feat: added new resource and update module

clouddrove · Jun 30, 2023 · ac15889 · ac15889
1 parent 3fcd6cd
commit ac15889
Show file tree

Hide file tree

Showing 13 changed files with 573 additions and 374 deletions.
diff --git a/_example/new_security_group/example.tf b/_example/new_security_group/example.tf
@@ -5,31 +5,28 @@ provider "aws" {
   region = "eu-west-1"
 }
 
-####----------------------------------------------------------------------------------
-## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
-####----------------------------------------------------------------------------------
-module "vpc" {
-  source      = "clouddrove/vpc/aws"
-  version     = "1.3.1"
-  name        = "vpc"
-  environment = "test"
-  label_order = ["name", "environment"]
-  cidr_block  = "10.0.0.0/16"
-}
-
-##----------------------------------------------------------------------------------
-## Below module will create SECURITY-GROUP and its components.
-##----------------------------------------------------------------------------------
 module "security_group" {
-  source = "../../"
+  source = "./../../"
 
-  name        = "security-group"
-  environment = "test"
-  label_order = ["name", "environment"]
+  ## new_enable_security_group #######
 
-  vpc_id          = module.vpc.vpc_id
-  allowed_ip      = ["172.16.0.0/16", "10.0.0.0/16"]
-  allowed_ports   = [22, 27017]
-  security_groups = ["sg-xxxxxxxxxxxx"]
-  prefix_list_ids = ["pl-xxxxxxxxxxxx"]
-}
+  new_enable_security_group = true
+  allowed_ip                = ["172.16.0.0/16", "10.0.0.0/16"]
+  allowed_ports             = [22, 27017]
+  security_groups           = []
+  #-------------------------------------------------------------------------------
+  ### prefix_list
+  #-------------------------------------------------------------------------------
+  max_entries         = 5
+  prefix_list_enabled = true
+  entry = [
+    {
+      cidr        = "10.0.0.0/16"
+      description = "VPC CIDR"
+    },
+    {
+      cidr        = "10.10.0.0/24"
+      description = "VPC CIDR"
+    }
+  ]
+}
diff --git a/_example/new_security_group/outputs.tf b/_example/new_security_group/outputs.tf
diff --git a/main.tf b/main.tf
@@ -1,189 +1,43 @@
-##----------------------------------------------------------------------------------
-## This terraform module is designed to generate consistent label names and
-## tags for resources. You can use terraform-labels to implement a strict naming convention.
-##----------------------------------------------------------------------------------
-module "labels" {
-  source  = "clouddrove/labels/aws"
-  version = "1.3.0"
-
-  enabled     = var.enable_security_group
-  name        = var.name
-  repository  = var.repository
-  environment = var.environment
-  attributes  = var.attributes
-  managedby   = var.managedby
-  label_order = var.label_order
-}
-
-locals {
-  sg_existing                    = var.is_external == true
-  egress_rule                    = var.egress_rule == true
-  id                             = local.sg_existing ? join("", data.aws_security_group.existing.*.id) : join("", aws_security_group.default.*.id)
-  security_group_count           = var.enable_security_group == true ? 1 : 0
-  enable_cidr_rules              = length(var.allowed_ip) > 0
-  enable_cidr_rules_ipv6         = length(var.allowed_ipv6) > 0
-  enable_source_sec_group_rules  = length(var.security_groups) == 0 ? false : true
-  enable_source_prefix_list_ids  = length(var.prefix_list_ids) == 0 ? false : true
-  ports_source_sec_group_product = setproduct(compact(var.allowed_ports), length(var.security_groups) > 0 ? var.security_groups : [""])
-  ports_source_prefix_product    = setproduct(compact(var.allowed_ports), length(var.prefix_list_ids) > 0 ? var.prefix_list_ids : [""])
-  prefix_list                    = var.prefix_list_ids
-
-  #egress local parameters
-  enable_source_sec_group_rules_eg = length(var.egress_security_groups) == 0 ? false : true
-  enable_source_prefix_list_ids_eg = length(var.egress_prefix_list_ids) == 0 ? false : true
-  enable_cidr_rules_ipv6_eg        = length(var.egress_allowed_ipv6) > 0
-
-  ports_source_sec_group_product_eg = setproduct(
-    length(var.egress_allowed_ports) > 0 ? compact(var.egress_allowed_ports) : [""],
-  length(var.egress_security_groups) > 0 ? var.egress_security_groups : [""])
-  ports_source_prefix_product_eg = setproduct(
-    length(var.egress_allowed_ports) > 0 ? compact(var.egress_allowed_ports) : [""],
-  length(var.egress_prefix_list_ids) > 0 ? var.egress_prefix_list_ids : [""])
-  prefix_list_eg = var.egress_prefix_list_ids
-
-}
-
-##----------------------------------------------------------------------------------
-## Here are an example of how you can use this resource in your inventory structure.
-##----------------------------------------------------------------------------------
-resource "aws_security_group" "default" {
-  count = local.security_group_count
 
