From 14ee39e1010d4d9167a6fff59dd19d0389d67af1 Mon Sep 17 00:00:00 2001
From: Kevin Mahoney
Date: Thu, 30 Jun 2022 14:34:45 -0600
Subject: [PATCH 1/6] allow traffic inside security group
---
 main.tf | 11 +++++++++++
 variables.tf | 6 ++++++
 2 files changed, 17 insertions(+)
diff --git a/main.tf b/main.tf
index ce55ea8b..c275e610 100644
--- a/main.tf
+++ b/main.tf
@@ -33,6 +33,17 @@ resource "aws_security_group_rule" "ingress_security_groups" {
 security_group_id = join("", aws_security_group.default.*.id)
 }
+resource "aws_security_group_rule" "traffic_inside_security_group" {
+ count = local.enabled && var.allow_traffic_inside_security_group ? 1 : 0
+ description = "Allow traffic between members of the database security group"
+ type = "ingress"
+ from_port = var.db_port
+ to_port = var.db_port
+ protocol = "tcp"
+ self = true
+ security_group_id = join("", aws_security_group.default.*.id)
+}
+
 resource "aws_security_group_rule" "ingress_cidr_blocks" {
 count = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
 description = "Allow inbound traffic from existing CIDR blocks"
diff --git a/variables.tf b/variables.tf
index 08d38a16..6c377f21 100644
--- a/variables.tf
+++ b/variables.tf
@@ -456,3 +456,9 @@ variable "subnet_group_name" {
 type = string
 default = ""
 }
+
+variable "allow_traffic_inside_security_group" {
+ type = bool
+ default = false
+ description = "Whether to allow traffic between resources inside the database's security group."
+}
From a86573ebdae1708097c9c0c7daa73742eeca9381 Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Thu, 30 Jun 2022 20:35:49 +0000
Subject: [PATCH 2/6] Auto Format
---
 README.md | 2 ++
 docs/terraform.md | 2 ++
 main.tf | 16 ++++++++--------
 3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 7c8f1ad7..a73a9c38 100644
--- a/README.md
+++ b/README.md
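Review bot: The rule's `description` understates what `self = true` grants: every network interface attached to `aws_security_group.default`, not only the cluster, becomes an allowed source on `var.db_port`, so any host later attached to the database group for convenience is a database client with no further review. Suggest `description = "Allow TCP ingress on the database port from any resource attached to this security group"` so the intent is visible wherever the rule is displayed, plus a comment on the `self = true` line noting the rule is deliberately limited to `var.db_port`/tcp rather than all traffic between members. The `count` gate only checks `local.enabled`; if `aws_security_group.default` is created under a narrower condition, `join("", aws_security_group.default.*.id)` evaluates to an empty string and the apply fails — the neighbouring `ingress_security_groups` rule uses the same expression, so presumably its condition already matches, but that is worth confirming.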
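Review bot: The variable description says "allow traffic between resources inside the database's security group", but the rule it enables (the main.tf hunk in this patch) only permits TCP ingress on `var.db_port`, and it permits it for anything attached to the group; the description should state both so operators understand the width of the grant before flipping it. Suggest `description = "Whether to allow TCP ingress on var.db_port from any other resource attached to the database security group. Enabling this lets every member of the group reach the database."` Keeping `default = false` is the right choice for a grant this broad.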
@@ -392,6 +392,7 @@ Available targets: | [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.traffic_inside_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_iam_policy_document.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 
@@ -404,6 +405,7 @@ Available targets: | [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no | | [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no | | [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no | +| [allow\_traffic\_inside\_security\_group](#input\_allow\_traffic\_inside\_security\_group) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 47e8edf7..c9486ab2 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -40,6 +40,7 @@ | [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.traffic_inside_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_iam_policy_document.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 
@@ -52,6 +53,7 @@ | [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no | | [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no | | [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no | +| [allow\_traffic\_inside\_security\_group](#input\_allow\_traffic\_inside\_security\_group) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | diff --git a/main.tf b/main.tf index c275e610..77efcc6c 100644 --- a/main.tf +++ b/main.tf @@ -34,14 +34,14 @@ resource "aws_security_group_rule" "ingress_security_groups" { } resource "aws_security_group_rule" "traffic_inside_security_group" { - count = local.enabled && var.allow_traffic_inside_security_group ? 1 : 0 - description = "Allow traffic between members of the database security group" - type = "ingress" - from_port = var.db_port - to_port = var.db_port - protocol = "tcp" - self = true - security_group_id = join("", aws_security_group.default.*.id) + count = local.enabled && var.allow_traffic_inside_security_group ? 1 : 0 + description = "Allow traffic between members of the database security group" + type = "ingress" + from_port = var.db_port + to_port = var.db_port + protocol = "tcp" + self = true + security_group_id = join("", aws_security_group.default.*.id) } resource "aws_security_group_rule" "ingress_cidr_blocks" { From 35ee3af80e1c8ec96aeb2aad91af59901c1dd9b4 Mon Sep 17 00:00:00 2001 From: Kevin Mahoney Date: Thu, 30 Jun 2022 14:59:44 -0600 Subject: [PATCH 3/6] add intra-sg traffic to complete example --- examples/complete/fixtures.us-east-2.tfvars | 2 ++ examples/complete/main.tf | 33 +++++++++++---------- examples/complete/variables.tf | 6 ++++ 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars index 28e214bf..8e457bed 100644 --- a/examples/complete/fixtures.us-east-2.tfvars +++ b/examples/complete/fixtures.us-east-2.tfvars @@ -31,3 +31,5 @@ admin_password = "admin_password" enhanced_monitoring_role_enabled = true rds_monitoring_interval = 30 + +allow_traffic_inside_security_group = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index f3f39c01..ddb0b65e 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -28,22 +28,23 @@ module "subnets" {
 module "rds_cluster" {
 source = "../../"
- engine = var.engine
- engine_mode = var.engine_mode
- cluster_family = var.cluster_family
- cluster_size = var.cluster_size
- admin_user = var.admin_user
- admin_password = var.admin_password
- db_name = var.db_name
- instance_type = var.instance_type
- vpc_id = module.vpc.vpc_id
- subnets = module.subnets.private_subnet_ids
- security_groups = [module.vpc.vpc_default_security_group_id]
- deletion_protection = var.deletion_protection
- autoscaling_enabled = var.autoscaling_enabled
- storage_type = var.storage_type
- iops = var.iops
- allocated_storage = var.allocated_storage
+ engine = var.engine
+ engine_mode = var.engine_mode
+ cluster_family = var.cluster_family
+ cluster_size = var.cluster_size
+ admin_user = var.admin_user
+ admin_password = var.admin_password
+ db_name = var.db_name
+ instance_type = var.instance_type
+ vpc_id = module.vpc.vpc_id
+ subnets = module.subnets.private_subnet_ids
+ security_groups = [module.vpc.vpc_default_security_group_id]
+ deletion_protection = var.deletion_protection
+ autoscaling_enabled = var.autoscaling_enabled
+ storage_type = var.storage_type
+ iops = var.iops
+ allocated_storage = var.allocated_storage
+ allow_traffic_inside_security_group = var.allow_traffic_inside_security_group
 cluster_parameters = [
 {
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index a85865f3..ccd9c3bc 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -84,3 +84,9 @@ variable "allocated_storage" {
 description = "The allocated storage in GBs"
 default = null
 }
+
+variable "allow_traffic_inside_security_group" {
+ type = bool
+ default = false
+ description = "Whether to allow traffic between resources inside the database's security group."
+}
From 5bea683e4d6bf0e176090b15d2b29074c173a38c Mon Sep 17 00:00:00 2001
From: Kevin Mahoney
Date: Tue, 5 Jul 2022 13:42:10 -0600
Subject: [PATCH 4/6] Update variables.tf
Co-authored-by: Matt Gowie
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 6c377f21..edd228c7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -457,7 +457,7 @@ variable "subnet_group_name" {
 default = ""
 }
-variable "allow_traffic_inside_security_group" {
+variable "intra_security_group_traffic_enabled" {
 type = bool
 default = false
 description = "Whether to allow traffic between resources inside the database's security group."
From 8ca149939d0820b48dfb2157ea694ba88e1acf58 Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Tue, 5 Jul 2022 19:43:07 +0000
Subject: [PATCH 5/6] Auto Format
---
 README.md | 2 +-
 docs/terraform.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a73a9c38..2c8e8623 100644
--- a/README.md
+++ b/README.md
@@ -405,7 +405,6 @@ Available targets: | [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no | | [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no | | [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no | -| [allow\_traffic\_inside\_security\_group](#input\_allow\_traffic\_inside\_security\_group) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | @@ -451,6 +450,7 @@ Available targets: | [instance\_availability\_zone](#input\_instance\_availability\_zone) | Optional parameter to place cluster instances in a specific availability zone. If left empty, will place randomly | `string` | `""` | no | | [instance\_parameters](#input\_instance\_parameters) | List of DB instance parameters to apply |
list(object({
apply_method = string
name = string
value = string
}))
| `[]` | no | | [instance\_type](#input\_instance\_type) | Instance type to use | `string` | `"db.t2.small"` | no | +| [intra\_security\_group\_traffic\_enabled](#input\_intra\_security\_group\_traffic\_enabled) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no | | [iops](#input\_iops) | The amount of provisioned IOPS. Setting this implies a storage\_type of 'io1'. This setting is required to create a Multi-AZ DB cluster. Check TF docs for values based on db engine | `number` | `null` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, `storage_encrypted` needs to be set to `true` | `string` | `""` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index c9486ab2..61a64c8a 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -53,7 +53,6 @@ | [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no | | [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no | | [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no | -| [allow\_traffic\_inside\_security\_group](#input\_allow\_traffic\_inside\_security\_group) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | @@ -99,6 +98,7 @@ | [instance\_availability\_zone](#input\_instance\_availability\_zone) | Optional parameter to place cluster instances in a specific availability zone. If left empty, will place randomly | `string` | `""` | no | | [instance\_parameters](#input\_instance\_parameters) | List of DB instance parameters to apply |
list(object({
apply_method = string
name = string
value = string
}))
| `[]` | no | | [instance\_type](#input\_instance\_type) | Instance type to use | `string` | `"db.t2.small"` | no | +| [intra\_security\_group\_traffic\_enabled](#input\_intra\_security\_group\_traffic\_enabled) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no | | [iops](#input\_iops) | The amount of provisioned IOPS. Setting this implies a storage\_type of 'io1'. This setting is required to create a Multi-AZ DB cluster. Check TF docs for values based on db engine | `number` | `null` | no | | [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, `storage_encrypted` needs to be set to `true` | `string` | `""` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | From a8a245a0b0c0e50bc5acaba28b6d1b2e79e726f9 Mon Sep 17 00:00:00 2001 From: Kevin Mahoney Date: Tue, 5 Jul 2022 13:45:09 -0600 Subject: [PATCH 6/6] update var n ame --- examples/complete/fixtures.us-east-2.tfvars | 2 +- examples/complete/main.tf | 34 ++++++++++----------- examples/complete/variables.tf | 2 +- main.tf | 2 +- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars index 8e457bed..d7ee2e2f 100644 --- a/examples/complete/fixtures.us-east-2.tfvars +++ b/examples/complete/fixtures.us-east-2.tfvars @@ -32,4 +32,4 @@ enhanced_monitoring_role_enabled = true rds_monitoring_interval = 30 -allow_traffic_inside_security_group = true +intra_security_group_traffic_enabled = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index ddb0b65e..be5914a2 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -28,23 +28,23 @@ module "subnets" {
 module "rds_cluster" {
 source = "../../"
- engine = var.engine
- engine_mode = var.engine_mode
- cluster_family = var.cluster_family
- cluster_size = var.cluster_size
- admin_user = var.admin_user
- admin_password = var.admin_password
- db_name = var.db_name
- instance_type = var.instance_type
- vpc_id = module.vpc.vpc_id
- subnets = module.subnets.private_subnet_ids
- security_groups = [module.vpc.vpc_default_security_group_id]
- deletion_protection = var.deletion_protection
- autoscaling_enabled = var.autoscaling_enabled
- storage_type = var.storage_type
- iops = var.iops
- allocated_storage = var.allocated_storage
- allow_traffic_inside_security_group = var.allow_traffic_inside_security_group
+ engine = var.engine
+ engine_mode = var.engine_mode
+ cluster_family = var.cluster_family
+ cluster_size = var.cluster_size
+ admin_user = var.admin_user
+ admin_password = var.admin_password
+ db_name = var.db_name
+ instance_type = var.instance_type
+ vpc_id = module.vpc.vpc_id
+ subnets = module.subnets.private_subnet_ids
+ security_groups = [module.vpc.vpc_default_security_group_id]
+ deletion_protection = var.deletion_protection
+ autoscaling_enabled = var.autoscaling_enabled
+ storage_type = var.storage_type
+ iops = var.iops
+ allocated_storage = var.allocated_storage
+ intra_security_group_traffic_enabled = var.intra_security_group_traffic_enabled
 cluster_parameters = [
 {
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index ccd9c3bc..4b7af783 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -85,7 +85,7 @@ variable "allocated_storage" {
 default = null
 }
-variable "allow_traffic_inside_security_group" {
+variable "intra_security_group_traffic_enabled" {
 type = bool
 default = false
 description = "Whether to allow traffic between resources inside the database's security group."
diff --git a/main.tf b/main.tf
index 77efcc6c..bdc8434d 100644
--- a/main.tf
+++ b/main.tf
@@ -34,7 +34,7 @@ resource "aws_security_group_rule" "ingress_security_groups" {
 }
 resource "aws_security_group_rule" "traffic_inside_security_group" {
- count = local.enabled && var.allow_traffic_inside_security_group ? 1 : 0
+ count = local.enabled && var.intra_security_group_traffic_enabled ? 1 : 0
 description = "Allow traffic between members of the database security group"
 type = "ingress"
 from_port = var.db_port