forked from monzo/etcd3-terraform
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsg.tf
144 lines (131 loc) · 4.54 KB
/
sg.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
resource "aws_security_group" "default" {
name = "${var.role}.${data.aws_region.current.name}.i.${var.environment}.${var.dns}"
description = "ASG-${var.role}"
vpc_id = data.aws_vpc.target.id
tags = {
Name = "${var.role}.${data.aws_region.current.name}.i.${var.environment}.${var.dns}"
role = var.role
environment = var.environment
}
}
resource "aws_security_group_rule" "etcd_peers_i" {
# etcd peer + client traffic within the etcd nodes themselves
type = "ingress"
from_port = 2379
to_port = 2380
protocol = "tcp"
self = true
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_peers_e" {
# etcd peer + client traffic within the etcd nodes themselves
type = "egress"
from_port = 2379
to_port = 2380
protocol = "tcp"
self = true
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_clients_i" {
# etcd peer + client traffic within the etcd nodes themselves
type = "ingress"
from_port = 2379
to_port = 2380
protocol = "tcp"
cidr_blocks = var.client_cidrs
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_health_i" {
# plain http healthcheck and metrics from lb & to/from peers
type = "ingress"
from_port = 8080
to_port = 8080
protocol = "tcp"
cidr_blocks = var.client_cidrs
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_health_e" {
# plain http healthcheck and metrics from lb & to/from peers
type = "egress"
from_port = 8080
to_port = 8080
protocol = "tcp"
cidr_blocks = var.client_cidrs
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_heal_p_e" {
# plain http healthcheck and metrics from lb & to/from peers
type = "egress"
from_port = 8080
to_port = 8080
protocol = "tcp"
cidr_blocks = [data.aws_vpc.target.cidr_block]
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_heal_p_i" {
# plain http healthcheck and metrics from lb & to/from peers
type = "ingress"
from_port = 8080
to_port = 8080
protocol = "tcp"
cidr_blocks = [data.aws_vpc.target.cidr_block]
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_heal_a_i" {
# plain http healthcheck and metrics from lb & to/from peers
type = "ingress"
from_port = 8080
to_port = 8080
protocol = "tcp"
self = true
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "etcd_heal_a_e" {
# plain http healthcheck and metrics from lb & to/from peers
type = "egress"
from_port = 8080
to_port = 8080
protocol = "tcp"
self = true
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "ssh_i" {
count = length(var.ssh_cidrs) > 0 ? 1 : 0
# ssh
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_cidrs
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "tls_e" {
count = length(var.allow_download_from_cidrs) > 0 ? 1 : 0
# https outbound (for github and metadata access)
type = "egress"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = var.allow_download_from_cidrs
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "ntp_t_e" {
count = length(var.allow_download_from_cidrs) > 0 ? 1 : 0
# ntp outbound (TCP)
type = "egress"
from_port = 123
to_port = 123
protocol = "tcp"
cidr_blocks = var.allow_download_from_cidrs
security_group_id = aws_security_group.default.id
}
resource "aws_security_group_rule" "ntp_u_e" {
count = length(var.allow_download_from_cidrs) > 0 ? 1 : 0
# ntp outbound (UDP)
type = "egress"
from_port = 123
to_port = 123
protocol = "udp"
cidr_blocks = var.allow_download_from_cidrs
security_group_id = aws_security_group.default.id
}