Use security_group_ingress/egress rule resources, not inline rules

Signed-off-by: David.Houck <[email protected]>
sassoftware · Dec 3, 2024 · 58f1a6f · 58f1a6f
1 parent 9c8e5dd
commit 58f1a6f
Showing 1 changed file with 9 additions and 93 deletions.
diff --git a/security.tf b/security.tf
@@ -23,17 +23,6 @@ resource "aws_security_group" "sg" {
   tags = merge(local.tags, { "Name" : "${var.prefix}-sg" })
 }
 
-# resource "aws_security_group" "sg_a" {
-#   count  = var.security_group_id == null && var.vpc_private_endpoints_enabled == false ? 1 : 0
-#   name   = "${var.prefix}-sg"
-#   vpc_id = module.vpc.vpc_id
-
-#   description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs"
-# }
-
-  # See above Note, Remove this egress rule and replace with aws_vpc_security_group_ingress_rule resource instead
-  # Look for all instances of this security group egress or ingress pattern in this file and replace likewise
-
 resource "aws_vpc_security_group_egress_rule" "sg" {
 
   security_group_id = local.security_group_id
@@ -45,9 +34,10 @@ resource "aws_vpc_security_group_egress_rule" "sg" {
   tags = merge(local.tags, { "Name" : "${var.prefix}-sg" })
 }
 
-# We only need this/these ingress rule(s) if we are using VPC Endpoints
+# Only create this/these ingress rule(s) if we are using VPC Endpoints
 # Creates an ingress rules for each vpc_endpoint_private_access_cidrs in the list
 resource "aws_vpc_security_group_ingress_rule" "sg" {
+
   for_each = var.security_group_id == null && var.vpc_private_endpoints_enabled ? toset(local.vpc_endpoint_private_access_cidrs) : toset([])
 
   security_group_id = local.security_group_id
@@ -60,47 +50,8 @@ resource "aws_vpc_security_group_ingress_rule" "sg" {
   tags = merge(local.tags, { "Name" : "${var.prefix}-sg" })
 }
 
-# # Security Groups - https://www.terraform.io/docs/providers/aws/r/security_group.html
-# resource "aws_security_group" "sg_b" {
-#   count  = var.security_group_id == null && var.vpc_private_endpoints_enabled ? 1 : 0
-#   name   = "${var.prefix}-sg"
-#   vpc_id = module.vpc.vpc_id
-
-#   description = "Auxiliary security group associated with RDS ENIs and VPC Endpoint ENIs as well as Jump/NFS VM ENIs when they have public IPs"
-# }
-  # Replace with aws_vpc_security_group_egress_rule resource - Done
-
-# resource "aws_vpc_security_group_egress_rule" "sg" {
-
-#   security_group_id = "aws_security_group.sg.id"
-
-#  # egress {
-#     description = "Allow all outbound traffic."
-#     from_port   = 0
-#     to_port     = 0
-#     ip_protocol    = "-1"
-#     cidr_ipv4 = "0.0.0.0/0"
-
-#   }
-  # Replace with aws_vpc_security_group_ingress_rule resource
-#   ingress {
-#     description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints"
-#     from_port   = 443
-#     to_port     = 443
-#     protocol    = "tcp"
-#     cidr_blocks = local.vpc_endpoint_private_access_cidrs
-#   }
-#   tags = merge(local.tags, { "Name" : "${var.prefix}-sg" })
-# }
-
 resource "aws_vpc_security_group_ingress_rule" "vms" {
-  # count = (length(local.vm_public_access_cidrs) > 0
-  #   && var.security_group_id == null
-  #   && ((var.create_jump_public_ip && var.create_jump_vm)
-  #     || (var.create_nfs_public_ip && var.storage_type == "standard")
-  #   )
-  #   ? 1 : 0
-  # )
+
   for_each = var.security_group_id == null && ((var.create_jump_public_ip && var.create_jump_vm)) ? toset(local.vm_public_access_cidrs) : toset([])
 
   security_group_id = local.security_group_id
@@ -120,17 +71,8 @@ resource "aws_vpc_security_group_ingress_rule" "all" {
   referenced_security_group_id = local.security_group_id
 }
 
-# resource "aws_security_group_rule" "all" {
-#   type              = "ingress"
-#   description       = "Allow internal security group communication."
-#   from_port         = 0
-#   to_port           = 0
-#   protocol          = "all"
-#   security_group_id = local.security_group_id
-#   self              = true
-# }
-
 resource "aws_vpc_security_group_ingress_rule" "postgres_internal" {
+
   for_each          = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([])
 
   description       = "Allow Postgress within network"
@@ -141,18 +83,8 @@ resource "aws_vpc_security_group_ingress_rule" "postgres_internal" {
   referenced_security_group_id = local.security_group_id
 }
 
-# resource "aws_security_group_rule" "postgres_internal" {
-#   for_each          = local.postgres_sgr_ports != null ? toset(local.postgres_sgr_ports) : toset([])
-#   type              = "ingress"
-#   description       = "Allow Postgres within network"
-#   from_port         = each.key
-#   to_port           = each.key
-#   protocol          = "tcp"
-#   self              = true
-#   security_group_id = local.security_group_id
-# }
-
 resource "aws_vpc_security_group_ingress_rule" "postgres_external" {
+
   for_each = (length(local.postgres_public_access_cidrs) > 0
     ? local.postgres_sgr_ports != null
     ? local.ingress_pairs
@@ -168,23 +100,6 @@ resource "aws_vpc_security_group_ingress_rule" "postgres_external" {
   security_group_id = local.security_group_id
 }
 
-# resource "aws_security_group_rule" "postgres_external" {
-#   for_each = (length(local.postgres_public_access_cidrs) > 0
-#     ? local.postgres_sgr_ports != null
-#     ? toset(local.postgres_sgr_ports)
-#     : toset([])
-#     : toset([])
-#   )
-#   type              = "ingress"
-#   description       = "Allow Postgres from source"
-#   from_port         = each.key
-#   to_port           = each.key
-#   protocol          = "tcp"
-#   cidr_blocks       = local.postgres_public_access_cidrs
-#   security_group_id = local.security_group_id
-# }
-
-
 resource "aws_security_group" "cluster_security_group" {
 
   count = var.cluster_security_group_id == null ? 1 : 0
@@ -197,8 +112,8 @@ resource "aws_security_group" "cluster_security_group" {
 
 }
 
-  # Replace with aws_vpc_security_group_egress_rule resource
 resource "aws_vpc_security_group_egress_rule" "cluster_security_group" {
+
   count = var.cluster_security_group_id == null ? 1 : 0
 
   description = "Allow all outbound traffic."
@@ -207,8 +122,8 @@ resource "aws_vpc_security_group_egress_rule" "cluster_security_group" {
   security_group_id = local.cluster_security_group_id
   }
 
-  # Replace with aws_vpc_security_group_ingress_rule resource
 resource "aws_vpc_security_group_ingress_rule" "cluster_security_group" {
+
   for_each = var.cluster_security_group_id == null ? toset(local.cluster_endpoint_private_access_cidrs) : toset([])
 
   description       = "Allow additional HTTPS/443 ingress to private EKS cluster API server endpoint per var.cluster_endpoint_private_access_cidrs"
@@ -220,7 +135,6 @@ resource "aws_vpc_security_group_ingress_rule" "cluster_security_group" {
   }
 
 
-  # Replace with aws_vpc_security_group_ingress_rule resource
 resource "aws_vpc_security_group_ingress_rule" "cluster_ingress" {
 
   count = var.cluster_security_group_id == null ? 1 : 0
@@ -234,6 +148,7 @@ resource "aws_vpc_security_group_ingress_rule" "cluster_ingress" {
 }
 
 resource "aws_security_group" "workers_security_group" {
+
   count = var.workers_security_group_id == null ? 1 : 0
 
   description = "Security group for all nodes in the cluster."
@@ -246,6 +161,7 @@ resource "aws_security_group" "workers_security_group" {
 }
 
 resource "aws_vpc_security_group_egress_rule" "workers_security_group" {
+
   count = var.workers_security_group_id == null ? 1 : 0
 
   cidr_ipv4 = "0.0.0.0/0"