A helper module to make managing rules for Security Groups and NACLs less painful.
This module is only a one-stop-shop for network security rule generation. It may stray into the realm of VPC setup, but only the parts directly relating to network security.
Usage
This module requires you to assign every port range, CIDR block, and Security Group a name. Then you provide a set of mappings between source and destination groups, listing the port ranges that are open. All of this is done by referencing the names you gave them earlier. Finally, the module flattens this config and builds the network security rules from it.
Example
The following example hopefully shows how easy setting up the rules becomes when you’re focusing on the intent.
```hcl
resource "aws_security_group" "Group" {
  for_each = toset([ "Albs", "Apps", "Data" ])
}

module "NetSec" {
  source = "../.."

  SecurityGroupIds = {
    Albs = aws_security_group.Group["Albs"].id # Public-facing load balancers.
    Apps = aws_security_group.Group["Apps"].id # Protected apps.
    Data = aws_security_group.Group["Data"].id # Private database.
  }

  CidrBlocks = {
    Anywhere = "0.0.0.0/0"          # A.k.a. the internet. Always included, but can be overridden.
    AdminVm  = "123.123.123.123/32" # An extremely bad example, don't actually do this.
  }

  PortRanges = {
    Dns    = { Proto = "udp", Min = 53,   Max = 53 }
    Http   = { Proto = "tcp", Min = 80,   Max = 80 }
    Https  = { Proto = "tcp", Min = 443,  Max = 443 }
    Https2 = { Proto = "tcp", Min = 8443, Max = 8443 }
    Jdbc   = { Proto = "tcp", Min = 5432, Max = 5432 }
    Ssh    = { Proto = "tcp", Min = 22,   Max = 22 }
  }

  Rules = {
    Anywhere = {
      Albs = [ "Http", "Https" ] # The internet can access ALBs via https or http (which redirects to https).
    }
    Albs = {
      Apps = [ "Https2" ] # ALBs can access apps via unreserved https.
    }
    Apps = {
      Anywhere = [ "Https" ]         # Apps can access the internet via https.
      Apps     = [ "Https2", "Dns" ] # Apps can access each other via https and dns.
      Data     = [ "Jdbc", "Dns" ]   # Apps can access the database via JDBC (and resolve it via dns).
    }
    AdminVm = {
      Apps = [ "Https2", "Ssh" ]        # The admin VM can access apps via unreserved https or ssh.
      Data = [ "Https", "Ssh", "Jdbc" ] # The admin VM can access the database via https, ssh, and jdbc.
    }
    Data = {} # Databases don't initiate any connections.
  }
}

# Output all the security rules generated by the module and attached to the
# "Albs" security group.
output "NetSecAlbRules" {
  value = [ for Rule in module.NetSec.Rules["Albs"] : Rule["Id"] ]
}
```
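As an added illustration of the flattening step described under Usage (this is not the module's own source), the following shows how the named `Rules`, `PortRanges`, `CidrBlocks` and `SecurityGroupIds` inputs can be expanded into one AWS rule resource per (source, destination, port range). It assumes the module variables carry the same names as the example inputs above and targets the AWS provider's `aws_vpc_security_group_ingress_rule` / `aws_vpc_security_group_egress_rule` resources; the lowercase field names inside `locals` are my own.

```hcl
locals {
  # One row per (source, destination, port range) from the nested Rules map.
  # An unknown port-range name fails here at plan time (no such key in PortRanges).
  flat = flatten([
    for src, dsts in var.Rules : [
      for dst, ranges in dsts : [
        for r in ranges : {
          key   = "${src}-${dst}-${r}"
          src   = src
          dst   = dst
          proto = var.PortRanges[r].Proto
          min   = var.PortRanges[r].Min
          max   = var.PortRanges[r].Max
        }
      ]
    ]
  ])
  is_sg = { for n, _ in var.SecurityGroupIds : n => true }

  # Ingress attaches to the destination SG, egress to the source SG.
  # A pair with a CIDR on both sides matches neither map and is ignored.
  ingress = { for f in local.flat : f.key => f if lookup(local.is_sg, f.dst, false) }
  egress  = { for f in local.flat : f.key => f if lookup(local.is_sg, f.src, false) }
}

# The peer is either a named Security Group or a named CIDR block, never both.
resource "aws_vpc_security_group_ingress_rule" "this" {
  for_each                     = local.ingress
  security_group_id            = var.SecurityGroupIds[each.value.dst]
  ip_protocol                  = each.value.proto
  from_port                    = each.value.min
  to_port                      = each.value.max
  referenced_security_group_id = lookup(var.SecurityGroupIds, each.value.src, null)
  cidr_ipv4                    = lookup(var.CidrBlocks, each.value.src, null)
}

resource "aws_vpc_security_group_egress_rule" "this" {
  for_each                     = local.egress
  security_group_id            = var.SecurityGroupIds[each.value.src]
  ip_protocol                  = each.value.proto
  from_port                    = each.value.min
  to_port                      = each.value.max
  referenced_security_group_id = lookup(var.SecurityGroupIds, each.value.dst, null)
  cidr_ipv4                    = lookup(var.CidrBlocks, each.value.dst, null)
}
```

With the example inputs above this yields 13 flat rows, of which 12 become ingress rules (the `Apps -> Anywhere` row has a CIDR destination) and 6 become egress rules (rows sourced from `Anywhere` and `AdminVm` have a CIDR source). A misspelled source or destination name that is neither a Security Group nor a CIDR leaves a rule with no peer, which the provider rejects rather than silently ignoring.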
Terraform Docs
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.3 |
Providers
| Name | Version |
|---|---|
| n/a | |
Resources
| Name | Type |
|---|---|
| | resource |
| | resource |
| | resource |
| | resource |
| | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| CidrBlocks | Named CIDR address blocks to incorporate into rules. CIDR blocks don't have rules applied against them directly, so they don't appear in the outputs, but the Security Group side of each rule is still attached to the group in question. CIDR-to-CIDR rules are ignored. | | | no |
| PortRanges | Definitions for all the port ranges used in this config. | | n/a | yes |
| Rules | Traffic allowed from where to where over which ranges. | | n/a | yes |
| SecurityGroupIds | Security groups that already exist and should be integrated with a specific rule configuration. | | n/a | yes |
Outputs
| Name | Description |
|---|---|
| Rules | Ids of all the created rules. |
Potential Future Work
- Security Group creation.
- Output graphviz of rules.