professional-service-best-practices/terraform-modules
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: consolidate security-group and security-group-rule

Browse source
This commit is contained in:
Maximilian_Schlenz 2025-07-07 09:16:42 +02:00
parent 3a722642b5
commit 7b16b3e7d5
11 changed files with 150 additions and 169 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
.terraform*
terraform.tfstate*
.env

38
example/main.tf
View file

@ -1,32 +1,10 @@
module "icmp_group" {
source = "../security-group"
project_id = var.project_id
name = "icmp"
}
module "security_groups" {
source = "../security-group"
module "ssh_group" {
source = "../security-group"
project_id = var.project_id
name = "ssh"
}
for_each = var.security_groups
module "icmp_ingress" {
source = "../security-group-rule"
project_id = var.project_id
security_group_id = module.icmp_group.id
rules = var.icmp_ingress_rules
}
module "icmp_egress" {
source = "../security-group-rule"
project_id = var.project_id
security_group_id = module.icmp_group.id
rules = var.icmp_egress_rules
}
module "ssh_ingress" {
source = "../security-group-rule"
project_id = var.project_id
security_group_id = module.ssh_group.id
rules = var.ssh_ingress_rules
}
project_id = var.project_id
name = each.value.name
description = each.value.description
rules = each.value.rules
}

103
example/terraform.tfvars
View file

@ -2,55 +2,58 @@ region = "eu01"
service_account_token = ""
project_id = ""
# icmp_ingress_rules = [
# {
# direction = "ingress"
# description = "ICMP RULE 1"
# ip_range = "0.0.0.0/0"
# protocol = {
# name = "icmp"
# }
# icmp_parameters = {
# type = 8,
# code = 0
# }
# },
# {
# direction = "ingress"
# description = "ICMP RULE 2"
# ip_range = "1.2.3.4/0"
# protocol = {
# name = "icmp"
# }
# icmp_parameters = {
# type = 8,
# code = 0
# }
# }
# ]
security_groups = {
ssh_ingress_group = {
name = "ssh-ingress-group"
description = "ALLOW SSH ingress"
rules = [
{
description = "SSH RULE 1"
direction = "ingress"
ether_type = "IPv4"
ip_range = "0.0.0.0/0"
protocol = {
name = "tcp"
}
port_range = {
min = 22
max = 22
}
},
]
},
# ssh_ingress_rules = [
# {
# direction = "ingress"
# description = "SSH RULE 1"
# ip_range = "10.1.10.1/24"
# port_range = {
# min = 22,
# max = 22
# }
# protocol = {
# name = "tcp"
# }
# }
# ]
web_traffic_group = {
name = "web-traffic-group"
description = "ALLOW WEB TRAFFIC ingress"
rules = [
{
description = "ALLOW ALL 80"
direction = "ingress"
ether_type = "IPv4"
ip_range = "0.0.0.0/0"
protocol = {
name = "tcp"
}
port_range = {
min = 80
max = 80
}
},
{
description = "ALLOW ALL 443"
direction = "ingress"
ether_type = "IPv4"
ip_range = "0.0.0.0/0"
protocol = {
name = "tcp"
}
port_range = {
min = 443
max = 443
}
},
]
},
# icmp_egress_rules = [
# {
# direction = "egress"
# description = "ICMP EGRESS RULE 1"
# ip_range = "0.0.0.0/0"
# protocol = {
# name = "icmp"
# }
# }
# ]
}

33
example/variables.tf
View file

@ -15,14 +15,29 @@ variable "service_account_token" {
type = string
}
variable "icmp_ingress_rules" {
type = any
}
variable "icmp_egress_rules" {
type = any
}
variable "ssh_ingress_rules" {
type = any
variable "security_groups" {
type = map(object({
name = optional(string)
description = optional(string)
rules = list(object({
direction = string
description = optional(string)
ether_type = optional(string)
icmp_parameters = optional(object({
type = optional(number)
code = optional(number)
}))
ip_range = optional(string)
port_range = optional(object({
min = number
max = number
}))
protocol = optional(object({
name = optional(string)
number = optional(number)
}))
remote_security_group_id = optional(string)
}))
}))
}

19
security-group-rule/main.tf
View file

@ -1,19 +0,0 @@
locals {
rule_count = length(var.rules)
}
resource "stackit_security_group_rule" "this" {
count = local.rule_count
project_id = var.project_id
security_group_id = var.security_group_id
direction = var.rules[count.index].direction
description = var.rules[count.index].description
ether_type = var.rules[count.index].ether_type
icmp_parameters = var.rules[count.index].icmp_parameters
ip_range = var.rules[count.index].ip_range
port_range = var.rules[count.index].port_range
protocol = var.rules[count.index].protocol
remote_security_group_id = var.rules[count.index].remote_security_group_id
}

3
security-group-rule/output.tf
View file

@ -1,3 +0,0 @@
output "rule_ids" {
value = stackit_security_group_rule.this[*].id
}

9
security-group-rule/providers.tf
View file

@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.9.0"
required_providers {
stackit = {
source = "stackitcloud/stackit"
version = "0.56.0"
}
}
}

39
security-group-rule/variables.tf
View file

@ -1,39 +0,0 @@
variable "project_id" {
type = string
}
variable "security_group_id" {
type = string
}
variable "rules" {
type = list(object({
direction = string
description = optional(string)
ether_type = optional(string)
icmp_parameters = optional(object({
type = optional(number)
code = optional(number)
}))
ip_range = optional(string)
port_range = optional(object({
min = number
max = number
}))
protocol = optional(object({
name = optional(string)
number = optional(number)
}))
remote_security_group_id = optional(string)
}))
default = []
validation {
condition = alltrue([
for rule in var.rules : contains(["ingress", "egress"], rule.direction)
# ... need more validations
])
error_message = "Direction must be either \"ingress\" or \"egress\"."
}
}

22
security-group/main.tf
View file

@ -1,5 +1,25 @@
locals {
rule_count = length(var.rules)
}
resource "stackit_security_group" "this" {
project_id = var.project_id
name = var.name
description = var.description == null ? var.name : var.description
description = var.description
}
resource "stackit_security_group_rule" "rule" {
count = local.rule_count
direction = var.rules[count.index].direction
project_id = var.project_id
security_group_id = stackit_security_group.this.id
description = var.rules[count.index].description
ether_type = var.rules[count.index].ether_type
icmp_parameters = var.rules[count.index].icmp_parameters
ip_range = var.rules[count.index].ip_range
port_range = var.rules[count.index].port_range
protocol = var.rules[count.index].protocol
remote_security_group_id = var.rules[count.index].remote_security_group_id
}

9
security-group/output.tf
View file

@ -1,7 +1,8 @@
output "id" {
value = stackit_security_group.this.security_group_id
output "security_group_id" {
value = stackit_security_group.this.security_group_id
description = "ID of the security group"
}
output "name" {
value = stackit_security_group.this.name
output "rule_ids" {
value = stackit_security_group_rule.rule[*].id
}

43
security-group/variables.tf
View file

@ -1,12 +1,45 @@
variable "project_id" {
type = string
type = string
description = "The ID of the project where the security group will be created."
}
variable "name" {
type = string
type = string
description = "Name of the security group."
}
variable "description" {
type = string
default = null
}
type = string
default = ""
description = "Description of the security group. If not provided, it defaults to an empty string."
}
variable "rules" {
description = "List of rules to attach to this security-group"
type = list(object({
direction = string
description = optional(string)
ether_type = optional(string)
icmp_parameters = optional(object({
type = optional(number)
code = optional(number)
}))
ip_range = optional(string)
port_range = optional(object({
min = number
max = number
}))
protocol = optional(object({
name = optional(string)
}))
remote_security_group_id = optional(string)
}))
default = []
validation {
condition = alltrue([
for rule in var.rules : contains(["ingress", "egress"], rule.direction)
# ... need more validations
])
error_message = "Direction must be either \"ingress\" or \"egress\"."
}
}