0/24"]
    ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
    prefix_list_ids  = []

    # Making `self` derived should break `count`, as it legitimately makes
    # the count impossible to predict:
    # self = random_integer.coin.result > 0
    self = var.rule_matrix_self

    rules = [
      {
        key         = "ssh"
        type        = "ingress"
        from_port   = 22
        to_port     = 22
        protocol    = "tcp"
        description = "Allow SSH access"
      },
      {
        # key deliberately left out (was: key = "http")
        type        = "ingress"
        from_port   = 80
        to_port     = 80
        protocol    = "tcp"
        description = "Allow HTTP access"
      },
    ]
  }]

  rules = var.rules

  # Two map entries merged together: one keyed by CIDR, one by source SG.
  rules_map = merge({ new-cidr = [
    {
      key              = "https-cidr"
      type             = "ingress"
      from_port        = 443
      to_port          = 443
      protocol         = "tcp"
      # Broad private range; narrow it outside of test fixtures.
      cidr_blocks      = ["10.0.0.0/8"]
      ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block] # alternative: ["::/0"]
      source_security_group_id = null
      description      = "Discrete HTTPS ingress by CIDR"
      self             = false
    }] }, {
    new-sg = [{
      # no key provided
      type                     = "ingress"
      from_port                = 443
      to_port                  = 443
      protocol                 = "tcp"
      source_security_group_id = local.enabled ? aws_security_group.target[0].id : "disabled"
      description              = "Discrete HTTPS ingress for special SG"
      self                     = null
    }],
  })

  vpc_id = module.vpc.vpc_id

  security_group_create_timeout = "5m"
  security_group_delete_timeout = "2m"
  security_group_name           = [format("%s-%s", module.this.id, "new-")]

  context = module.this.context
}
# Stand-in for a security group created outside the module. It carries no
# rules of its own here; `target_security_group` below points at it via
# `target_security_group_id` and supplies the rules.
resource "aws_security_group" "target" {
  # Scanner suppressions: the missing rule/description checks are not
  # relevant to this test fixture.
  #bridgecrew:skip=BC_AWS_NETWORKING_31:Not needed for testing
  #bridgecrew:skip=BC_AWS_NETWORKING_51:Not needed for testing
  count = local.enabled ? 1 : 0

  name_prefix = format("%s-%s-", module.this.id, "existing")
  vpc_id      = module.vpc.vpc_id
  tags        = module.this.tags
}
# Attach rules to the pre-created `target` security group instead of
# creating a new one.
module "target_security_group" {
  source = "../.."

  # Unrestricted outbound traffic; acceptable for the test fixture only.
  allow_all_egress = true
  # create_security_group = false

  # The "disabled" placeholders keep the list shapes valid when the module
  # is disabled and `aws_security_group.target` has count 0.
  target_security_group_id = local.enabled ? [aws_security_group.target[0].id] : ["disabled"]
  security_group_name      = local.enabled ? [aws_security_group.target[0].name_prefix] : ["disabled"]

  rules  = var.rules
  vpc_id = module.vpc.vpc_id

  context = module.this.context
}