-  name        = module.labels.id
-  vpc_id      = var.vpc_id
-  description = var.description
-  tags        = module.labels.tags
-  lifecycle {
-    create_before_destroy = true
-  }
-}
+####----------------------------------------------------------------------------------
+## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
+####----------------------------------------------------------------------------------
 
-data "aws_security_group" "existing" {
-  count  = local.sg_existing ? 1 : 0
-  id     = var.existing_sg_id
-  vpc_id = var.vpc_id
+module "vpc" {
+  source      = "clouddrove/vpc/aws"
+  version     = "1.3.1"
+  name        = "vpc"
+  environment = "prashant"
+  label_order = ["name", "environment"]
+  cidr_block  = "10.0.0.0/16"
 }
 
-##----------------------------------------------------------------------------------
-## Provides a security group rule resource. Represents a single egress
-## group rule, which can be added to external Security Groups.
-##----------------------------------------------------------------------------------
-resource "aws_security_group_rule" "egress" {
-  count = (var.enable_security_group == true && local.sg_existing == false && local.egress_rule == false) ? 1 : 0
+module "prefix_list" {
+  source = "./modules/prefix_list"
 
-  type              = "egress"
-  from_port         = 0
-  to_port           = 65535
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
-  description       = var.security_group_egress_rule_description
-  security_group_id = local.id
-}
-resource "aws_security_group_rule" "egress_ipv6" {
-  count = (var.enable_security_group == true && local.sg_existing == false) && local.egress_rule == false && local.enable_cidr_rules_ipv6 == true ? 1 : 0
+  name        = "prefix_list"
+  environment = "prashant"
+  label_order = ["name", "environment"]
 
-  type              = "egress"
-  from_port         = 0
-  to_port           = 65535
-  protocol          = "-1"
-  ipv6_cidr_blocks  = ["::/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
-  security_group_id = local.id
-  description       = var.security_group_egress_ipv6_rule_description
-  prefix_list_ids   = var.prefix_list
+  max_entries         = var.max_entries
+  prefix_list_enabled = var.prefix_list_enabled
+  entry = var.entry
 }
 
 ##----------------------------------------------------------------------------------
-## Provides a security group rule resource. Represents a single ingress
-## group rule, which can be added to external Security Groups.
+## Below module will create SECURITY-GROUP and its components.
 ##----------------------------------------------------------------------------------
-resource "aws_security_group_rule" "ingress" {
-  count = local.enable_cidr_rules == true ? length(compact(var.allowed_ports)) : 0
-
-  type              = "ingress"
-  from_port         = element(var.allowed_ports, count.index)
-  to_port           = element(var.allowed_ports, count.index)
-  protocol          = var.protocol
-  cidr_blocks       = var.allowed_ip
-  security_group_id = local.id
-}
-resource "aws_security_group_rule" "ingress_ipv6" {
-  count = local.enable_cidr_rules_ipv6 == true ? length(compact(var.allowed_ports)) : 0
-
-  type              = "ingress"
-  from_port         = element(var.allowed_ports, count.index)
-  to_port           = element(var.allowed_ports, count.index)
-  protocol          = var.protocol
-  ipv6_cidr_blocks  = var.allowed_ipv6
-  security_group_id = local.id
-}
+module "security_group" {
+  source = "./modules/security_group"
 
-resource "aws_security_group_rule" "ingress_sg" {
-  count = local.enable_source_sec_group_rules == true ? length(local.ports_source_sec_group_product) : 0
+  name        = "security-group"
+  environment = "test"
+  label_order = ["name", "environment"]
 
