Merge pull request #15 from hashicorp/sg-port-22

update config to specify inbound CIDRs
hashicorp · Jul 8, 2020 · e948e70 · e948e70
2 parents c3951a9 + b7ed6dd
commit e948e70
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.1.2 (July 08, 2020)
+
+IMPROVEMENTS:
+
+* security: added security group rule for inbound on port 22 and variable for approved CIDR blocks
+
 ## 0.1.1 (July 02, 2020)
 
 IMPROVEMENTS:

diff --git a/README.md b/README.md
@@ -23,16 +23,16 @@ provider "random" {
 }
 
 module "consul_cluster" {
-  source         = "hashicorp/consul-oss/aws"
-  version        = "0.1.0"
-
-  vpc_id         = "<your VPC id>"
-  owner          = "<owner name/tag>"
-  consul_version = "<version of Consul>"
-  name_prefix    = "<name prefix you would like attached to your environment>"
-  key_name       = "<your SSH key name>"
-  consul_servers = 5
-  consul_clients = 3
+  source                = "hashicorp/consul-oss/aws"
+  version               = "0.1.0"
+  allowed_inbound_cidrs = ["<list of inbound CIDRs>"]
+  vpc_id                = "<your VPC id>"
+  owner                 = "<owner name/tag>"
+  consul_version        = "<version of Consul>"
+  name_prefix           = "<name prefix you would like attached to your environment>"
+  key_name              = "<your SSH key name>"
+  consul_servers        = 5
+  consul_clients        = 3
 }
 ```
 

diff --git a/main.tf b/main.tf
@@ -1,6 +1,7 @@
 module "consul_cluster" {
   source = "./modules/consul_cluster"
 
+  allowed_inbound_cidrs  = var.allowed_inbound_cidrs
   instance_type          = var.instance_type
   consul_version         = var.consul_version
   consul_cluster_version = var.consul_cluster_version

diff --git a/modules/consul_cluster/security_groups.tf b/modules/consul_cluster/security_groups.tf
@@ -5,6 +5,15 @@ resource "aws_security_group" "consul" {
   vpc_id      = var.vpc_id
 }
 
+resource "aws_security_group_rule" "consul_ssh" {
+  security_group_id = aws_security_group.consul.id
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = var.allowed_inbound_cidrs
+}
+
 # rule to allow egress from 443 to 443 externally
 resource "aws_security_group_rule" "consul_external_egress_https" {
   security_group_id = aws_security_group.consul.id

diff --git a/modules/consul_cluster/variables.tf b/modules/consul_cluster/variables.tf
@@ -1,3 +1,8 @@
+variable "allowed_inbound_cidrs" {
+  type        = list(string)
+  description = "List of CIDR blocks to permit inbound Consul access from"
+}
+
 variable "bootstrap" {
   type        = bool
   default     = true

diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,8 @@
+variable "allowed_inbound_cidrs" {
+  type        = list(string)
+  description = "List of CIDR blocks to permit inbound Consul access from"
+}
+
 variable "bootstrap" {
   type        = bool
   default     = true