https://github.com/techservicesillinois/terraform-aws-client-server-security-group
Provide two-level security groups for RDS instances
- Host: GitHub
- URL: https://github.com/techservicesillinois/terraform-aws-client-server-security-group
- Owner: techservicesillinois
- License: mit
- Created: 2019-02-01T17:01:01.000Z (over 7 years ago)
- Default Branch: main
- Last Pushed: 2024-01-04T21:30:38.000Z (over 2 years ago)
- Last Synced: 2024-01-05T06:36:03.150Z (over 2 years ago)
- Language: HCL
- Size: 232 KB
- Stars: 1
- Watchers: 7
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# client-server-security-group
Provides two security groups for use in client/server communications
on a given port. The client security group allows only outbound
connections to servers belonging to the server security group. The
server security group only allows inbound connections from clients
that are members of the client security group. This restricts server
access to only those clients in the client security group.
Example Usage
-----------------
```hcl
module "foo" {
  source      = "git@github.com:techservicesillinois/terraform-aws-client-server-security-group"
  name_prefix = "authman-db"
  # One list of ports per protocol; at least one protocol must be given.
  rules = {
    tcp = [1521, 5432]
  }
  # The VPC is referenced by its Name tag, not by ID.
  vpc = "dev-vpc"
}
```
Note: this will create two security groups: `authman-db-clients` and `authman-db-servers`.

The above graphic depicts a security group configuration for an RDS instance
running MySQL, and three clients, which may be EC2 instances, ECS containers,
and so forth.
Only clients that are members of the `authman-db-clients` security group are able to
establish a connection with the servers in the `authman-db-servers` security group,
and only on the designated port (3306 in this example).
Argument Reference
-----------------
The following arguments are supported:
* `cidr_blocks_extra` - (Optional) List of additional CIDR blocks granted access to the server security group. Defaults to an empty list.
* `client_sg_name` - Client security group name (Ignored if name_prefix is set).
* `name_prefix` - Prefix to prepend to autogenerated security group names
* `rules` - (Required) A [rules](#rules) block used to define the security group based on protocol and port.
* `server_sg_name` - Server security group name (Ignored if name_prefix is set).
* `tags` - Tags to be applied. (A default `Name` tag is assigned using the security group name.)
* `vpc` - (Required) The VPC name.
`rules`
-----
A `rules` block supports the following:
* `icmp` - (Optional) A list of ports to be opened for the ICMP protocol. See note below.
* `tcp` - (Optional) A list of ports to be opened for the TCP protocol.
* `udp` - (Optional) A list of ports to be opened for the UDP protocol.
**NOTE:** For the ICMP protocol, use one or more ICMP type number(s) in the port list.
While none of the supported protocols are required as part of the `rules` block, **at least one** protocol must be specified with a non-empty port list.
Attributes Reference
--------------------
The following attributes are exported:
* `client_security_group_id` - The ID of the client security group
* `client_security_group_name` - The name of the client security group
* `rule_map` - A map listing each port and protocol granted access to the security group. See below for details.
* `server_security_group_id` - The ID of the server security group
* `server_security_group_name` - The name of the server security group
### The `rule_map` attribute
The `rule_map` attribute expresses the security group rules as a map of maps.
For example, the following `rules` block grants access to the standard TCP ports used by Oracle and PostgreSQL:
```hcl
rules = {
tcp = [1521, 5432]
}
```
The `rule_map` attribute would be produced as shown below.
```hcl
rule_map = {
"tcp:1521" = {
"key" = "tcp:1521"
"port" = 1521
"protocol" = "tcp"
}
"tcp:5432" = {
"key" = "tcp:5432"
"port" = 5432
"protocol" = "tcp"
}
}
```
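As an added illustration (not the module's own code), the following shows how the client/server pairing described at the top of the README and the `rule_map` derivation above can be expressed with plain Terraform resources. The `vpc_id` variable (a VPC ID rather than the module's VPC name) and the sample `rules` default are assumptions.

```hcl
variable "vpc_id" { type = string }            # assumed input: a VPC ID, not the module's VPC name
variable "rules" {
  type    = map(list(number))
  default = { tcp = [1521, 5432], icmp = [8] } # constructed sample: DB ports plus ICMP echo request
}
locals {
  # Flatten the rules block into the "proto:port"-keyed map the README shows
  # for rule_map, so each entry can drive one for_each rule below.
  rule_map = {
    for r in flatten([
      for proto, ports in var.rules : [
        for port in ports : { key = "${proto}:${port}", protocol = proto, port = port }
      ]
    ]) : r.key => r
  }
}

# Terraform removes AWS's implicit allow-all egress on creation, so clients get only the egress below.
resource "aws_security_group" "clients" {
  name   = "authman-db-clients"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "servers" {
  name   = "authman-db-servers"
  vpc_id = var.vpc_id
}

# Server side: inbound only from the client group. For ICMP, from_port is the type and to_port the code (-1 = any).
resource "aws_security_group_rule" "server_ingress" {
  for_each                 = local.rule_map
  type                     = "ingress"
  security_group_id        = aws_security_group.servers.id
  source_security_group_id = aws_security_group.clients.id
  protocol                 = each.value.protocol
  from_port                = each.value.port
  to_port                  = each.value.protocol == "icmp" ? -1 : each.value.port
}

# Client side: outbound only to the server group, mirroring the ingress rules above.
resource "aws_security_group_rule" "client_egress" {
  for_each                 = local.rule_map
  type                     = "egress"
  security_group_id        = aws_security_group.clients.id
  source_security_group_id = aws_security_group.servers.id
  protocol                 = each.value.protocol
  from_port                = each.value.port
  to_port                  = each.value.protocol == "icmp" ? -1 : each.value.port
}
```

Because neither group carries a CIDR-based rule, a client outside `authman-db-clients` has no path to the database ports even when it sits in the same subnet, which is the property the two-level design is meant to enforce.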