feat: Update module to be dynamic

clouddrove · Aug 1, 2023 · 25d893b · 25d893b
1 parent 21bcb00
commit 25d893b
Show file tree

Hide file tree

Showing 5 changed files with 414 additions and 86 deletions.
diff --git a/_example/new_security_group/example.tf b/_example/new_security_group/example.tf
@@ -10,9 +10,8 @@ provider "aws" {
 ####----------------------------------------------------------------------------------
 
 module "vpc" {
-  source  = "clouddrove/vpc/aws"
-  version = "2.0.0"
-
+  source      = "clouddrove/vpc/aws"
+  version     = "2.0.0"
   name        = "vpc"
   environment = "test"
   label_order = ["name", "environment"]
@@ -25,29 +24,20 @@ module "security_group" {
 
   name        = "security-group"
   environment = "test"
-  label_order = ["name", "environment"]
-
-  ## new_enable_security_group #######
-  vpc_id                    = module.vpc.vpc_id
-  new_enable_security_group = true
-  allowed_ip                = ["172.16.0.0/16", "10.0.0.0/16"]
-  allowed_ports             = [22, 27017]
-  security_groups           = []
-
-  #-------------------------------------------------------------------------------
-  ### prefix_list
-  #-------------------------------------------------------------------------------
-  max_entries         = 5
-  prefix_list_enabled = true
-  prefix_list_id      = []
-  entry = [
-    {
-      cidr        = "10.0.0.0/16"
-      description = "VPC CIDR"
+  vpc_id      = module.vpc.vpc_id
+  # allowed_ip                = ["172.16.0.0/16", "10.0.0.0/16"]
+  # allowed_ports             = [22, 27017]
+  # security_groups           = []
+  new_sg_ingress_rules_with_cidr_blocks = [{
+    from_port   = 22
+    protocol    = "-1"
+    to_port     = 22
+    cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
     },
     {
-      cidr        = "10.10.0.0/24"
-      description = "VPC CIDR"
-    }
-  ]
+      from_port   = 27017
+      protocol    = "tcp"
+      to_port     = 27017
+      cidr_blocks = ["172.16.0.0/16"]
+  }]
 }
diff --git a/_example/new_security_group/outputs.tf b/_example/new_security_group/outputs.tf
@@ -1,18 +1,18 @@
-output "tags" {
-  value       = module.security_group.tags
-  description = "A mapping of tags to assign to the resource."
-}
+# output "tags" {
+#   value       = module.security_group.tags
+#   description = "A mapping of tags to assign to the resource."
+# }
 
-output "security_group_ids" {
-  value       = module.security_group.security_group_ids
-  description = "A mapping of security group ids."
-}
-output "vpc_cidr_block" {
-  value       = module.vpc.vpc_cidr_block
-  description = "VPC IPV4 CIDR Block."
-}
+# output "security_group_ids" {
+#   value       = module.security_group.security_group_ids
+#   description = "A mapping of security group ids."
+# }
+# output "vpc_cidr_block" {
+#   value       = module.vpc.vpc_cidr_block
+#   description = "VPC IPV4 CIDR Block."
+# }
 
-output "vpc_cidr_block_ipv6" {
-  value       = module.vpc.ipv6_cidr_block
-  description = "VPC IPV4 CIDR Block."
-}
+# output "vpc_cidr_block_ipv6" {
+#   value       = module.vpc.ipv6_cidr_block
+#   description = "VPC IPV4 CIDR Block."
+# }
diff --git a/main.tf b/main.tf
@@ -1,41 +1,251 @@
-#-------------------------------------------------------------------------------
-### prefix_list
-#-------------------------------------------------------------------------------
-module "prefix_list" {
-  source = "./modules/prefix_list"
+# Managed By : CloudDrove 
+# Copyright @ CloudDrove. All Right Reserved.
 
+
+##----------------------------------------------------------------------------- 
+## Labels module callled that will be used for naming and tags.   
+##-----------------------------------------------------------------------------
+module "labels" {
+  source      = "clouddrove/labels/aws"
+  version     = "1.3.0"
   name        = var.name
   environment = var.environment
+  managedby   = var.managedby
   label_order = var.label_order
+  repository  = var.repository
+}
 
-  max_entries         = var.max_entries
-  prefix_list_enabled = var.prefix_list_enabled
-  entry               = var.entry
+##----------------------------------------------------------------------------- 
+## Below resource will deploy new security group in aws.    
+##-----------------------------------------------------------------------------
+resource "aws_security_group" "default" {
+  count       = var.enable && var.new_sg ? 1 : 0
+  name        = module.labels.id
+  vpc_id      = var.vpc_id
+  description = var.sg_description
+  tags        = module.labels.tags
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
-##----------------------------------------------------------------------------------
-## Below module will create SECURITY-GROUP and its components.
-##----------------------------------------------------------------------------------
-module "security_group" {
-  source = "./modules/security_group"
+##----------------------------------------------------------------------------- 
+## Below data resource is to get details of existing security group in your aws environment. 
+## Will be called when you provide existing security group id in 'existing_sg_id' variable. 
+##-----------------------------------------------------------------------------
+data "aws_security_group" "existing" {
+  count  = var.enable && var.existing_sg_id != null ? 1 : 0
+  id     = var.existing_sg_id
+  vpc_id = var.vpc_id
+}
 
