add consul-client-sg-rules

dsaidgovsg · Dec 1, 2023 · 4c69524 · 4c69524
1 parent 152a19a
commit 4c69524
Show file tree

Hide file tree

Showing 4 changed files with 184 additions and 0 deletions.
diff --git a/modules/consul-client-security-group-rules/INOUT.md b/modules/consul-client-security-group-rules/INOUT.md
@@ -0,0 +1,20 @@
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| allowed\_inbound\_cidr\_blocks | A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow connections to Consul | `list(string)` | `[]` | no |
+| allowed\_inbound\_security\_group\_count | The number of entries in var.allowed\_inbound\_security\_group\_ids. Ideally, this value could be computed dynamically, but we pass this variable to a Terraform resource's 'count' property and Terraform requires that 'count' be computed with literals or data sources only. | `number` | `0` | no |
+| allowed\_inbound\_security\_group\_ids | A list of security group IDs that will be allowed to connect to Consul | `list(string)` | `[]` | no |
+| security\_group\_id | The ID of the security group to which we should add the Consul security group rules | `any` | n/a | yes |
+| serf\_lan\_port | The port used to handle gossip in the LAN. Required by all agents. | `number` | `8301` | no |
+
+## Outputs
+
+No output.
+
diff --git a/modules/consul-client-security-group-rules/README.md b/modules/consul-client-security-group-rules/README.md
@@ -0,0 +1,47 @@
+# Consul Client Security Group Rules Module
+
+This folder contains a [Terraform](https://www.terraform.io/) module that defines the security group rules used by a 
+[Consul](https://www.consul.io/) client to control the traffic that is allowed to go in and out. 
+
+Normally, you'd get these rules by default if you're using the [consul-cluster module](https://github.com/hashicorp/terraform-aws-consul/tree/master/modules/consul-cluster), but if 
+you're running Consul on top of a different cluster, then you can use this module to add the necessary security group 
+rules to that cluster. For example, imagine you were using the [vault-cluster 
+module](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster) to run a cluster of 
+servers that have both Vault and Consul agent on each node:
+
+```hcl
+module "vault_servers" {
+  source = "git::[email protected]:hashicorp/terraform-aws-vault.git//modules/vault-cluster?ref=v0.0.1"
+  
+  # This AMI has both Vault and Consul installed
+  ami_id = "ami-1234abcd"
+}
+```
+
+The `vault-cluster` module will provide the security group rules for Vault, but not for the Consul agent. To ensure those servers
+have the necessary ports open for using Consul, you can use this module as follows:
+
+```hcl
+module "security_group_rules" {
+  source = "git::[email protected]:hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.0.2"
+
+  security_group_id = "${module.vault_servers.security_group_id}"
+  
+  # ... (other params omitted) ...
+}
+```
+
+Note the following parameters:
+
+* `source`: Use this parameter to specify the URL of this module. The double slash (`//`) is intentional 
+  and required. Terraform uses it to specify subfolders within a Git repo (see [module 
+  sources](https://www.terraform.io/docs/modules/sources.html)). The `ref` parameter specifies a specific Git tag in 
+  this repo. That way, instead of using the latest version of this module from the `master` branch, which 
+  will change every time you run Terraform, you're using a fixed version of the repo.
+
+* `security_group_id`: Use this parameter to specify the ID of the security group to which the rules in this module
+  should be added.
+
+You can find the other parameters in [variables.tf](variables.tf).
+
+Check out the [consul-cluster module](https://github.com/hashicorp/terraform-aws-consul/tree/master/modules/consul-cluster) for working sample code.
diff --git a/modules/consul-client-security-group-rules/main.tf b/modules/consul-client-security-group-rules/main.tf
@@ -0,0 +1,81 @@
+## ---------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# ---------------------------------------------------------------------------------------------------------------------
+
+terraform {
+  # This module is now only being tested with Terraform 0.13.x. However, to make upgrading easier, we are setting
+  # 0.12.26 as the minimum version, as that version added support for required_providers with source URLs, making it
+  # forwards compatible with 0.13.x code.
+  required_version = ">= 0.12.26"
+}
+
+## ---------------------------------------------------------------------------------------------------------------------
+# CREATE THE SECURITY GROUP RULES THAT CONTROL WHAT TRAFFIC CAN GO IN AND OUT OF A CONSUL AGENT CLUSTER
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound" {
+  count       = length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0
+  type        = "ingress"
+  from_port   = var.serf_lan_port
+  to_port     = var.serf_lan_port
+  protocol    = "tcp"
+  cidr_blocks = var.allowed_inbound_cidr_blocks
+
+  security_group_id = var.security_group_id
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_udp_inbound" {
+  count       = length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0
+  type        = "ingress"
+  from_port   = var.serf_lan_port
+  to_port     = var.serf_lan_port
+  protocol    = "udp"
+  cidr_blocks = var.allowed_inbound_cidr_blocks
+
+  security_group_id = var.security_group_id
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound_from_security_group_ids" {
+  count                    = var.allowed_inbound_security_group_count
+  type                     = "ingress"
+  from_port                = var.serf_lan_port
+  to_port                  = var.serf_lan_port
+  protocol                 = "tcp"
+  source_security_group_id = element(var.allowed_inbound_security_group_ids, count.index)
+
+  security_group_id = var.security_group_id
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_udp_inbound_from_security_group_ids" {
+  count                    = var.allowed_inbound_security_group_count
+  type                     = "ingress"
+  from_port                = var.serf_lan_port
+  to_port                  = var.serf_lan_port
+  protocol                 = "udp"
+  source_security_group_id = element(var.allowed_inbound_security_group_ids, count.index)
+
+  security_group_id = var.security_group_id
+}
+
+# Similar to the *_inbound_from_security_group_ids rules, allow inbound from ourself
+
+resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound_from_self" {
+  type      = "ingress"
+  from_port = var.serf_lan_port
+  to_port   = var.serf_lan_port
+  protocol  = "tcp"
+  self      = true
+
+  security_group_id = var.security_group_id
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_udp_inbound_from_self" {
+  type      = "ingress"
+  from_port = var.serf_lan_port
+  to_port   = var.serf_lan_port
+  protocol  = "udp"
+  self      = true
+
+  security_group_id = var.security_group_id
+}
+
diff --git a/modules/consul-client-security-group-rules/variables.tf b/modules/consul-client-security-group-rules/variables.tf
@@ -0,0 +1,36 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# REQUIRED PARAMETERS
+# You must provide a value for each of these parameters.
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "security_group_id" {
+  description = "The ID of the security group to which we should add the Consul security group rules"
+}
+
+variable "allowed_inbound_cidr_blocks" {
+  description = "A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow connections to Consul"
+  type        = list(string)
+  default     = []
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# OPTIONAL PARAMETERS
+# These parameters have reasonable defaults.
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "allowed_inbound_security_group_ids" {
+  description = "A list of security group IDs that will be allowed to connect to Consul"
+  type        = list(string)
+  default     = []
+}
+
+variable "allowed_inbound_security_group_count" {
+  description = "The number of entries in var.allowed_inbound_security_group_ids. Ideally, this value could be computed dynamically, but we pass this variable to a Terraform resource's 'count' property and Terraform requires that 'count' be computed with literals or data sources only."
+  default     = 0
+}
+
+variable "serf_lan_port" {
+  description = "The port used to handle gossip in the LAN. Required by all agents."
+  default     = 8301
+}
+