forked from robertdebock/terraform-aws-vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecurity_group.tf
113 lines (103 loc) · 3.87 KB
/
security_group.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# Create a security group for the loadbalancer.
resource "aws_security_group" "public" {
description = "Public - Traffic to Vault nodes"
name_prefix = "${var.vault_name}-public-"
tags = local.public_tags
vpc_id = local.vpc_id
lifecycle {
create_before_destroy = true
}
}
# Allow the vault API to be accessed from the internet.
resource "aws_security_group_rule" "api_public" {
cidr_blocks = var.vault_allowed_cidr_blocks
description = "Vault API/UI"
from_port = var.vault_api_port
protocol = "TCP"
security_group_id = aws_security_group.public.id
to_port = var.vault_api_port
type = "ingress"
}
# Allow the redirection from port 80 to `var.vault_api_port` from the internet.
resource "aws_security_group_rule" "api_public_redirect" {
cidr_blocks = var.vault_allowed_cidr_blocks
description = "Vault API/UI redirection"
from_port = 80
protocol = "TCP"
security_group_id = aws_security_group.public.id
to_port = 80
type = "ingress"
}
# Allow specified security groups to have access as well.
resource "aws_security_group_rule" "extra" {
count = length(var.vault_extra_security_group_ids)
description = "User specified security_group"
from_port = var.vault_api_port
protocol = "TCP"
security_group_id = aws_security_group.public.id
source_security_group_id = var.vault_extra_security_group_ids[count.index]
to_port = var.vault_api_port
type = "ingress"
}
# Create a security group for the instances.
resource "aws_security_group" "private" {
description = "Private - Traffic to Vault nodes"
name_prefix = "${var.vault_name}-private-"
tags = local.private_tags
vpc_id = local.vpc_id
lifecycle {
create_before_destroy = true
}
}
# Allow the Vault API to be accessed from clients.
resource "aws_security_group_rule" "api_private" {
description = "Vault API/UI"
from_port = 8200
protocol = "TCP"
security_group_id = aws_security_group.private.id
source_security_group_id = aws_security_group.private.id
to_port = 8200
type = "ingress"
}
# Allow instances to use Raft.
resource "aws_security_group_rule" "raft" {
description = "Vault Raft"
from_port = 8201
protocol = "TCP"
security_group_id = aws_security_group.private.id
source_security_group_id = aws_security_group.private.id
to_port = 8201
type = "ingress"
}
# Allow other clusters to use Raft. (This is an enterprise feature.)
resource "aws_security_group_rule" "clustertocluster" {
count = var.vault_allow_replication ? 1 : 0
cidr_blocks = var.vault_allowed_cidr_blocks_replication
description = "Vault Raft Replication"
from_port = var.vault_replication_port
protocol = "TCP"
security_group_id = aws_security_group.public.id
to_port = var.vault_replication_port
type = "ingress"
}
# Allow access from the bastion host.
resource "aws_security_group_rule" "ssh" {
count = var.vault_allow_ssh ? 1 : 0
cidr_blocks = [local.cidr_block]
description = "SSH from bastion"
from_port = 22
protocol = "TCP"
security_group_id = aws_security_group.private.id
to_port = 22
type = "ingress"
}
# Allow internet from the instances. Required for package installations.
resource "aws_security_group_rule" "internet" {
cidr_blocks = ["0.0.0.0/0"]
description = "Internet"
from_port = 0
protocol = "-1"
security_group_id = aws_security_group.private.id
to_port = 0
type = "egress"
}