
terraform-yc-modules/terraform-yc-security-group


Security Groups Terraform module for Yandex.Cloud

Features

  • Create Security Group and rules in your VPC
  • Output Security Group ID for referencing

Usage

Use ingress_rules_with_cidrs to add rules whose traffic source is a list of IP address ranges. Note that 0.0.0.0/0 in the example below exposes the port to the whole Internet; in practice, restrict v4_cidr_blocks to the ranges that actually need access:

ingress_rules_with_cidrs = [
  {
    description    = "ssh"
    port           = 22
    protocol       = "TCP"
    v4_cidr_blocks = ["0.0.0.0/0"]
  },
  {
    description    = "ICMP"
    protocol       = "ICMP"
    v4_cidr_blocks = ["0.0.0.0/0"]
    from_port      = 0
    to_port        = 65535
  },
]

Use ingress_rules_with_sg_ids to add rules whose traffic source is another security group (referenced by its ID):

ingress_rules_with_sg_ids = [
  {
    protocol          = "ANY"
    description       = "Communication with web SG"
    security_group_id = "12345678"
  },
]

Use self (enabled by default) to add a "self_security_group" rule that allows communication between instances within the same SG:

self = true
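The inputs above combined in one configuration, as an added example that is not part of this README: two module calls where the database SG admits traffic only from the web SG (using the module's id output instead of a hard-coded ID), SSH is limited to an admin range, and the self rule is narrowed to a single port. The module source string, var.network_id and the CIDR values are assumptions.

```hcl
# Added example, not the module's own README code. Two security groups: the db SG
# admits DB traffic only from the web SG, SSH is limited to an admin range rather
# than 0.0.0.0/0, and the self rule is narrowed to one port. Module source,
# var.network_id and the CIDR values are assumptions.

module "web_sg" {
  source     = "github.com/terraform-yc-modules/terraform-yc-security-group" # assumed
  name       = "web-sg"
  network_id = var.network_id # assumed variable holding an existing VPC network ID
  nlb_hc     = true           # admit NLB health checks via the module's own rule

  ingress_rules_with_cidrs = [
    {
      description    = "HTTPS from the Internet"
      port           = 443
      protocol       = "TCP"
      v4_cidr_blocks = ["0.0.0.0/0"]
    },
    {
      description    = "SSH from the admin range only"
      port           = 22
      protocol       = "TCP"
      v4_cidr_blocks = ["203.0.113.0/24"] # constructed documentation range
    },
  ]
}

module "db_sg" {
  source     = "github.com/terraform-yc-modules/terraform-yc-security-group" # assumed
  name       = "db-sg"
  network_id = var.network_id

  # Source is the web SG's ID from the module output, not a hard-coded "12345678".
  ingress_rules_with_sg_ids = [
    {
      description       = "PostgreSQL from web SG"
      port              = 5432
      protocol          = "TCP"
      security_group_id = module.web_sg.id
    },
  ]

  # Narrow the default self rule (protocol ANY, all ports) to the replication port.
  self_protocol = "TCP"
  self_port     = 5432
}
```

Neither module call lists egress_rules, so no egress rule is created for these groups; add one explicitly where outbound traffic is required.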

How to configure Terraform for Yandex.Cloud

  • Install YC CLI
  • Add environment variables for Terraform authentication in Yandex Cloud:
export YC_TOKEN=$(yc iam create-token)
export YC_CLOUD_ID=$(yc config get cloud-id)
export YC_FOLDER_ID=$(yc config get folder-id)

Requirements

Name Version
terraform >= 1.3.0
yandex >= 0.100

Providers

Name Version
yandex 0.139.0

Modules

No modules.

Resources

Name Type
yandex_vpc_security_group.this resource
yandex_vpc_security_group_rule.egress_rules resource
yandex_vpc_security_group_rule.ingress_nlb_hc_rule resource
yandex_vpc_security_group_rule.ingress_rules_with_cidrs resource
yandex_vpc_security_group_rule.ingress_rules_with_sg_ids resource
yandex_vpc_security_group_rule.ingress_self_rule resource
yandex_client_config.client data source

Inputs

description
  Description of the security group.
  Type: string. Default: "Managed by Terraform". Required: no.

egress_rules
  List of egress rules with CIDR blocks as destinations. Each rule can include:
  - description: (Optional) Description of the rule
  - protocol: (Optional) Protocol. Allowed values: TCP, UDP, ICMP, ANY. Default: ANY
  - port: (Optional) Single port number
  - from_port: (Optional) Start of port range. Default: 0
  - to_port: (Optional) End of port range. Default: 65535
  - v4_cidr_blocks: (Optional) List of IPv4 CIDR blocks. Default: ["0.0.0.0/0"]
  Note: use either 'port' or the 'from_port'/'to_port' pair, not both.
  Example:
    egress_rules = [
      {
        protocol       = "ANY"
        description    = "To the internet"
        v4_cidr_blocks = ["0.0.0.0/0"]
      },
    ]
  Type:
    list(object({
      description    = optional(string, "")
      protocol       = optional(string, "ANY")
      port           = optional(number)
      from_port      = optional(number, 0)
      to_port        = optional(number, 65535)
      v4_cidr_blocks = optional(list(string), ["0.0.0.0/0"])
    }))
  Default: []. Required: no.

folder_id
  Folder ID where the resources will be created.
  Type: string. Default: null. Required: no.

ingress_rules_with_cidrs
  List of ingress rules with CIDR blocks as sources. Each rule can include:
  - description: (Optional) Description of the rule
  - protocol: (Optional) Protocol. Allowed values: TCP, UDP, ICMP, ANY. Default: ANY
  - port: (Optional) Single port number
  - from_port: (Optional) Start of port range. Used with to_port
  - to_port: (Optional) End of port range. Used with from_port
  - v4_cidr_blocks: (Optional) List of IPv4 CIDR blocks
  Note: use either 'port' or the 'from_port'/'to_port' pair, not both.
  Example:
    ingress_rules_with_cidrs = [
      {
        description    = "ssh"
        port           = 22
        protocol       = "TCP"
        v4_cidr_blocks = ["0.0.0.0/0"]
      },
      {
        description    = "ICMP"
        protocol       = "ICMP"
        v4_cidr_blocks = ["0.0.0.0/0"]
        from_port      = 0
        to_port        = 65535
      },
    ]
  Type:
    list(object({
      description    = optional(string, "")
      protocol       = optional(string, "ANY")
      port           = optional(number)
      from_port      = optional(number)
      to_port        = optional(number)
      v4_cidr_blocks = optional(list(string), [])
    }))
  Default: []. Required: no.

ingress_rules_with_sg_ids
  List of ingress rules with other security groups as sources. Each rule can include:
  - description: (Optional) Description of the rule
  - protocol: (Optional) Protocol. Allowed values: TCP, UDP, ICMP, ANY. Default: ANY
  - port: (Optional) Single port number
  - from_port: (Optional) Start of port range. Used with to_port
  - to_port: (Optional) End of port range. Used with from_port
  - security_group_id: (Required) ID of the source security group
  Note: use either 'port' or the 'from_port'/'to_port' pair, not both.
  Example:
    ingress_rules_with_sg_ids = [
      {
        protocol          = "ANY"
        description       = "Communication with web SG"
        security_group_id = "12345678"
      },
    ]
  Type:
    list(object({
      description       = optional(string, "")
      protocol          = optional(string, "ANY")
      port              = optional(number)
      from_port         = optional(number)
      to_port           = optional(number)
      security_group_id = string
    }))
  Default: []. Required: no.

labels
  Set of key/value label pairs to assign.
  Type: map(string). Default: null. Required: no.

name
  Security group name.
  Type: string. Default: n/a. Required: yes.

network_id
  ID of the existing network where the resources will be created.
  Type: string. Default: null. Required: no.

nlb_hc
  Allow communication with the NLB health check servers.
  Type: bool. Default: false. Required: no.

self
  Allow communication inside the security group (creates the self rule).
  Type: bool. Default: true. Required: no.

self_from_port
  Start of the port range for the self rule.
  Type: number. Default: null. Required: no.

self_port
  Single port for the self rule.
  Type: number. Default: null. Required: no.

self_protocol
  Protocol for the self rule.
  Type: string. Default: "ANY". Required: no.

self_to_port
  End of the port range for the self rule.
  Type: number. Default: null. Required: no.

Outputs

Name Description
id Security group ID
