软件概览
AWS EC2-VPC Security Group Terraform module
Terraform module which creates EC2 security group within VPC on AWS.
Features
This module aims to implement ALL combinations of arguments supported by AWS and latest stable version of Terraform:
- IPv4/IPv6 CIDR blocks
- VPC endpoint prefix lists (use data source aws_prefix_list)
- Access from source security groups
- Access from self
- Named rules (see the rules here)
- Named groups of rules with ingress (inbound) and egress (outbound) ports open for common scenarios (eg, ssh, http-80, mysql, see the whole list here)
- Conditionally create security group and/or all required security group rules.
Ingress and egress rules can be configured in a variety of ways. See inputs section for all supported arguments and complete example for the complete use-case.
If there is a missing feature or a bug - open an issue.
Terraform versions
For Terraform 0.12 use version v4.* of this module or newer.
If you are using Terraform 0.11 you can use versions v2.*.
Usage
There are two ways to create security groups using this module:
Security group with predefined rules
module "web_server_sg" {
source = "terraform-aws-modules/security-group/aws//modules/http-80"
name = "web-server"
description = "Security group for web-server with HTTP ports open within VPC"
vpc_id = "vpc-12345678"
ingress_cidr_blocks = ["10.10.0.0/16"]
}
Security group with custom rules
module "vote_service_sg" {
source = "terraform-aws-modules/security-group/aws"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_cidr_blocks = ["10.10.0.0/16"]
ingress_rules = ["https-443-tcp"]
ingress_with_cidr_blocks = [
{
from_port = 8080
to_port = 8090
protocol = "tcp"
description = "User-service ports"
cidr_blocks = "10.10.0.0/16"
},
{
rule = "postgresql-tcp"
cidr_blocks = "0.0.0.0/0"
},
]
}
Note about "value of 'count' cannot be computed"
Terraform 0.11 has a limitation which does not allow computed values inside count attribute on resources (issues: #16712, #18015, ...)
Computed values are values provided as outputs from module. Non-computed values are all others - static values, values referenced as variable and from data-sources.
When you need to specify computed value inside security group rule argument you need to specify it using an argument which starts with computed_ and provide a number of elements in the argument which starts with number_of_computed_. See these examples:
module "http_sg" {
source = "terraform-aws-modules/security-group/aws"
# omitted for brevity
}
module "db_computed_source_sg" {
# omitted for brevity
vpc_id = "vpc-12345678" # these are valid values also - `module.vpc.vpc_id` and `local.vpc_id`
computed_ingress_with_source_security_group_id = [
{
rule = "mysql-tcp"
source_security_group_id = module.http_sg.security_group_id
}
]
number_of_computed_ingress_with_source_security_group_id = 1
}
module "db_computed_sg" {
# omitted for brevity
ingress_cidr_blocks = ["10.10.0.0/16", data.aws_security_group.default.id]
computed_ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
number_of_computed_ingress_cidr_blocks = 1
}
module "db_computed_merged_sg" {
# omitted for brevity
computed_ingress_cidr_blocks = ["10.10.0.0/16", module.vpc.vpc_cidr_block]
number_of_computed_ingress_cidr_blocks = 2
}
Note that db_computed_sg and db_computed_merged_sg are equal, because it is possible to put both computed and non-computed values in arguments starting with computed_.
Conditional creation
Sometimes you need to have a way to create security group conditionally but Terraform does not allow to use count inside module block, so the solution is to specify argument create.
# This security group will not be created
module "vote_service_sg" {
source = "terraform-aws-modules/security-group/aws"
create = false
# ... omitted
}
Examples
- Complete Security Group example shows all available parameters to configure security group.
- Security Group "Rules Only" example shows how to manage just rules of a security group that is created outside.
- HTTP Security Group example shows more applicable security groups for common web-servers.
- Disable creation of Security Group example shows how to disable creation of security group.
- Dynamic values inside Security Group rules example shows how to specify values inside security group rules (data-sources and variables are allowed).
- Computed values inside Security Group rules example shows how to specify computed values inside security group rules (solution for
value of 'count' cannot be computedproblem).
How to add/update rules/groups?
Rules and groups are defined in rules.tf. Run update_groups.sh when content of that file has changed to recreate content of all automatic modules.
Known issues
No issue is creating limit on this module.
Requirements
| Name | Version |
|---|---|
| terraform | >= 0.12.6 |
| aws | >= 2.42 |
Providers
| Name | Version |
|---|---|
| aws | >= 2.42 |
Modules
No modules.