-  name        = var.name
-  environment = var.environment
-  label_order = var.label_order
+##----------------------------------------------------------------------------- 
+## Below resource will deploy prefix list resource in aws.  
+##-----------------------------------------------------------------------------
+resource "aws_ec2_managed_prefix_list" "prefix_list" {
+  count          = var.enable && var.prefix_list_enabled && length(var.prefix_list_ids) < 1 ? 1 : 0
+  address_family = var.prefix_list_address_family
+  max_entries    = var.max_entries
+  name           = format("%s-prefix-list", module.labels.id)
+  dynamic "entry" {
+    for_each = var.entry
+    content {
+      cidr        = lookup(entry.value, "cidr", null)
+      description = lookup(entry.value, "description", null)
+
+    }
+  }
+}
+
+
+##----------------------------------------------------------------------------- 
+## Below resource will deploy ingress security group rules for new security group created from this module. 
+##-----------------------------------------------------------------------------
+resource "aws_security_group_rule" "new_sg_ingress_with_cidr_blocks" {
+  for_each          = var.enable ? { for rule in var.new_sg_ingress_rules_with_cidr_blocks : rule.from_port => rule } : {}
+  type              = "ingress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  cidr_blocks       = each.value.cidr_blocks
+  security_group_id = aws_security_group.default[0].id
+  ipv6_cidr_blocks  = lookup(each.value, "ipv6_cidr_blocks", null)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "new_sg_ingress_with_self" {
+  for_each          = var.enable ? { for rule in var.new_sg_ingress_rules_with_self : rule.from_port => rule } : {}
+  type              = "ingress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = aws_security_group.default[0].id
+  self              = lookup(each.value, "self", true)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "new_sg_ingress_with_source_sg_id" {
+  for_each                 = var.enable ? { for rule in var.new_sg_ingress_rules_with_source_sg_id : rule.from_port => rule } : {}
+  type                     = "ingress"
+  from_port                = each.value.from_port
+  protocol                 = each.value.protocol
+  to_port                  = each.value.to_port
+  source_security_group_id = each.value.source_security_group_id
+  security_group_id        = aws_security_group.default[0].id
+  description              = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "new_sg_ingress_with_prefix_list" {
+  for_each          = var.enable ? { for rule in var.new_sg_ingress_rules_with_prefix_list : rule.from_port => rule } : {}
+  type              = "ingress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = aws_security_group.default[0].id
+  prefix_list_ids   = length(var.prefix_list_ids) == 0 ? tolist(aws_ec2_managed_prefix_list.prefix_list[0].id) : var.prefix_list_ids
+  description       = lookup(each.value, "description", null)
+}
+
+##----------------------------------------------------------------------------- 
+## Below resource will deploy ingress security group rules for existing security group.  
+##-----------------------------------------------------------------------------
+resource "aws_security_group_rule" "existing_sg_ingress_cidr_blocks" {
+  for_each          = var.enable ? { for rule in var.existing_sg_ingress_rules_with_cidr_blocks : rule.from_port => rule } : {}
+  type              = "ingress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = data.aws_security_group.existing[0].id
+  cidr_blocks       = lookup(each.value, "cidr_blocks", null)
+  ipv6_cidr_blocks  = lookup(each.value, "ipv6_cidr_blocks", null)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "existing_sg_ingress_with_self" {
+  for_each          = var.enable ? { for rule in var.existing_sg_ingress_rules_with_self : rule.from_port => rule } : {}
+  type              = "ingress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = data.aws_security_group.existing[0].id
+  self              = lookup(each.value, "self", true)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "existing_sg_ingress_with_source_sg_id" {
+  for_each                 = var.enable ? { for rule in var.existing_sg_ingress_rules_with_source_sg_id : rule.from_port => rule } : {}
+  type                     = "ingress"
+  from_port                = each.value.from_port
+  protocol                 = each.value.protocol
+  to_port                  = each.value.to_port
+  source_security_group_id = each.value.source_security_group_id
+  security_group_id        = data.aws_security_group.existing[0].id
+  description              = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "existing_sg_ingress_with_prefix_list" {
+  for_each          = var.enable ? { for rule in var.existing_sg_ingress_rules_with_prefix_list : rule.from_port => rule } : {}
+  type              = "ingress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = data.aws_security_group.existing[0].id
+  prefix_list_ids   = length(var.prefix_list_ids) == 0 ? tolist(aws_ec2_managed_prefix_list.prefix_list[0].id) : var.prefix_list_ids
+  description       = lookup(each.value, "description", null)
+}
+
+##----------------------------------------------------------------------------- 
+## Below resource will deploy egress security group rules for new security group created from this module. 
+##-----------------------------------------------------------------------------
+resource "aws_security_group_rule" "new_sg_egress_with_cidr_blocks" {
+  for_each          = var.enable ? { for rule in var.new_sg_egress_rules_with_cidr_blocks : rule.from_port => rule } : {}
+  type              = "egress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = aws_security_group.default[0].id
+  cidr_blocks       = lookup(each.value, "cidr_blocks", null)
+  ipv6_cidr_blocks  = lookup(each.value, "ipv6_cidr_blocks", null)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "new_sg_egress_with_self" {
+  for_each          = var.enable ? { for rule in var.new_sg_egress_rules_with_self : rule.from_port => rule } : {}
+  type              = "egress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = aws_security_group.default[0].id
+  self              = lookup(each.value, "self", true)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "new_sg_egress_with_source_sg_id" {
+  for_each                 = var.enable ? { for rule in var.new_sg_egress_rules_with_source_sg_id : rule.from_port => rule } : {}
+  type                     = "egress"
+  from_port                = each.value.from_port
+  protocol                 = each.value.protocol
+  to_port                  = each.value.to_port
+  source_security_group_id = each.value.source_security_group_id
+  security_group_id        = aws_security_group.default[0].id
+  description              = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "new_sg_egress_with_prefix_list" {
+  for_each          = var.enable ? { for rule in var.new_sg_egress_rules_with_prefix_list : rule.from_port => rule } : {}
+  type              = "egress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = aws_security_group.default[0].id
+  prefix_list_ids   = length(var.prefix_list_ids) == 0 ? tolist(aws_ec2_managed_prefix_list.prefix_list[0].id) : var.prefix_list_ids
+  description       = lookup(each.value, "description", null)
+}
+
+##----------------------------------------------------------------------------- 
+## Below resource will deploy egress security group rules for existing security group.  
+##-----------------------------------------------------------------------------
+resource "aws_security_group_rule" "existing_sg_egress_with_cidr_blocks" {
+  for_each          = var.enable ? { for rule in var.existing_sg_egress_rules_with_cidr_blocks : rule.from_port => rule } : {}
+  type              = "egress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = data.aws_security_group.existing[0].id
+  cidr_blocks       = lookup(each.value, "cidr_blocks", null)
+  ipv6_cidr_blocks  = lookup(each.value, "ipv6_cidr_blocks", null)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "existing_sg_egress_with_self" {
+  for_each          = var.enable ? { for rule in var.existing_sg_egress_rules_with_self : rule.from_port => rule } : {}
+  type              = "egress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = data.aws_security_group.existing[0].id
+  self              = lookup(each.value, "self", true)
+  description       = lookup(each.value, "description", null)
+}
+
+resource "aws_security_group_rule" "existing_sg_egress_with_source_sg_id" {
+  for_each                 = var.enable ? { for rule in var.existing_sg_egress_rules_with_source_sg_id : rule.from_port => rule } : {}
+  type                     = "egress"
+  from_port                = each.value.from_port
+  protocol                 = each.value.protocol
+  to_port                  = each.value.to_port
+  source_security_group_id = each.value.source_security_group_id
+  security_group_id        = data.aws_security_group.existing[0].id
+  description              = lookup(each.value, "source_address_prefix", null)
+}
 
