
Support source security group id ingress access to cluster
sclausson committed Oct 11, 2017
1 parent 9e95fed commit 49f2db5
Showing 5 changed files with 140 additions and 4 deletions.
4 changes: 2 additions & 2 deletions modules/consul-cluster/README.md
Expand Up @@ -298,10 +298,10 @@ This module attaches a security group to each EC2 Instance that allows inbound r
* **Consul**: For all the [ports used by Consul](https://www.consul.io/docs/agent/options.html#ports), you can
use the `allowed_inbound_cidr_blocks` parameter to control the list of
[CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access.
[CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access and the `allowed_inbound_security_group_ids` parameter to control the security groups that will be allowed access.
* **SSH**: For the SSH port (default: 22), you can use the `allowed_ssh_cidr_blocks` parameter to control the list of
[CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access.
[CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access. You can use the `allowed_inbound_ssh_security_group_ids` parameter to control the list of source Security Groups that will be allowed access.
Note that all the ports mentioned above are configurable via the `xxx_port` variables (e.g. `server_rpc_port`). See
[vars.tf](vars.tf) for the full list.
17 changes: 15 additions & 2 deletions modules/consul-cluster/main.tf
Expand Up @@ -95,6 +95,7 @@ resource "aws_security_group" "lc_security_group" {
}

resource "aws_security_group_rule" "allow_ssh_inbound" {
count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
type = "ingress"
from_port = "${var.ssh_port}"
to_port = "${var.ssh_port}"
Expand All @@ -104,6 +105,17 @@ resource "aws_security_group_rule" "allow_ssh_inbound" {
security_group_id = "${aws_security_group.lc_security_group.id}"
}

resource "aws_security_group_rule" "allow_ssh_inbound_from_security_group_ids" {
count = "${length(var.allowed_ssh_security_group_ids)}"
type = "ingress"
from_port = "${var.ssh_port}"
to_port = "${var.ssh_port}"
protocol = "tcp"
source_security_group_id = "${element(var.allowed_ssh_security_group_ids, count.index)}"

security_group_id = "${aws_security_group.lc_security_group.id}"
}

resource "aws_security_group_rule" "allow_all_outbound" {
type = "egress"
from_port = 0
Expand All @@ -122,8 +134,9 @@ resource "aws_security_group_rule" "allow_all_outbound" {
module "security_group_rules" {
source = "../consul-security-group-rules"

security_group_id = "${aws_security_group.lc_security_group.id}"
allowed_inbound_cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"]
security_group_id = "${aws_security_group.lc_security_group.id}"
allowed_inbound_cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"]
allowed_inbound_security_group_ids = ["${var.allowed_inbound_security_group_ids}"]

server_rpc_port = "${var.server_rpc_port}"
cli_rpc_port = "${var.cli_rpc_port}"
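Review bot: The `count` added to `allow_ssh_inbound` in the first hunk of this file is gated on `var.allowed_inbound_cidr_blocks`, but the SSH rule is parameterised by `allowed_ssh_cidr_blocks` (the README in this commit documents SSH access that way, and `allowed_ssh_cidr_blocks` is the variable in consul-cluster/variables.tf), so the guard inspects the wrong list. An operator who sets only `allowed_ssh_cidr_blocks` would silently get no SSH ingress rule, and one who sets only `allowed_inbound_cidr_blocks` would get a rule with an empty `cidr_blocks` list, which the provider can be expected to reject. The rule's `cidr_blocks` argument is outside the hunk, so this is inferred from the variable naming and the README text. Change the guard to `count = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}"`; the resource body continues past the end of the hunk.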
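--- a/modules/consul-cluster/variables.tf
+++ b/modules/consul-cluster/variables.tf
@@ -24,6 +24,11 @@ variable "allowed_inbound_cidr_blocks" {
 type = "list"
 }
 
+variable "allowed_inbound_security_group_ids" {
+description = "A list of security group IDs that will be allowed to connect to Consul"
+type = "list"
+}
+
 variable "user_data" {
 description = "A User Data script to execute while the server is booting. We remmend passing in a bash script that executes the run-consul script, which should have been installed in the Consul AMI by the install-consul module."
 }
@@ -71,6 +76,12 @@ variable "allowed_ssh_cidr_blocks" {
 default = []
 }
 
+variable "allowed_ssh_security_group_ids" {
+description = "A list of security group IDs from which the EC2 Instances will allow SSH connections"
+type = "list"
+default = []
+}
+
 variable "termination_policies" {
 description = "A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour, Default."
 default = "Default"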
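Review bot: `allowed_inbound_security_group_ids` is declared without a `default`, unlike `allowed_ssh_security_group_ids` in the second hunk, which turns an optional allow-list into a required input and breaks every existing caller of the module on upgrade; the same omission is in modules/consul-security-group-rules/variables.tf in this commit. Add `default = []` to both declarations, which also keeps the `length(...)`-driven `count` on the new rules at zero when no source security groups are given. The description should also make the blast radius explicit, since consul-security-group-rules opens every Consul port to each listed group: `description = "A list of source security group IDs whose members will be allowed to connect to all Consul ports (RPC, Serf LAN/WAN, HTTP API, DNS)"`.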
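--- a/modules/consul-security-group-rules/main.tf
+++ b/modules/consul-security-group-rules/main.tf
@@ -3,6 +3,7 @@
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "aws_security_group_rule" "allow_server_rpc_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.server_rpc_port}"
 to_port = "${var.server_rpc_port}"
@@ -13,6 +14,7 @@ resource "aws_security_group_rule" "allow_server_rpc_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_cli_rpc_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.cli_rpc_port}"
 to_port = "${var.cli_rpc_port}"
@@ -23,6 +25,7 @@ resource "aws_security_group_rule" "allow_cli_rpc_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.serf_lan_port}"
 to_port = "${var.serf_lan_port}"
@@ -33,6 +36,7 @@ resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_lan_udp_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.serf_lan_port}"
 to_port = "${var.serf_lan_port}"
@@ -43,6 +47,7 @@ resource "aws_security_group_rule" "allow_serf_lan_udp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.serf_wan_port}"
 to_port = "${var.serf_wan_port}"
@@ -53,6 +58,7 @@ resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_wan_udp_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.serf_wan_port}"
 to_port = "${var.serf_wan_port}"
@@ -63,6 +69,7 @@ resource "aws_security_group_rule" "allow_serf_wan_udp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_http_api_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.http_api_port}"
 to_port = "${var.http_api_port}"
@@ -73,6 +80,7 @@ resource "aws_security_group_rule" "allow_http_api_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_dns_tcp_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.dns_port}"
 to_port = "${var.dns_port}"
@@ -83,6 +91,7 @@ resource "aws_security_group_rule" "allow_dns_tcp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_dns_udp_inbound" {
+count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
 type = "ingress"
 from_port = "${var.dns_port}"
 to_port = "${var.dns_port}"
@@ -92,3 +101,101 @@ resource "aws_security_group_rule" "allow_dns_udp_inbound" {
 security_group_id = "${var.security_group_id}"
 }
 
+resource "aws_security_group_rule" "allow_server_rpc_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.server_rpc_port}"
+to_port = "${var.server_rpc_port}"
+protocol = "tcp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_cli_rpc_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.cli_rpc_port}"
+to_port = "${var.cli_rpc_port}"
+protocol = "tcp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.serf_lan_port}"
+to_port = "${var.serf_lan_port}"
+protocol = "tcp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_udp_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.serf_lan_port}"
+to_port = "${var.serf_lan_port}"
+protocol = "udp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.serf_wan_port}"
+to_port = "${var.serf_wan_port}"
+protocol = "tcp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_wan_udp_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.serf_wan_port}"
+to_port = "${var.serf_wan_port}"
+protocol = "udp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_http_api_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.http_api_port}"
+to_port = "${var.http_api_port}"
+protocol = "tcp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_dns_tcp_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.dns_port}"
+to_port = "${var.dns_port}"
+protocol = "tcp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_dns_udp_inbound_from_security_group_ids" {
+count = "${length(var.allowed_inbound_security_group_ids)}"
+type = "ingress"
+from_port = "${var.dns_port}"
+to_port = "${var.dns_port}"
+protocol = "udp"
+source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+
+security_group_id = "${var.security_group_id}"
+}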
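--- a/modules/consul-security-group-rules/variables.tf
+++ b/modules/consul-security-group-rules/variables.tf
@@ -12,6 +12,11 @@ variable "allowed_inbound_cidr_blocks" {
 type = "list"
 }
 
+variable "allowed_inbound_security_group_ids" {
+description = "A list of security group IDs that will be allowed to connect to Consul"
+type = "list"
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # OPTIONAL PARAMETERS
 # These parameters have reasonable defaults.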
