The AWS Security Group module creates:
- A standard AWS security group
- An AWS security group configured with a network interface attachment to connect to an existing network interface
The following modules should already have been applied and configured prior to the deployment steps:
- AWS Account Setup: https://github.com/Coalfire-CF/terraform-aws-account-setup
- Any resources requiring security groups
- Security Group with ingress and egress rules
- Network Interface Associations (optional)
Simple main.tf example:

```hcl
module "example_sg" {
  source = "github.com/Coalfire-CF/terraform-aws-securitygroup?ref=v1.0.1" # Path to security group module
  name   = "security_group_module_example_simple"                          # Name assigned inside the module
  tags   = local.global_tags
  vpc_id = aws_vpc.main.id # Associate SG with the created VPC

  ingress_rules = { # Ingress rules allowing inbound HTTPS and SSH traffic
    "allow_https" = {
      ip_protocol = "tcp"
      from_port   = "443"
      to_port     = "443"
      cidr_ipv4   = aws_vpc.main.cidr_block # Allow HTTPS from within the VPC CIDR
    }
    "allow_ssh" = {
      ip_protocol = "tcp"
      from_port   = "22"
      to_port     = "22"
      cidr_ipv4   = aws_vpc.main.cidr_block # Allow SSH from within the VPC CIDR
    }
  }

  egress_rules = { # Egress rules allowing all outbound traffic
    "allow_all_egress" = {
      ip_protocol = "-1"
      cidr_ipv4   = "0.0.0.0/0" # Allow all outbound traffic to anywhere
      description = "Allow all egress"
    }
  }
}
```
Network Association main.tf example:

```hcl
module "example_sg" {
  source = "github.com/Coalfire-CF/terraform-aws-securitygroup?ref=v1.0.1" # Path to security group module
  name   = "security_group_module_example_network_assoc"                   # Name assigned inside the module
  vpc_id = aws_vpc.main.id                                                  # Associate SG with the created VPC
  tags   = local.global_tags

  ingress_rules = { # Ingress rules allowing inbound HTTPS and SSH traffic
    "allow_https" = {
      ip_protocol = "tcp"
      from_port   = "443"
      to_port     = "443"
      cidr_ipv4   = aws_vpc.main.cidr_block # Allow HTTPS from within the VPC CIDR
    }
    "allow_ssh" = {
      ip_protocol = "tcp"
      from_port   = "22"
      to_port     = "22"
      cidr_ipv4   = aws_vpc.main.cidr_block # Allow SSH from within the VPC CIDR
    }
  }

  egress_rules = { # Egress rules allowing all outbound traffic
    "allow_all_egress" = {
      ip_protocol = "-1"
      cidr_ipv4   = "0.0.0.0/0" # Allow all outbound traffic to anywhere
      description = "Allow all egress"
    }
  }

  # Attach the security group to existing network interfaces instead of
  # declaring it on the instances themselves
  network_interface_resource_associations = [
    aws_instance.instance1.primary_network_interface_id,
    aws_instance.instance2.primary_network_interface_id
  ]
}
```
Below you will find the required steps to establish a secure connection to the AWS cloud environment used for the build.

IAM user authentication:
- Download and install the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
- Log into the AWS Console and create AWS CLI Credentials (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)
- Configure the named profile used for the project, such as `aws configure --profile example-mgmt`

SSO-based authentication (via IAM Identity Center SSO):
- Log in to the AWS IAM Identity Center console, select the permission set for MGMT, and select the 'Access Keys' link.
- Choose the 'IAM Identity Center credentials' method to get the SSO Start URL and SSO Region values.
- Run the setup command `aws configure sso --profile example-mgmt` and follow the prompts.
- Verify you can run AWS commands successfully, for example `aws s3 ls --profile example-mgmt`.
- Run `export AWS_PROFILE=example-mgmt` in your terminal to use the specific profile and avoid having to use the `--profile` option.

Deployment steps:
- Navigate to the Terraform project and create a parent directory in the upper level code, for example:
  `../aws/terraform/{REGION}/management-account/example`
  If multi-account management plane:
  `../aws/terraform/{REGION}/{ACCOUNT_TYPE}-mgmt-account/example`
- Create a new branch. The branch name should provide a high level overview of what you're working on.
- Create a properly defined main.tf file via the template found under 'Usage' while adjusting tfvars as needed. Note that many provided variables are outputs from other modules. Example parent directory:

  ```
  security_group/
  ├── README.md
  ├── example.auto.tfvars
  ├── locals.tf
  ├── main.tf
  ├── outputs.tf
  ├── providers.tf
  ├── variables.tf
  ├── ...
  ```

- Change directories to the `security_group` directory.
- Ensure that the `prefix.auto.tfvars` variables are correct (especially the profile).
- Customize code to meet requirements, e.g. add/remove inbound rules, add/remove outbound rules.
- From the `security_group` directory, initialize the Terraform working directory: `terraform init`
- Standardize formatting in code: `terraform fmt`
- Optional: ensure proper syntax and "spell check" your code: `terraform validate`
- Create an execution plan and verify everything looks correct: `terraform plan`
- Apply the configuration: `terraform apply`
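The "verify everything looks correct" step above is where an over-permissive ingress rule is cheapest to catch. The Python script below is an added example, not part of the Coalfire module or its documentation: it reads the JSON form of a plan (`terraform show -json tfplan`), walks the module tree, and reports every `aws_vpc_security_group_ingress_rule` the module would create that is open to `0.0.0.0/0` or `::/0`, rating all-protocol rules and rules that reach SSH/RDP as HIGH. The embedded plan excerpt is constructed for the example and follows the `planned_values.root_module` layout of Terraform's plan JSON; the rule field names (`ip_protocol`, `from_port`, `to_port`, `cidr_ipv4`, `cidr_ipv6`) are those of the provider resource this module uses.

```python
"""Pre-apply check for internet-exposed ingress rules in a Terraform plan.

Added example; not code from the terraform-aws-securitygroup module.
Usage:  terraform show -json tfplan | python check_sg_plan.py
Without piped input the constructed SAMPLE_PLAN below is checked instead.
"""
import json
import sys

# Management ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}  # SSH, RDP

# Constructed plan excerpt (not real output): one HTTPS rule scoped to the VPC
# CIDR (fine), one SSH rule open to the world (HIGH) and one all-protocol
# IPv6 rule open to the world (HIGH). Layout mirrors `terraform show -json`.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"child_modules": [{
        "address": "module.example_sg",
        "resources": [
            {"address": 'module.example_sg.aws_vpc_security_group_ingress_rule.this["allow_https"]',
             "type": "aws_vpc_security_group_ingress_rule",
             "values": {"ip_protocol": "tcp", "from_port": 443, "to_port": 443,
                        "cidr_ipv4": "10.0.0.0/16", "cidr_ipv6": None}},
            {"address": 'module.example_sg.aws_vpc_security_group_ingress_rule.this["allow_ssh"]',
             "type": "aws_vpc_security_group_ingress_rule",
             "values": {"ip_protocol": "tcp", "from_port": 22, "to_port": 22,
                        "cidr_ipv4": "0.0.0.0/0", "cidr_ipv6": None}},
            {"address": 'module.example_sg.aws_vpc_security_group_ingress_rule.this["allow_any"]',
             "type": "aws_vpc_security_group_ingress_rule",
             "values": {"ip_protocol": "-1", "from_port": None, "to_port": None,
                        "cidr_ipv4": None, "cidr_ipv6": "::/0"}},
        ]}]}}})


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def world_open(values):
    """True when the rule's source is the entire IPv4 or IPv6 internet."""
    return values.get("cidr_ipv4") == "0.0.0.0/0" or values.get("cidr_ipv6") == "::/0"


def covers_port(values, port):
    """True when the rule admits traffic to `port` (all protocols or port in range)."""
    if values.get("ip_protocol") == "-1":
        return True
    lo, hi = values.get("from_port"), values.get("to_port")
    return lo is not None and hi is not None and lo <= port <= hi


def check_plan(plan_json):
    """Return [(resource address, severity, reason)] for internet-exposed ingress rules."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_vpc_security_group_ingress_rule":
            continue
        values = res.get("values", {})
        if not world_open(values):
            continue
        if values.get("ip_protocol") == "-1":
            findings.append((res["address"], "HIGH", "all protocols open to the internet"))
        elif any(covers_port(values, p) for p in ADMIN_PORTS):
            findings.append((res["address"], "HIGH", "admin port (SSH/RDP) open to the internet"))
        else:
            findings.append((res["address"], "MEDIUM", "ingress open to the internet"))
    return findings


if __name__ == "__main__":
    data = SAMPLE_PLAN if sys.stdin.isatty() else (sys.stdin.read() or SAMPLE_PLAN)
    results = check_plan(data)
    for address, severity, reason in results:
        print(f"{severity}: {address}: {reason}")
    # Non-zero exit lets a CI job block `terraform apply` on a HIGH finding.
    sys.exit(1 if any(sev == "HIGH" for _, sev, _ in results) else 0)
```

The walk over `child_modules` matters because this module's rules are created inside `module.example_sg`, not at the root; a check that only reads `root_module.resources` would report nothing. Egress is deliberately left alone here, since the module's own examples allow all outbound traffic.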
Requirements:

Name | Version |
---|---|
terraform | >= 1.5.0 |
aws | ~> 5.0 |

Providers:

Name | Version |
---|---|
aws | ~> 5.0 |

Modules:

No modules.

Resources:

Name | Type |
---|---|
aws_network_interface_sg_attachment.this | resource |
aws_security_group.this | resource |
aws_vpc_security_group_egress_rule.this | resource |
aws_vpc_security_group_ingress_rule.this | resource |
aws_network_interface.interfaces | data source |

Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
description | This overwrites the default generated description for the security group | `string` | `"Managed by Terraform"` | no |
egress_rules | The list of rules for egress traffic. Required fields for each rule are 'protocol', 'from_port', 'to_port', and at least one of 'cidr_blocks', 'ipv6_cidr_blocks', 'security_groups', 'self', or 'prefix_list_sg'. Optional fields are 'description' and those not used from the previous list | `map(object({` | `{}` | no |
ingress_rules | The list of rules for ingress traffic. Required fields for each rule are 'protocol', 'from_port', 'to_port', and at least one of 'cidr_blocks', 'ipv6_cidr_blocks', 'security_groups', 'self', or 'prefix_list_sg'. Optional fields are 'description' and those not used from the previous list | `map(object({` | `{}` | no |
name | The name of the created security group. Conflicts with 'sg_name_prefix' | `string` | n/a | yes |
network_interface_resource_associations | The IDs of already existing network interfaces to be associated with the created security group. If used, do not declare the SG in the creation of those resources | `list(string)` | `[]` | no |
sg_name_prefix | The prefix to be used while generating a unique name for the security group. Conflicts with 'sg_name' | `string` | n/a | yes |
tags | Additional tags (e.g. map(BusinessUnit, XYZ)). | `map(any)` | `{}` | no |
vpc_id | The ID of the VPC that the security group will be associated with | `string` | `null` | no |

Outputs:

Name | Description |
---|---|
associated_network_interfaces | The ARNs of the network interfaces associated to the security group by this module |
id | The id of the created security group |
Copyright © 2023 Coalfire Systems Inc.