Resources
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| auto_groups | Map of groups of security group rules to use to generate modules (see update_groups.sh) | map(map(list(string))) |
{ |
no |
| computed_egress_rules | List of computed egress rules to create by name | list(string) |
[] |
no |
| computed_egress_with_cidr_blocks | List of computed egress rules to create where 'cidr_blocks' is used | list(map(string)) |
[] |
no |
| computed_egress_with_ipv6_cidr_blocks | List of computed egress rules to create where 'ipv6_cidr_blocks' is used | list(map(string)) |
[] |
no |
| computed_egress_with_self | List of computed egress rules to create where 'self' is defined | list(map(string)) |
[] |
no |
| computed_egress_with_source_security_group_id | List of computed egress rules to create where 'source_security_group_id' is used | list(map(string)) |
[] |
no |
| computed_ingress_rules | List of computed ingress rules to create by name | list(string) |
[] |
no |
| computed_ingress_with_cidr_blocks | List of computed ingress rules to create where 'cidr_blocks' is used | list(map(string)) |
[] |
no |
| computed_ingress_with_ipv6_cidr_blocks | List of computed ingress rules to create where 'ipv6_cidr_blocks' is used | list(map(string)) |
[] |
no |
| computed_ingress_with_self | List of computed ingress rules to create where 'self' is defined | list(map(string)) |
[] |
no |
| computed_ingress_with_source_security_group_id | List of computed ingress rules to create where 'source_security_group_id' is used | list(map(string)) |
[] |
no |
| create | Whether to create security group and all rules | bool |
true |
no |
| create_sg | Whether to create security group | bool |
true |
no |
| create_timeout | Time to wait for a security group to be created | string |
10m |
no |
| delete_timeout | Time to wait for a security group to be deleted | string |
15m |
no |
| description | Description of security group | string |
"Security Group managed by Terraform" |
no |
| egress_cidr_blocks | List of IPv4 CIDR ranges to use on all egress rules | list(string) |
[ |
no |
| egress_ipv6_cidr_blocks | List of IPv6 CIDR ranges to use on all egress rules | list(string) |
[ |
no |
| egress_prefix_list_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules | list(string) |
[] |
no |
| egress_rules | List of egress rules to create by name | list(string) |
[] |
no |
| egress_with_cidr_blocks | List of egress rules to create where 'cidr_blocks' is used | list(map(string)) |
[] |
no |
| egress_with_ipv6_cidr_blocks | List of egress rules to create where 'ipv6_cidr_blocks' is used | list(map(string)) |
[] |
no |
| egress_with_self | List of egress rules to create where 'self' is defined | list(map(string)) |
[] |
no |
| egress_with_source_security_group_id | List of egress rules to create where 'source_security_group_id' is used | list(map(string)) |
[] |
no |
| ingress_cidr_blocks | List of IPv4 CIDR ranges to use on all ingress rules | list(string) |
[] |
no |
| ingress_ipv6_cidr_blocks | List of IPv6 CIDR ranges to use on all ingress rules | list(string) |
[] |
no |
| ingress_prefix_list_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules | list(string) |
[] |
no |
| ingress_rules | List of ingress rules to create by name | list(string) |
[] |
no |
| ingress_with_cidr_blocks | List of ingress rules to create where 'cidr_blocks' is used | list(map(string)) |
[] |
no |
| ingress_with_ipv6_cidr_blocks | List of ingress rules to create where 'ipv6_cidr_blocks' is used | list(map(string)) |
[] |
no |
| ingress_with_self | List of ingress rules to create where 'self' is defined | list(map(string)) |
[] |
no |
| ingress_with_source_security_group_id | List of ingress rules to create where 'source_security_group_id' is used | list(map(string)) |
[] |
no |
| name | Name of security group - not required if create_group is false | string |
null |
no |
| number_of_computed_egress_rules | Number of computed egress rules to create by name | number |
0 |
no |
| number_of_computed_egress_with_cidr_blocks | Number of computed egress rules to create where 'cidr_blocks' is used | number |
0 |
no |
| number_of_computed_egress_with_ipv6_cidr_blocks | Number of computed egress rules to create where 'ipv6_cidr_blocks' is used | number |
0 |
no |
| number_of_computed_egress_with_self | Number of computed egress rules to create where 'self' is defined | number |
0 |
no |
| number_of_computed_egress_with_source_security_group_id | Number of computed egress rules to create where 'source_security_group_id' is used | number |
0 |
no |
| number_of_computed_ingress_rules | Number of computed ingress rules to create by name | number |
0 |
no |
| number_of_computed_ingress_with_cidr_blocks | Number of computed ingress rules to create where 'cidr_blocks' is used | number |
0 |
no |
| number_of_computed_ingress_with_ipv6_cidr_blocks | Number of computed ingress rules to create where 'ipv6_cidr_blocks' is used | number |
0 |
no |
| number_of_computed_ingress_with_self | Number of computed ingress rules to create where 'self' is defined | number |
0 |
no |
| number_of_computed_ingress_with_source_security_group_id | Number of computed ingress rules to create where 'source_security_group_id' is used | number |
0 |
no |
| revoke_rules_on_delete | Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. Enable for EMR. | bool |
false |
no |
| rules | Map of known security group rules (define as 'name' = ['from port', 'to port', 'protocol', 'description']) | map(list(any)) |
{ |
no |
| security_group_id | ID of existing security group whose rules we will manage | string |
null |
no |
| tags | A mapping of tags to assign to security group | map(string) |
{} |
no |
| use_name_prefix | Whether to use name_prefix or fixed name. Should be true to able to update security group name after initial creation | bool |
true |
no |
| vpc_id | ID of the VPC where to create security group | string |
null |
no |
Outputs
| Name | Description |
|---|---|
| security_group_description | The description of the security group |
| security_group_id | The ID of the security group |
| security_group_name | The name of the security group |
| security_group_owner_id | The owner ID |
| security_group_vpc_id | The VPC ID |
Authors
Module managed by Anton Babenko.
