Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds support for custom Security Group rules #8

Merged
merged 8 commits into from
Aug 6, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,7 @@ Available targets:
|------|--------|---------|
| <a name="module_iam_label"></a> [iam\_label](#module\_iam\_label) | cloudposse/label/null | 0.24.1 |
| <a name="module_logging_label"></a> [logging\_label](#module\_logging\_label) | cloudposse/label/null | 0.24.1 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 0.3.1 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.24.1 |

## Resources
Expand Down Expand Up @@ -192,6 +193,10 @@ Available targets:
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | This is the bucket that the SFTP users will use when managing files | `string` | n/a | yes |
| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | The Security Group description. | `string` | `"AWS Transfer Server Security Group"` | no |
| <a name="input_security_group_enabled"></a> [security\_group\_enabled](#input\_security\_group\_enabled) | Whether to create default Security Group for AWS Transfer Server. | `bool` | `true` | no |
| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules. <br>The values of map is fully complated with `aws_security_group_rule` resource. <br>To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | <pre>[<br> {<br> "cidr_blocks": [<br> "0.0.0.0/0"<br> ],<br> "description": "Allow inbound traffic",<br> "from_port": 22,<br> "protocol": "tcp",<br> "to_port": 22,<br> "type": "ingress"<br> }<br>]</pre> | no |
| <a name="input_security_group_use_name_prefix"></a> [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no |
| <a name="input_security_policy_name"></a> [security\_policy\_name](#input\_security\_policy\_name) | Specifies the name of the security policy that is attached to the server. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, and TransferSecurityPolicy-FIPS-2020-06. Default value is: TransferSecurityPolicy-2018-11. | `string` | `"TransferSecurityPolicy-2018-11"` | no |
| <a name="input_sftp_users"></a> [sftp\_users](#input\_sftp\_users) | List of SFTP usernames and public keys | <pre>map(object({<br> user_name = string,<br> public_key = string<br> }))</pre> | `{}` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
Expand Down
5 changes: 5 additions & 0 deletions docs/terraform.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
|------|--------|---------|
| <a name="module_iam_label"></a> [iam\_label](#module\_iam\_label) | cloudposse/label/null | 0.24.1 |
| <a name="module_logging_label"></a> [logging\_label](#module\_logging\_label) | cloudposse/label/null | 0.24.1 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 0.3.1 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.24.1 |

## Resources
Expand Down Expand Up @@ -62,6 +63,10 @@
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | This is the bucket that the SFTP users will use when managing files | `string` | n/a | yes |
| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | The Security Group description. | `string` | `"AWS Transfer Server Security Group"` | no |
| <a name="input_security_group_enabled"></a> [security\_group\_enabled](#input\_security\_group\_enabled) | Whether to create default Security Group for AWS Transfer Server. | `bool` | `true` | no |
| <a name="input_security_group_rules"></a> [security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules. <br>The values of map is fully complated with `aws_security_group_rule` resource. <br>To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | <pre>[<br> {<br> "cidr_blocks": [<br> "0.0.0.0/0"<br> ],<br> "description": "Allow inbound traffic",<br> "from_port": 22,<br> "protocol": "tcp",<br> "to_port": 22,<br> "type": "ingress"<br> }<br>]</pre> | no |
| <a name="input_security_group_use_name_prefix"></a> [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no |
| <a name="input_security_policy_name"></a> [security\_policy\_name](#input\_security\_policy\_name) | Specifies the name of the security policy that is attached to the server. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, and TransferSecurityPolicy-FIPS-2020-06. Default value is: TransferSecurityPolicy-2018-11. | `string` | `"TransferSecurityPolicy-2018-11"` | no |
| <a name="input_sftp_users"></a> [sftp\_users](#input\_sftp\_users) | List of SFTP usernames and public keys | <pre>map(object({<br> user_name = string,<br> public_key = string<br> }))</pre> | `{}` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
Expand Down
38 changes: 12 additions & 26 deletions examples/vpc/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -23,27 +23,6 @@ module "dynamic_subnets" {
context = module.this.context
}

module "security_group" {
source = "cloudposse/security-group/aws"
version = "0.3.1"
environment = "test"
id_length_limit = null
label_key_case = "title"

vpc_id = module.vpc.vpc_id
rules = [
{
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
]

context = module.this.context
}

module "s3_bucket" {
source = "cloudposse/s3-bucket/aws"
version = "0.41.0"
Expand All @@ -59,11 +38,18 @@ module "example" {
source = "../.."

eip_enabled = true
s3_bucket_name = module.s3_bucket.bucket_id
sftp_users = var.sftp_users
subnet_ids = [module.dynamic_subnets.public_subnet_ids[0]]
vpc_id = module.vpc.vpc_id
vpc_security_group_ids = [module.security_group.id]
security_group_enabled = true
security_group_rules = [{
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}]
s3_bucket_name = module.s3_bucket.bucket_id
sftp_users = var.sftp_users
subnet_ids = [module.dynamic_subnets.public_subnet_ids[0]]
vpc_id = module.vpc.vpc_id

context = module.this.context
}
18 changes: 16 additions & 2 deletions main.tf
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
locals {
enabled = module.this.enabled

is_vpc = var.vpc_id != null
is_vpc = var.vpc_id != null
security_group_enabled = module.this.enabled && var.security_group_enabled
}

data "aws_s3_bucket" "landing" {
Expand All @@ -26,7 +27,7 @@ resource "aws_transfer_server" "default" {

content {
subnet_ids = var.subnet_ids
security_group_ids = var.vpc_security_group_ids
security_group_ids = local.security_group_enabled ? module.security_group.*.id : var.vpc_security_group_ids
vpc_id = var.vpc_id
address_allocation_ids = var.eip_enabled ? aws_eip.sftp.*.id : var.address_allocation_ids
}
Expand Down Expand Up @@ -66,6 +67,19 @@ resource "aws_eip" "sftp" {
vpc = local.is_vpc
}

module "security_group" {
source = "cloudposse/security-group/aws"
version = "0.3.1"

use_name_prefix = var.security_group_use_name_prefix
rules = var.security_group_rules
description = var.security_group_description
vpc_id = local.is_vpc ? var.vpc_id : null

enabled = local.security_group_enabled
context = module.this.context
}

# Custom Domain
resource "aws_route53_record" "main" {
count = local.enabled && length(var.domain_name) > 0 && length(var.zone_id) > 0 ? 1 : 0
Expand Down
37 changes: 37 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,43 @@ variable "address_allocation_ids" {
default = []
}

variable "security_group_enabled" {
type = bool
description = "Whether to create default Security Group for AWS Transfer Server."
default = true
}

variable "security_group_description" {
type = string
default = "AWS Transfer Server Security Group"
description = "The Security Group description."
}

variable "security_group_use_name_prefix" {
type = bool
default = false
description = "Whether to create a default Security Group with unique name beginning with the normalized prefix."
}

variable "security_group_rules" {
type = list(any)
default = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or this be an empty array by default?

{
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "Allow inbound traffic"
}
]
description = <<-EOT
A list of maps of Security Group rules.
The values of map is fully complated with `aws_security_group_rule` resource.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .
EOT
}

variable "vpc_security_group_ids" {
type = list(string)
description = "A list of security groups IDs that are available to attach to your server's endpoint. If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when endpoint_type is set to VPC."
Expand Down