-  type                     = "ingress"
-  from_port                = element(element(local.ports_source_sec_group_product, count.index), 0)
-  to_port                  = element(element(local.ports_source_sec_group_product, count.index), 0)
-  protocol                 = var.protocol
-  source_security_group_id = local.enable_source_sec_group_rules == true ? element(element(local.ports_source_sec_group_product, count.index), 1) : 0
-  security_group_id        = local.id
-}
-
-resource "aws_security_group_rule" "ingress_prefix" {
-  count = local.enable_source_prefix_list_ids == true ? length(local.ports_source_prefix_product) : 0
-
-  type              = "ingress"
-  from_port         = element(element(local.ports_source_prefix_product, count.index), 0)
-  to_port           = element(element(local.ports_source_prefix_product, count.index), 0)
-  protocol          = var.protocol
-  prefix_list_ids   = [element(element(local.ports_source_prefix_product, count.index), 1)]
-  security_group_id = local.id
-}
-
-
-##----------------------------------------------------------------------------------
-## egress rules configuration.
-##----------------------------------------------------------------------------------
-resource "aws_security_group_rule" "egress_ipv4_rule" {
-  count = local.egress_rule == true ? length(compact(var.allowed_ports)) : 0
-
-  type              = "egress"
-  from_port         = element(var.egress_allowed_ports, count.index)
-  to_port           = element(var.egress_allowed_ports, count.index)
-  protocol          = var.egress_protocol
-  cidr_blocks       = var.egress_allowed_ip
-  security_group_id = local.id
-}
-
-resource "aws_security_group_rule" "egress_ipv6_rule" {
-  count = local.egress_rule == true && local.enable_cidr_rules_ipv6_eg == true ? 1 : 0
-
-  type              = "egress"
-  from_port         = element(var.egress_allowed_ports, count.index)
-  to_port           = element(var.egress_allowed_ports, count.index)
-  protocol          = var.egress_protocol
-  ipv6_cidr_blocks  = var.egress_allowed_ipv6
-  security_group_id = local.id
-  prefix_list_ids   = var.prefix_list
-}
-
-resource "aws_security_group_rule" "egress_sg_rule" {
-  count = local.egress_rule == true && local.enable_source_sec_group_rules_eg == true ? length(local.ports_source_sec_group_product_eg) : 0
-
-  type                     = "egress"
-  from_port                = element(element(local.ports_source_sec_group_product_eg, count.index), 0)
-  to_port                  = element(element(local.ports_source_sec_group_product_eg, count.index), 0)
-  protocol                 = var.egress_protocol
-  source_security_group_id = element(element(local.ports_source_sec_group_product_eg, count.index), 1)
-  security_group_id        = local.id
-}
-
-resource "aws_security_group_rule" "egress_prefix_rule" {
-  count = local.egress_rule == true && local.enable_source_prefix_list_ids_eg == true ? length(local.ports_source_prefix_product) : 0
-
-  type              = "egress"
-  from_port         = element(element(local.ports_source_prefix_product_eg, count.index), 0)
-  to_port           = element(element(local.ports_source_prefix_product_eg, count.index), 0)
-  protocol          = var.egress_protocol
-  prefix_list_ids   = [element(element(local.ports_source_prefix_product_eg, count.index), 1)]
-  security_group_id = local.id
-}
+  enable_security_group = var.new_enable_security_group
+  vpc_id          = module.vpc.vpc_id
+  allowed_ip      = var.allowed_ip
+  allowed_ports   = var.allowed_ports
+  security_groups = var.security_groups
+  prefix_list_ids = length(var.prefix_list_id) < 1 ? module.prefix_list.prefix_id : var.prefix_list_id
+}
diff --git a/modules/prefix_list/main.tf b/modules/prefix_list/main.tf
@@ -0,0 +1,32 @@
+##----------------------------------------------------------------------------------
+## This terraform module is designed to generate consistent label names and
+## tags for resources. You can use terraform-labels to implement a strict naming convention.
+##----------------------------------------------------------------------------------
+module "labels" {
+  source  = "clouddrove/labels/aws"
+  version = "1.3.0"
+
+  name        = var.name
+  repository  = var.repository
+  environment = var.environment
+  attributes  = var.attributes
+  managedby   = var.managedby
+  label_order = var.label_order
+}
+
+resource "aws_ec2_managed_prefix_list" "prefix_list_sg_example" {
+  count = var.prefix_list_enabled && length(var.prefix_list_id) < 1 ? 1 : 0
+
+  address_family = "IPv4"
+  max_entries    = var.max_entries
+  name           = module.labels.id
+
+  dynamic "entry" {
+    for_each = var.entry
+    content {
+      cidr        = lookup(entry.value, "cidr", null)
+      description = lookup(entry.value, "description", null)
+
+    }
+  }
+}
diff --git a/modules/prefix_list/outputs.tf b/modules/prefix_list/outputs.tf
@@ -0,0 +1,4 @@
+output "prefix_id" {
+  value       = aws_ec2_managed_prefix_list.prefix_list_sg_example.*.id
+  description = "The ID of the prefix list."
+}
diff --git a/modules/prefix_list/variables.tf b/modules/prefix_list/variables.tf
@@ -0,0 +1,61 @@
+#Module      : LABEL
+#Description : Terraform label module variables.
+variable "name" {
+  type        = string
+  default     = ""
+  description = "Name  (e.g. `app` or `cluster`)."
+}
+
+variable "repository" {
+  type        = string
+  default     = "https://github.com/clouddrove/terraform-aws-security-group"
+  description = "Terraform current module repo"
+}
+
+variable "environment" {
+  type        = string
+  default     = ""
+  description = "Environment (e.g. `prod`, `dev`, `staging`)."
+}
+
+variable "attributes" {
+  type        = list(any)
+  default     = []
+  description = "Additional attributes (e.g. `1`)."
+}
+
+variable "managedby" {
+  type        = string
+  default     = "[email protected]"
+  description = "ManagedBy, eg 'CloudDrove'."
+}
+
+variable "label_order" {
+  type        = list(any)
+  default     = []
+  description = "Label order, e.g. `name`,`application`."
+}
+
+variable "prefix_list_id" {
+  type        = list(string)
+  default     = []
+  description = "The ID of the prefix list."
+}
+
+variable "prefix_list_enabled" {
+  type        = bool
+  default     = true
+  description = "Enable prefix_list."
+}
+
+variable "max_entries" {
+  type        = number
+  default     = 5
+  description = "The maximum number of entries that this prefix list can contain."
+}
+
+variable "entry" {
+  type        = list(any)
+  default     = []
+  description = "Can be specified multiple times for each prefix list entry."
+}
diff --git a/versions.tf → modules/prefix_list/versions.tf b/versions.tf → modules/prefix_list/versions.tf