From 138093cf0b22d134670e5de10ec9a79746e48e3c Mon Sep 17 00:00:00 2001
From: "chloe (@cotarg)"
Date: Fri, 10 Jul 2020 10:21:26 -0700
Subject: [PATCH 1/3] update security groups to expose UI to approved cidrs, documentation update to match
---
 README.md | 4 +++-
 modules/consul_cluster/security_groups.tf | 10 ++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f537e51..59843d0 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,9 @@ module "consul_cluster" {
 }
 ```
-Note: Currently the random provider is required for this module's functionality.
+Notes:
+1. Currently the random provider is required for this module's functionality.
+2. `allowed_inbound_cidrs` must be supplied for this module's functionality; these CIDRs will be allowed for SSH and UI access.
 - Run `terraform init` and `terraform apply`
diff --git a/modules/consul_cluster/security_groups.tf b/modules/consul_cluster/security_groups.tf
index 4a6abde..ba19577 100644
--- a/modules/consul_cluster/security_groups.tf
+++ b/modules/consul_cluster/security_groups.tf
@@ -94,6 +94,16 @@ resource "aws_security_group_rule" "consul_api_tcp" {
 source_security_group_id = aws_security_group.consul.id
 }
+// This rule exposes the Consul API for traffic from the same CIDR block as approved SSH.
+resource "aws_security_group_rule" "consul_ui_ingress" {
+ security_group_id = aws_security_group.consul.id
+ type = "ingress"
+ from_port = 8500
+ to_port = 8500
+ protocol = "tcp"
+ cidr_blocks = var.allowed_inbound_cidrs
+}
+
 // This rule allows Consul DNS.
 resource "aws_security_group_rule" "consul_dns_tcp" {
 security_group_id = aws_security_group.consul.id
From cdbf820eb3055d3dfdd8a8bec0f3334fad04a2ab Mon Sep 17 00:00:00 2001
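Review bot: The comment on the new `consul_ui_ingress` rule understates what it opens: TCP 8500 is Consul's HTTP API port (the UI is just served from it), so every address in `var.allowed_inbound_cidrs` gets full API access rather than "the UI", and because the README change ties the same list to SSH, widening SSH reach silently widens API reach as well. Consider a dedicated input for UI/API ingress (a new variable, not declared anywhere in this patch) so the two exposures can be tuned independently, and make the comment say what is actually reachable, e.g. `// Allows the Consul HTTP API (which also serves the UI) on 8500 from the approved CIDRs; ACLs/TLS are not enforced by this rule.` A `description` attribute on the rule (`description = "Consul HTTP API/UI from approved CIDRs"`) would also make the intent visible in the AWS console. The neighbouring `consul_api_tcp` and `consul_dns_tcp` resources start and end outside the hunk.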
From: "chloe (@cotarg)"
Date: Fri, 10 Jul 2020 11:24:28 -0700
Subject: [PATCH 2/3] fix client_addr to allow UI
---
 .../scripts/install_hashitools_consul_client.sh.tpl | 2 +-
 .../scripts/install_hashitools_consul_server.sh.tpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/consul_cluster/scripts/install_hashitools_consul_client.sh.tpl b/modules/consul_cluster/scripts/install_hashitools_consul_client.sh.tpl
index e027c53..1371eda 100644
--- a/modules/consul_cluster/scripts/install_hashitools_consul_client.sh.tpl
+++ b/modules/consul_cluster/scripts/install_hashitools_consul_client.sh.tpl
@@ -20,7 +20,7 @@ datacenter = "${datacenter}"
 server = false
 data_dir = "/opt/consul/data"
 advertise_addr = "$${LOCAL_IPV4}"
-client_addr = "127.0.0.1"
+client_addr = "0.0.0.0"
 log_level = "INFO"
 ui = true
 encrypt = "${gossip_key}"
diff --git a/modules/consul_cluster/scripts/install_hashitools_consul_server.sh.tpl b/modules/consul_cluster/scripts/install_hashitools_consul_server.sh.tpl
index 489081d..4558f10 100644
--- a/modules/consul_cluster/scripts/install_hashitools_consul_server.sh.tpl
+++ b/modules/consul_cluster/scripts/install_hashitools_consul_server.sh.tpl
@@ -25,7 +25,7 @@ server = true
 bootstrap_expect = ${bootstrap_expect}
 data_dir = "/opt/consul/data"
 advertise_addr = "$${LOCAL_IPV4}"
-client_addr = "127.0.0.1"
+client_addr = "0.0.0.0"
 log_level = "INFO"
 ui = true
From 24c68707fff357c56d566f1d09a236c85de75c16 Mon Sep 17 00:00:00 2001
From: "chloe (@cotarg)"
Date: Fri, 10 Jul 2020 13:04:12 -0700
Subject: [PATCH 3/3] updated CHANGELOG
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cecdc10..e6f0b58 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
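Review bot: Switching `client_addr` to `0.0.0.0` binds every client-facing listener Consul derives from that setting — HTTP, DNS and gRPC, not only the UI — on all interfaces of both clients and servers, so the change reaches further than the "allow UI" in the subject states; the server template hunk below makes the identical edit and the same comment applies there. If only the HTTP/UI listener needs to be reachable, a narrower option is to leave `client_addr = "127.0.0.1"` and add `addresses { http = "0.0.0.0" }`, or bind to the instance address already used for `advertise_addr`, e.g. `client_addr = "127.0.0.1 $${LOCAL_IPV4}"` (Consul accepts a space-separated list), which also keeps local CLI access on loopback working. Whether ACLs are enabled in this deployment is not visible in the hunk (the CHANGELOG patch mentions an `acl_bootstrap_bool` input), so the security group rule from the first patch is presumably the only control in front of the API; a one-line comment above `client_addr` saying so would help the next maintainer. The config block these lines belong to begins outside the hunk.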
@@ -1,3 +1,11 @@
+## 0.1.3 (July 10, 2020)
+
+IMPROVEMENTS:
+
+* security: added security group rule to expose UI to allowed CIDR blocks
+* documentation: explained new `allowed_inbound_cidrs`
+* variables: renamed var to `acl_bootstrap_bool` to clarify purpose of variable
+
 ## 0.1.2 (July 08, 2020)
 IMPROVEMENTS: