From 7e35afad269aeed8e5155bedb63750c9eac0f95a Mon Sep 17 00:00:00 2001
From: Bart Van Bos
Date: Thu, 16 Apr 2020 09:32:05 +0200
Subject: [PATCH] feat: Added support of kubernetes api server - 6443-tcp (#166)
---
 modules/README.md | 1 +
 modules/kubernetes-api/README.md | 102 ++++++++
 modules/kubernetes-api/auto_values.tf | 79 ++++++
 modules/kubernetes-api/main.tf | 114 +++++++++
 modules/kubernetes-api/outputs.tf | 24 ++
 modules/kubernetes-api/variables.tf | 342 ++++++++++++++++++++++++++
 rules.tf | 7 +
 7 files changed, 669 insertions(+)
 create mode 100644 modules/kubernetes-api/README.md
 create mode 100644 modules/kubernetes-api/auto_values.tf
 create mode 100644 modules/kubernetes-api/main.tf
 create mode 100644 modules/kubernetes-api/outputs.tf
 create mode 100644 modules/kubernetes-api/variables.tf
diff --git a/modules/README.md b/modules/README.md
index 7ae9f6ba..fb8ca00a 100644
--- a/modules/README.md
+++ b/modules/README.md
@@ -15,6 +15,7 @@ List of Security Groups implemented as Terraform modules
 * [ipsec-4500](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ipsec-4500)
 * [ipsec-500](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ipsec-500)
 * [kafka](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/kafka)
+* [kubernetes-api](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/kubernetes-api)
 * [ldaps](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ldaps)
 * [memcached](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/memcached)
 * [mongodb](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/mongodb)
diff --git a/modules/kubernetes-api/README.md b/modules/kubernetes-api/README.md
new file mode 100644
index 00000000..6f70a8fd
--- /dev/null
+++ b/modules/kubernetes-api/README.md
@@ -0,0 +1,102 @@ +# kubernetes-api - AWS EC2-VPC Security Group Terraform module + +## Usage + +```hcl +module "kubernetes_api_security_group" { + source = "terraform-aws-modules/security-group/aws//modules/kubernetes-api" + version = "~> 3.0" + + # omitted... +} +``` + +All automatic values **kubernetes-api module** is using are available [here](https://github.com/terraform-aws-modules/terraform-aws-security-group/blob/master/modules/kubernetes-api/auto_values.tf). + + +## Providers + +No provider. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:-----:| +| auto\_computed\_egress\_rules | List of computed egress rules to add automatically | `list(string)` | `[]` | no | +| auto\_computed\_egress\_with\_self | List of maps defining computed egress rules with self to add automatically | `list(map(string))` | `[]` | no | +| auto\_computed\_ingress\_rules | List of ingress rules to add automatically | `list(string)` | `[]` | no | +| auto\_computed\_ingress\_with\_self | List of maps defining computed ingress rules with self to add automatically | `list(map(string))` | `[]` | no | +| auto\_egress\_rules | List of egress rules to add automatically | `list(string)` |
[
"all-all"
]
| no | +| auto\_egress\_with\_self | List of maps defining egress rules with self to add automatically | `list(map(string))` | `[]` | no | +| auto\_ingress\_rules | List of ingress rules to add automatically | `list(string)` |
[
"kubernetes-api-tcp"
]
| no | +| auto\_ingress\_with\_self | List of maps defining ingress rules with self to add automatically | `list(map(string))` |
[
{
"rule": "all-all"
}
]
| no | +| auto\_number\_of\_computed\_egress\_rules | Number of computed egress rules to create by name | `number` | `0` | no | +| auto\_number\_of\_computed\_egress\_with\_self | Number of computed egress rules to create where 'self' is defined | `number` | `0` | no | +| auto\_number\_of\_computed\_ingress\_rules | Number of computed ingress rules to create by name | `number` | `0` | no | +| auto\_number\_of\_computed\_ingress\_with\_self | Number of computed ingress rules to create where 'self' is defined | `number` | `0` | no | +| computed\_egress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all computed egress rules | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| computed\_egress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all computed egress rules | `list(string)` |
[
"::/0"
]
| no | +| computed\_egress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all computed egress rules | `list(string)` | `[]` | no | +| computed\_egress\_rules | List of computed egress rules to create by name | `list(string)` | `[]` | no | +| computed\_egress\_with\_cidr\_blocks | List of computed egress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| computed\_egress\_with\_ipv6\_cidr\_blocks | List of computed egress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| computed\_egress\_with\_self | List of computed egress rules to create where 'self' is defined | `list(map(string))` | `[]` | no | +| computed\_egress\_with\_source\_security\_group\_id | List of computed egress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no | +| computed\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all computed ingress rules | `list(string)` | `[]` | no | +| computed\_ingress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all computed ingress rules | `list(string)` | `[]` | no | +| computed\_ingress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all computed ingress rules | `list(string)` | `[]` | no | +| computed\_ingress\_rules | List of computed ingress rules to create by name | `list(string)` | `[]` | no | +| computed\_ingress\_with\_cidr\_blocks | List of computed ingress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| computed\_ingress\_with\_ipv6\_cidr\_blocks | List of computed ingress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| computed\_ingress\_with\_self | List of computed ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no | +| computed\_ingress\_with\_source\_security\_group\_id | List of computed ingress rules to create 
where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no | +| create | Whether to create security group and all rules | `bool` | `true` | no | +| description | Description of security group | `string` | `"Security Group managed by Terraform"` | no | +| egress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all egress rules | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| egress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all egress rules | `list(string)` |
[
"::/0"
]
| no | +| egress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules | `list(string)` | `[]` | no | +| egress\_rules | List of egress rules to create by name | `list(string)` | `[]` | no | +| egress\_with\_cidr\_blocks | List of egress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| egress\_with\_ipv6\_cidr\_blocks | List of egress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| egress\_with\_self | List of egress rules to create where 'self' is defined | `list(map(string))` | `[]` | no | +| egress\_with\_source\_security\_group\_id | List of egress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no | +| ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules | `list(string)` | `[]` | no | +| ingress\_ipv6\_cidr\_blocks | List of IPv6 CIDR ranges to use on all ingress rules | `list(string)` | `[]` | no | +| ingress\_prefix\_list\_ids | List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules | `list(string)` | `[]` | no | +| ingress\_rules | List of ingress rules to create by name | `list(string)` | `[]` | no | +| ingress\_with\_cidr\_blocks | List of ingress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| ingress\_with\_ipv6\_cidr\_blocks | List of ingress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no | +| ingress\_with\_self | List of ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no | +| ingress\_with\_source\_security\_group\_id | List of ingress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no | +| name | Name of security group | `string` | n/a | yes | +| number\_of\_computed\_egress\_cidr\_blocks | Number of IPv4 CIDR ranges to use on all computed egress rules | `number` | `0` | 
no | +| number\_of\_computed\_egress\_ipv6\_cidr\_blocks | Number of IPv6 CIDR ranges to use on all computed egress rules | `number` | `0` | no | +| number\_of\_computed\_egress\_prefix\_list\_ids | Number of prefix list IDs (for allowing access to VPC endpoints) to use on all computed egress rules | `number` | `0` | no | +| number\_of\_computed\_egress\_rules | Number of computed egress rules to create by name | `number` | `0` | no | +| number\_of\_computed\_egress\_with\_cidr\_blocks | Number of computed egress rules to create where 'cidr\_blocks' is used | `number` | `0` | no | +| number\_of\_computed\_egress\_with\_ipv6\_cidr\_blocks | Number of computed egress rules to create where 'ipv6\_cidr\_blocks' is used | `number` | `0` | no | +| number\_of\_computed\_egress\_with\_self | Number of computed egress rules to create where 'self' is defined | `number` | `0` | no | +| number\_of\_computed\_egress\_with\_source\_security\_group\_id | Number of computed egress rules to create where 'source\_security\_group\_id' is used | `number` | `0` | no | +| number\_of\_computed\_ingress\_cidr\_blocks | Number of IPv4 CIDR ranges to use on all computed ingress rules | `number` | `0` | no | +| number\_of\_computed\_ingress\_ipv6\_cidr\_blocks | Number of IPv6 CIDR ranges to use on all computed ingress rules | `number` | `0` | no | +| number\_of\_computed\_ingress\_prefix\_list\_ids | Number of prefix list IDs (for allowing access to VPC endpoints) to use on all computed ingress rules | `number` | `0` | no | +| number\_of\_computed\_ingress\_rules | Number of computed ingress rules to create by name | `number` | `0` | no | +| number\_of\_computed\_ingress\_with\_cidr\_blocks | Number of computed ingress rules to create where 'cidr\_blocks' is used | `number` | `0` | no | +| number\_of\_computed\_ingress\_with\_ipv6\_cidr\_blocks | Number of computed ingress rules to create where 'ipv6\_cidr\_blocks' is used | `number` | `0` | no | +| number\_of\_computed\_ingress\_with\_self 
| Number of computed ingress rules to create where 'self' is defined | `number` | `0` | no |
+| number\_of\_computed\_ingress\_with\_source\_security\_group\_id | Number of computed ingress rules to create where 'source\_security\_group\_id' is used | `number` | `0` | no |
+| tags | A mapping of tags to assign to security group | `map(string)` | `{}` | no |
+| use\_name\_prefix | Whether to use name\_prefix or fixed name. Should be true to able to update security group name after initial creation | `bool` | `true` | no |
+| vpc\_id | ID of the VPC where to create security group | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| this\_security\_group\_description | The description of the security group |
+| this\_security\_group\_id | The ID of the security group |
+| this\_security\_group\_name | The name of the security group |
+| this\_security\_group\_owner\_id | The owner ID |
+| this\_security\_group\_vpc\_id | The VPC ID |
+
+
diff --git a/modules/kubernetes-api/auto_values.tf b/modules/kubernetes-api/auto_values.tf
new file mode 100644
index 00000000..d3944f43
--- /dev/null
+++ b/modules/kubernetes-api/auto_values.tf
@@ -0,0 +1,79 @@
+# This file was generated from values defined in rules.tf using update_groups.sh.
+###################################
+# DO NOT CHANGE THIS FILE MANUALLY
+###################################
+
+variable "auto_ingress_rules" {
+ description = "List of ingress rules to add automatically"
+ type = list(string)
+ default = ["kubernetes-api-tcp"]
+}
+
+variable "auto_ingress_with_self" {
+ description = "List of maps defining ingress rules with self to add automatically"
+ type = list(map(string))
+ default = [{ "rule" = "all-all" }]
+}
+
+variable "auto_egress_rules" {
+ description = "List of egress rules to add automatically"
+ type = list(string)
+ default = ["all-all"]
+}
+
+variable "auto_egress_with_self" {
+ description = "List of maps defining egress rules with self to add automatically"
+ type = list(map(string))
+ default = []
+}
+
+# Computed
+variable "auto_computed_ingress_rules" {
+ description = "List of ingress rules to add automatically"
+ type = list(string)
+ default = []
+}
+
+variable "auto_computed_ingress_with_self" {
+ description = "List of maps defining computed ingress rules with self to add automatically"
+ type = list(map(string))
+ default = []
+}
+
+variable "auto_computed_egress_rules" {
+ description = "List of computed egress rules to add automatically"
+ type = list(string)
+ default = []
+}
+
+variable "auto_computed_egress_with_self" {
+ description = "List of maps defining computed egress rules with self to add automatically"
+ type = list(map(string))
+ default = []
+}
+
+# Number of computed rules
+variable "auto_number_of_computed_ingress_rules" {
+ description = "Number of computed ingress rules to create by name"
+ type = number
+ default = 0
+}
+
+variable "auto_number_of_computed_ingress_with_self" {
+ description = "Number of computed ingress rules to create where 'self' is defined"
+ type = number
+ default = 0
+}
+
+variable "auto_number_of_computed_egress_rules" {
+ description = "Number of computed egress rules to create by name"
+ type = number
+ default = 0
+}
+
+variable "auto_number_of_computed_egress_with_self" {
+ description = "Number of computed egress rules to create where 'self' is defined"
+ type = number
+ default = 0
+}
+
diff --git a/modules/kubernetes-api/main.tf b/modules/kubernetes-api/main.tf
new file mode 100644
index 00000000..2c85546f
--- /dev/null
+++ b/modules/kubernetes-api/main.tf
@@ -0,0 +1,114 @@
+module "sg" {
+ source = "../../"
+
+ create = var.create
+ name = var.name
+ use_name_prefix = var.use_name_prefix
+ description = var.description
+ vpc_id = var.vpc_id
+ tags = var.tags
+
+ ##########
+ # Ingress
+ ##########
+ # Rules by names - open for default CIDR
+ ingress_rules = sort(compact(distinct(concat(var.auto_ingress_rules, var.ingress_rules, [""]))))
+
+ # Open for self
+ ingress_with_self = concat(var.auto_ingress_with_self, var.ingress_with_self)
+
+ # Open to IPv4 cidr blocks
+ ingress_with_cidr_blocks = var.ingress_with_cidr_blocks
+
+ # Open to IPv6 cidr blocks
+ ingress_with_ipv6_cidr_blocks = var.ingress_with_ipv6_cidr_blocks
+
+ # Open for security group id
+ ingress_with_source_security_group_id = var.ingress_with_source_security_group_id
+
+ # Default ingress CIDR blocks
+ ingress_cidr_blocks = var.ingress_cidr_blocks
+ ingress_ipv6_cidr_blocks = var.ingress_ipv6_cidr_blocks
+
+ # Default prefix list ids
+ ingress_prefix_list_ids = var.ingress_prefix_list_ids
+
+ ###################
+ # Computed Ingress
+ ###################
+ # Rules by names - open for default CIDR
+ computed_ingress_rules = sort(compact(distinct(concat(var.auto_computed_ingress_rules, var.computed_ingress_rules, [""]))))
+
+ # Open for self
+ computed_ingress_with_self = concat(var.auto_computed_ingress_with_self, var.computed_ingress_with_self)
+
+ # Open to IPv4 cidr blocks
+ computed_ingress_with_cidr_blocks = var.computed_ingress_with_cidr_blocks
+
+ # Open to IPv6 cidr blocks
+ computed_ingress_with_ipv6_cidr_blocks = var.computed_ingress_with_ipv6_cidr_blocks
+
+ # Open for security group id
+ computed_ingress_with_source_security_group_id = var.computed_ingress_with_source_security_group_id
+
+ #############################
+ # Number of computed ingress
+ #############################
+ number_of_computed_ingress_rules = var.auto_number_of_computed_ingress_rules + var.number_of_computed_ingress_rules
+ number_of_computed_ingress_with_self = var.auto_number_of_computed_ingress_with_self + var.number_of_computed_ingress_with_self
+ number_of_computed_ingress_with_cidr_blocks = var.number_of_computed_ingress_with_cidr_blocks
+ number_of_computed_ingress_with_ipv6_cidr_blocks = var.number_of_computed_ingress_with_ipv6_cidr_blocks
+ number_of_computed_ingress_with_source_security_group_id = var.number_of_computed_ingress_with_source_security_group_id
+
+ #########
+ # Egress
+ #########
+ # Rules by names - open for default CIDR
+ egress_rules = sort(compact(distinct(concat(var.auto_egress_rules, var.egress_rules, [""]))))
+
+ # Open for self
+ egress_with_self = concat(var.auto_egress_with_self, var.egress_with_self)
+
+ # Open to IPv4 cidr blocks
+ egress_with_cidr_blocks = var.egress_with_cidr_blocks
+
+ # Open to IPv6 cidr blocks
+ egress_with_ipv6_cidr_blocks = var.egress_with_ipv6_cidr_blocks
+
+ # Open for security group id
+ egress_with_source_security_group_id = var.egress_with_source_security_group_id
+
+ # Default egress CIDR blocks
+ egress_cidr_blocks = var.egress_cidr_blocks
+ egress_ipv6_cidr_blocks = var.egress_ipv6_cidr_blocks
+
+ # Default prefix list ids
+ egress_prefix_list_ids = var.egress_prefix_list_ids
+
+ ##################
+ # Computed Egress
+ ##################
+ # Rules by names - open for default CIDR
+ computed_egress_rules = sort(compact(distinct(concat(var.auto_computed_egress_rules, var.computed_egress_rules, [""]))))
+
+ # Open for self
+ computed_egress_with_self = concat(var.auto_computed_egress_with_self, var.computed_egress_with_self)
+
+ # Open to IPv4 cidr blocks
+ computed_egress_with_cidr_blocks = var.computed_egress_with_cidr_blocks
+
+ # Open to IPv6 cidr blocks
+ computed_egress_with_ipv6_cidr_blocks = var.computed_egress_with_ipv6_cidr_blocks
+
+ # Open for security group id
+ computed_egress_with_source_security_group_id = var.computed_egress_with_source_security_group_id
+
+ #############################
+ # Number of computed egress
+ #############################
+ number_of_computed_egress_rules = var.auto_number_of_computed_egress_rules + var.number_of_computed_egress_rules
+ number_of_computed_egress_with_self = var.auto_number_of_computed_egress_with_self + var.number_of_computed_egress_with_self
+ number_of_computed_egress_with_cidr_blocks = var.number_of_computed_egress_with_cidr_blocks
+ number_of_computed_egress_with_ipv6_cidr_blocks = var.number_of_computed_egress_with_ipv6_cidr_blocks
+ number_of_computed_egress_with_source_security_group_id = var.number_of_computed_egress_with_source_security_group_id
+}
diff --git a/modules/kubernetes-api/outputs.tf b/modules/kubernetes-api/outputs.tf
new file mode 100644
index 00000000..3d7ad67f
--- /dev/null
+++ b/modules/kubernetes-api/outputs.tf
@@ -0,0 +1,24 @@
+output "this_security_group_id" {
+ description = "The ID of the security group"
+ value = module.sg.this_security_group_id
+}
+
+output "this_security_group_vpc_id" {
+ description = "The VPC ID"
+ value = module.sg.this_security_group_vpc_id
+}
+
+output "this_security_group_owner_id" {
+ description = "The owner ID"
+ value = module.sg.this_security_group_owner_id
+}
+
+output "this_security_group_name" {
+ description = "The name of the security group"
+ value = module.sg.this_security_group_name
+}
+
+output "this_security_group_description" {
+ description = "The description of the security group"
+ value = module.sg.this_security_group_description
+}
diff --git a/modules/kubernetes-api/variables.tf b/modules/kubernetes-api/variables.tf
new file mode 100644
index 00000000..354b9e37
--- /dev/null
+++ b/modules/kubernetes-api/variables.tf
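Review bot: The comment `# Rules by names - open for default CIDR` above `ingress_rules` does not say what that default is; `ingress_cidr_blocks` is passed straight through from `var.ingress_cidr_blocks`, which this commit's `variables.tf` defaults to `[]`, while `auto_values.tf` seeds `ingress_rules` with `kubernetes-api-tcp`, so presumably the 6443 rule only materialises once a caller supplies that list, and whatever ranges the caller supplies become the sources permitted to reach the API server. Suggest making that explicit in the comment, e.g. `# Rules by names - open for default CIDR (var.ingress_cidr_blocks, empty by default; scope it to the administrative and node ranges that need the API server rather than 0.0.0.0/0)`. The same layout appears in the sibling modules and `auto_values.tf` states its values are generated by update_groups.sh, so if main.tf is produced by the same script the wording belongs in the template it copies from rather than in this file alone.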
@@ -0,0 +1,342 @@
+#################
+# Security group
+#################
+variable "create" {
+ description = "Whether to create security group and all rules"
+ type = bool
+ default = true
+}
+
+variable "vpc_id" {
+ description = "ID of the VPC where to create security group"
+ type = string
+}
+
+variable "name" {
+ description = "Name of security group"
+ type = string
+}
+
+variable "use_name_prefix" {
+ description = "Whether to use name_prefix or fixed name. Should be true to able to update security group name after initial creation"
+ type = bool
+ default = true
+}
+
+variable "description" {
+ description = "Description of security group"
+ type = string
+ default = "Security Group managed by Terraform"
+}
+
+variable "tags" {
+ description = "A mapping of tags to assign to security group"
+ type = map(string)
+ default = {}
+}
+
+##########
+# Ingress
+##########
+variable "ingress_rules" {
+ description = "List of ingress rules to create by name"
+ type = list(string)
+ default = []
+}
+
+variable "ingress_with_self" {
+ description = "List of ingress rules to create where 'self' is defined"
+ type = list(map(string))
+ default = []
+}
+
+variable "ingress_with_cidr_blocks" {
+ description = "List of ingress rules to create where 'cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "ingress_with_ipv6_cidr_blocks" {
+ description = "List of ingress rules to create where 'ipv6_cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "ingress_with_source_security_group_id" {
+ description = "List of ingress rules to create where 'source_security_group_id' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "ingress_cidr_blocks" {
+ description = "List of IPv4 CIDR ranges to use on all ingress rules"
+ type = list(string)
+ default = []
+}
+
+variable "ingress_ipv6_cidr_blocks" {
+ description = "List of IPv6 CIDR ranges to use on all ingress rules"
+ type = list(string)
+ default = []
+}
+
+variable "ingress_prefix_list_ids" {
+ description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules"
+ type = list(string)
+ default = []
+}
+
+###################
+# Computed Ingress
+###################
+variable "computed_ingress_rules" {
+ description = "List of computed ingress rules to create by name"
+ type = list(string)
+ default = []
+}
+
+variable "computed_ingress_with_self" {
+ description = "List of computed ingress rules to create where 'self' is defined"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_ingress_with_cidr_blocks" {
+ description = "List of computed ingress rules to create where 'cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_ingress_with_ipv6_cidr_blocks" {
+ description = "List of computed ingress rules to create where 'ipv6_cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_ingress_with_source_security_group_id" {
+ description = "List of computed ingress rules to create where 'source_security_group_id' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_ingress_cidr_blocks" {
+ description = "List of IPv4 CIDR ranges to use on all computed ingress rules"
+ type = list(string)
+ default = []
+}
+
+variable "computed_ingress_ipv6_cidr_blocks" {
+ description = "List of IPv6 CIDR ranges to use on all computed ingress rules"
+ type = list(string)
+ default = []
+}
+
+variable "computed_ingress_prefix_list_ids" {
+ description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all computed ingress rules"
+ type = list(string)
+ default = []
+}
+
+###################################
+# Number of computed ingress rules
+###################################
+variable "number_of_computed_ingress_rules" {
+ description = "Number of computed ingress rules to create by name"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_ingress_with_self" {
+ description = "Number of computed ingress rules to create where 'self' is defined"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_ingress_with_cidr_blocks" {
+ description = "Number of computed ingress rules to create where 'cidr_blocks' is used"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_ingress_with_ipv6_cidr_blocks" {
+ description = "Number of computed ingress rules to create where 'ipv6_cidr_blocks' is used"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_ingress_with_source_security_group_id" {
+ description = "Number of computed ingress rules to create where 'source_security_group_id' is used"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_ingress_cidr_blocks" {
+ description = "Number of IPv4 CIDR ranges to use on all computed ingress rules"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_ingress_ipv6_cidr_blocks" {
+ description = "Number of IPv6 CIDR ranges to use on all computed ingress rules"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_ingress_prefix_list_ids" {
+ description = "Number of prefix list IDs (for allowing access to VPC endpoints) to use on all computed ingress rules"
+ type = number
+ default = 0
+}
+
+#########
+# Egress
+#########
+variable "egress_rules" {
+ description = "List of egress rules to create by name"
+ type = list(string)
+ default = []
+}
+
+variable "egress_with_self" {
+ description = "List of egress rules to create where 'self' is defined"
+ type = list(map(string))
+ default = []
+}
+
+variable "egress_with_cidr_blocks" {
+ description = "List of egress rules to create where 'cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "egress_with_ipv6_cidr_blocks" {
+ description = "List of egress rules to create where 'ipv6_cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "egress_with_source_security_group_id" {
+ description = "List of egress rules to create where 'source_security_group_id' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "egress_cidr_blocks" {
+ description = "List of IPv4 CIDR ranges to use on all egress rules"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "egress_ipv6_cidr_blocks" {
+ description = "List of IPv6 CIDR ranges to use on all egress rules"
+ type = list(string)
+ default = ["::/0"]
+}
+
+variable "egress_prefix_list_ids" {
+ description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules"
+ type = list(string)
+ default = []
+}
+
+##################
+# Computed Egress
+##################
+variable "computed_egress_rules" {
+ description = "List of computed egress rules to create by name"
+ type = list(string)
+ default = []
+}
+
+variable "computed_egress_with_self" {
+ description = "List of computed egress rules to create where 'self' is defined"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_egress_with_cidr_blocks" {
+ description = "List of computed egress rules to create where 'cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_egress_with_ipv6_cidr_blocks" {
+ description = "List of computed egress rules to create where 'ipv6_cidr_blocks' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_egress_with_source_security_group_id" {
+ description = "List of computed egress rules to create where 'source_security_group_id' is used"
+ type = list(map(string))
+ default = []
+}
+
+variable "computed_egress_cidr_blocks" {
+ description = "List of IPv4 CIDR ranges to use on all computed egress rules"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "computed_egress_ipv6_cidr_blocks" {
+ description = "List of IPv6 CIDR ranges to use on all computed egress rules"
+ type = list(string)
+ default = ["::/0"]
+}
+
+variable "computed_egress_prefix_list_ids" {
+ description = "List of prefix list IDs (for allowing access to VPC endpoints) to use on all computed egress rules"
+ type = list(string)
+ default = []
+}
+
+##################################
+# Number of computed egress rules
+##################################
+variable "number_of_computed_egress_rules" {
+ description = "Number of computed egress rules to create by name"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_egress_with_self" {
+ description = "Number of computed egress rules to create where 'self' is defined"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_egress_with_cidr_blocks" {
+ description = "Number of computed egress rules to create where 'cidr_blocks' is used"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_egress_with_ipv6_cidr_blocks" {
+ description = "Number of computed egress rules to create where 'ipv6_cidr_blocks' is used"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_egress_with_source_security_group_id" {
+ description = "Number of computed egress rules to create where 'source_security_group_id' is used"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_egress_cidr_blocks" {
+ description = "Number of IPv4 CIDR ranges to use on all computed egress rules"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_egress_ipv6_cidr_blocks" {
+ description = "Number of IPv6 CIDR ranges to use on all computed egress rules"
+ type = number
+ default = 0
+}
+
+variable "number_of_computed_egress_prefix_list_ids" {
+ description = "Number of prefix list IDs (for allowing access to VPC endpoints) to use on all computed egress rules"
+ type = number
+ default = 0
+}
diff --git a/rules.tf b/rules.tf
index 19ea0342..52e0f2f8 100644
--- a/rules.tf
+++ b/rules.tf
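Review bot: `egress_cidr_blocks` and `egress_ipv6_cidr_blocks` default to `["0.0.0.0/0"]` and `["::/0"]`, and with the module's auto egress rule `all-all` (seeded in this commit's `auto_values.tf`) a group created with defaults permits unrestricted outbound traffic; the descriptions (`List of IPv4 CIDR ranges to use on all egress rules`) do not make that consequence visible to callers. Suggest stating it in the description, e.g. `"List of IPv4 CIDR ranges to use on all egress rules (default allows all outbound IPv4; narrow this for control-plane groups)"`, and likewise for the IPv6 variable. The computed egress variants on this page carry the same defaults, so these look templated and the wording change presumably belongs wherever update_groups.sh sources them rather than only in this file. Separately, the `use_name_prefix` description reads `Should be true to able to update`; `to be able` is intended.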
@@ -56,6 +56,8 @@ variable "rules" {
 ipsec-4500-udp = [4500, 4500, "udp", "IPSEC NAT-T"]
 # Kafka
 kafka-broker-tcp = [9092, 9092, "tcp", "Kafka broker 0.8.2+"]
+ # Kubernetes
+ kubernetes-api-tcp = [6443, 6443, "tcp", "Kubernetes API Server"]
 # LDAPS
 ldaps-tcp = [636, 636, "tcp", "LDAPS"]
 # Memcached
@@ -213,6 +215,11 @@ variable "auto_groups" {
 ingress_with_self = ["all-all"]
 egress_rules = ["all-all"]
 }
+ kubernetes-api = {
+ ingress_rules = ["kubernetes-api-tcp"]
+ ingress_with_self = ["all-all"]
+ egress_rules = ["all-all"]
+ }
 ldaps = {
 ingress_rules = ["ldaps-tcp"]
 ingress_with_self = ["all-all"]