Merge pull request #16 from hashicorp/cotarg/expose-ui-port

update security group rules to expose UI
hashicorp · Jul 10, 2020 · ad8662a · ad8662a
2 parents eaf888a + 24c6870
commit ad8662a
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.1.3 (July 10, 2020)
+
+IMPROVEMENTS:
+
+* security: added security group rule to expose UI to allowed CIDR blocks
+* documentation: explained new `allowed_inbound_cidrs`
+* variables: renamed var to `acl_bootstrap_bool` to clarify purpose of variable
+
 ## 0.1.2 (July 08, 2020)
 
 IMPROVEMENTS:

diff --git a/README.md b/README.md
@@ -36,7 +36,9 @@ module "consul_cluster" {
 }
 ```
 
-Note: Currently the random provider is required for this module's functionality.
+Notes: 
+1. Currently the random provider is required for this module's functionality.
+2. `allowed_inbound_cidrs` must be supplied for this module's functionality; these CIDRs will be allowed for SSH and UI access.
 
 - Run `terraform init` and `terraform apply`
 

diff --git a/modules/consul_cluster/scripts/install_hashitools_consul_client.sh.tpl b/modules/consul_cluster/scripts/install_hashitools_consul_client.sh.tpl
@@ -20,7 +20,7 @@ datacenter          = "${datacenter}"
 server              = false
 data_dir            = "/opt/consul/data"
 advertise_addr      = "$${LOCAL_IPV4}"
-client_addr         = "127.0.0.1"
+client_addr         = "0.0.0.0"
 log_level           = "INFO"
 ui                  = true
 encrypt             = "${gossip_key}"

diff --git a/modules/consul_cluster/scripts/install_hashitools_consul_server.sh.tpl b/modules/consul_cluster/scripts/install_hashitools_consul_server.sh.tpl
@@ -25,7 +25,7 @@ server              = true
 bootstrap_expect    = ${bootstrap_expect}
 data_dir            = "/opt/consul/data"
 advertise_addr      = "$${LOCAL_IPV4}"
-client_addr         = "127.0.0.1"
+client_addr         = "0.0.0.0"
 log_level           = "INFO"
 ui                  = true
 

diff --git a/modules/consul_cluster/security_groups.tf b/modules/consul_cluster/security_groups.tf
@@ -94,6 +94,16 @@ resource "aws_security_group_rule" "consul_api_tcp" {
   source_security_group_id = aws_security_group.consul.id
 }
 
+// This rule exposes the Consul API for traffic from the same CIDR block as approved SSH.
+resource "aws_security_group_rule" "consul_ui_ingress" {
+  security_group_id = aws_security_group.consul.id
+  type              = "ingress"
+  from_port         = 8500
+  to_port           = 8500
+  protocol          = "tcp"
+  cidr_blocks       = var.allowed_inbound_cidrs
+}
+
 // This rule allows Consul DNS.
 resource "aws_security_group_rule" "consul_dns_tcp" {
   security_group_id        = aws_security_group.consul.id