License
Apache 2 Licensed. See LICENSE for full details.
-
Terraform安装完成以后,我们直接开始创建一些基础设施。 我们在AWS上创建一些基础设施来开始入门指南,因为它最流行且通常可以被理解,但是Terraform可以管理许多provider,包含在单个配置文件中管理多个provider。在使用案例中有一些例子。 如果你没有AWS账号,就创建一个。在入门指南中,我们将只会用AWS免费试用的资源,也就是说它是免费的。如果你已经有一个AWS账号,你可能
-
aws terraform Getting Started with Atlas by HashiCorp tutorial series HashiCorp的Atlas入门教程系列的第3部分 In the previous tutorial, three AMIs were built. This step will deploy those AMIs with Terraform. 在上一教程
-
以前,我们在自动缩放组中设置了一些Apache Ignite服务器。 下一步是在自动扩展组前面添加负载均衡器。 在执行任何步骤之前,我们将一些环境变量添加到variables.tf中。 variable "autoscalling_group_elb_name" { type = string default = "autoscallinggroupelb" } variab
-
在上个页面,你使用Terraform创建了你第一个基础设施:一个EC2实例。在本页,我们将变更那个资源,并了解Terraform如何处理变更。 基础设施在持续发展,Terraform的创建就是为了管理和实施这些变更。当你修改配置文件时,Terraform构建一个变更必要的执行计划来达到你的期望状态。 使用Terraform变更基础设施,你不仅可以版本控制你的配置也可以版本控制你的状态,所以你可以看
-
aws terraform 以前,我们在自动缩放组中设置了一些Apache Ignite服务器。 下一步是在自动扩展组前面添加负载均衡器。 在执行任何步骤之前,我们将一些环境变量添加到variables.tf中。 variable "autoscalling_group_elb_name" { type = string default = "autoscallinggroupe
-
aws cloud map 因此,您在开发帐户上工作,并且Terraform陷入了一个循环,难道不让您轻易销毁剩余资源吗? 进入nuke CLI的世界! 在撰写本文时,我使用的是v0.1.16版本 用Go语言编写的《 Gruntwork》不会破坏掉aws-nuke那样多的对象; 自2017年5月以来一直存在 如果您使用~/.aws/credentials ,请在~/.aws/credentials
相关资料
-
Terraform AWS frontend module Collection of Terraform modules for frontend app deployment on AWS. List of submodules Frontend app Maintainers Bartłomiej Wójtowicz (@qbart) Łukasz Pawlik (@LukeP91) LIC
-
Terraform Provider for AWS Website: terraform.io Tutorials: learn.hashicorp.com Forum: discuss.hashicorp.com Chat: gitter Mailing List: Google Groups The Terraform AWS provider is a plugin for Terrafo
-
AWS VPC Terraform module Terraform module which creates VPC resources on AWS. Usage module "vpc" { source = "terraform-aws-modules/vpc/aws" name = "my-vpc" cidr = "10.0.0.0/16" azs = [
-
Mastodon on AWS with Terraform Terraform module for mastodon service deploy Will deploy an ec2 instance with mastodon and run the service. Requirements AWS account EC2 domain with Route53 Terraform Us
-
AWS RDS Terraform module Terraform module which creates RDS resources on AWS. Root module calls these modules which can also be used separately to create independent resources: db_instance - creates R
-
AWS Identity and Access Management (IAM) Terraform module Features Cross-account access. Define IAM roles using iam_assumable_role or iam_assumable_roles submodules in "resource AWS accounts (prod, st