-  enable_security_group  = var.new_enable_security_group
-  vpc_id                 = var.vpc_id
-  allowed_ip             = var.allowed_ip
-  allowed_ports          = var.allowed_ports
-  security_groups        = var.security_groups
-  allowed_ipv6           = var.allowed_ipv6
-  egress_rule            = var.egress_rule
-  egress_allowed_ip      = var.egress_allowed_ip
-  egress_allowed_ports   = var.egress_allowed_ports
-  egress_protocol        = var.egress_protocol
-  egress_prefix_list_ids = var.egress_prefix_list_ids
-  egress_security_groups = var.egress_security_groups
-  is_external            = var.is_external
-  existing_sg_id         = var.existing_sg_id
-  prefix_list_ids        = length(var.prefix_list_id) < 1 ? module.prefix_list.prefix_id : var.prefix_list_id
+resource "aws_security_group_rule" "existing_sg_egress_with_prefix_list" {
+  for_each          = var.enable ? { for rule in var.existing_sg_egress_rules_with_prefix_list : rule.from_port => rule } : {}
+  type              = "egress"
+  from_port         = each.value.from_port
+  protocol          = each.value.protocol
+  to_port           = each.value.to_port
+  security_group_id = data.aws_security_group.existing[0].id
+  prefix_list_ids   = length(var.prefix_list_ids) == 0 ? tolist(aws_ec2_managed_prefix_list.prefix_list[0].id) : var.prefix_list_ids
+  description       = lookup(each.value, "source_address_prefix", null)
 }