From c404459262c5083500f07d92b026fdc08118f60a Mon Sep 17 00:00:00 2001 From: Omar Khawaja Date: Wed, 8 Jul 2020 14:09:57 -0400 Subject: [PATCH 1/2] update config to specify inbound CIDRs --- README.md | 20 ++++++++++---------- main.tf | 1 + modules/consul_cluster/security_groups.tf | 9 +++++++++ modules/consul_cluster/variables.tf | 5 +++++ variables.tf | 5 +++++ 5 files changed, 30 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 2161201..f537e51 100644 --- a/README.md +++ b/README.md @@ -23,16 +23,16 @@ provider "random" { } module "consul_cluster" { - source = "hashicorp/consul-oss/aws" - version = "0.1.0" - - vpc_id = "" - owner = "" - consul_version = "" - name_prefix = "" - key_name = "" - consul_servers = 5 - consul_clients = 3 + source = "hashicorp/consul-oss/aws" + version = "0.1.0" + allowed_inbound_cidrs = [""] + vpc_id = "" + owner = "" + consul_version = "" + name_prefix = "" + key_name = "" + consul_servers = 5 + consul_clients = 3 } ``` diff --git a/main.tf b/main.tf index bfb67f8..25b8944 100644 --- a/main.tf +++ b/main.tf @@ -1,6 +1,7 @@ module "consul_cluster" { source = "./modules/consul_cluster" + allowed_inbound_cidrs = var.allowed_inbound_cidrs instance_type = var.instance_type consul_version = var.consul_version consul_cluster_version = var.consul_cluster_version diff --git a/modules/consul_cluster/security_groups.tf b/modules/consul_cluster/security_groups.tf index 95ff3e5..4a6abde 100644 --- a/modules/consul_cluster/security_groups.tf +++ b/modules/consul_cluster/security_groups.tf @@ -5,6 +5,15 @@ resource "aws_security_group" "consul" { vpc_id = var.vpc_id } +resource "aws_security_group_rule" "consul_ssh" { + security_group_id = aws_security_group.consul.id + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = var.allowed_inbound_cidrs +} + # rule to allow egress from 443 to 443 externally resource "aws_security_group_rule" "consul_external_egress_https" { security_group_id = aws_security_group.consul.id diff --git a/modules/consul_cluster/variables.tf b/modules/consul_cluster/variables.tf index d6e3fcd..261971c 100644 --- a/modules/consul_cluster/variables.tf +++ b/modules/consul_cluster/variables.tf @@ -1,3 +1,8 @@ +variable "allowed_inbound_cidrs" { + type = list(string) + description = "List of CIDR blocks to permit inbound Consul access from" +} + variable "bootstrap" { type = bool default = true diff --git a/variables.tf b/variables.tf index d6e3fcd..261971c 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,8 @@ +variable "allowed_inbound_cidrs" { + type = list(string) + description = "List of CIDR blocks to permit inbound Consul access from" +} + variable "bootstrap" { type = bool default = true From b7ed6dd1add7e0caceea3a6ce1059ac1fecc6140 Mon Sep 17 00:00:00 2001 From: "chloe (@cotarg)" Date: Wed, 8 Jul 2020 11:41:53 -0700 Subject: [PATCH 2/2] cut changelog for 0.1.2 --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93bb229..cecdc10 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.1.2 (July 08, 2020) + +IMPROVEMENTS: + +* security: added security group rule for inbound on port 22 and variable for approved CIDR blocks + ## 0.1.1 (July 02, 2020) IMPROVEMENTS: