
Add sg 4.x best practices and egress-all sg rule added #22

Closed nitrocode closed 2 years ago

nitrocode commented 2 years ago

what

why

references

commands

terraform plan ```hcl # module.ec2_client_vpn.aws_ec2_client_vpn_network_association.default[0] will be updated in-place ~ resource "aws_ec2_client_vpn_network_association" "default" { id = "cvpn-assoc-snip" ~ security_groups = [ - "sg-snip", - "sg-snip", ] -> (known after apply) # (5 unchanged attributes hidden) } # module.ec2_client_vpn.aws_ec2_client_vpn_network_association.default[1] will be updated in-place ~ resource "aws_ec2_client_vpn_network_association" "default" { id = "cvpn-assoc-snip" ~ security_groups = [ - "sg-snip", - "sg-snip", ] -> (known after apply) # (5 unchanged attributes hidden) } # module.ec2_client_vpn.aws_ec2_client_vpn_network_association.default[2] will be updated in-place ~ resource "aws_ec2_client_vpn_network_association" "default" { id = "cvpn-assoc-snip" ~ security_groups = [ - "sg-snip", - "sg-snip", ] -> (known after apply) # (5 unchanged attributes hidden) } # module.ec2_client_vpn.module.vpn_security_group.aws_security_group.cbd[0] will be created + resource "aws_security_group" "cbd" { + arn = (known after apply) + description = "Managed by Terraform" + egress = (known after apply) + id = (known after apply) + ingress = (known after apply) + name = (known after apply) + name_prefix = "snip-ec2-client-vpn-" + owner_id = (known after apply) + revoke_rules_on_delete = false + tags = { + "Environment" = "use2" + "Name" = "snip-ec2-client-vpn" + "Namespace" = "snip" + "Stage" = "snip" + "Tenant" = "snip" } + tags_all = { + "Environment" = "use2" + "Name" = "snip-ec2-client-vpn" + "Namespace" = "snip" + "Stage" = "snip" + "Tenant" = "snip" } + vpc_id = "vpc-snip" + timeouts { + create = "10m" + delete = "15m" } } # module.ec2_client_vpn.module.vpn_security_group.aws_security_group.default[0] will be destroyed - resource "aws_security_group" "default" { - arn = "arn:aws:ec2:us-east-2:snip:security-group/sg-snip" -> null - description = "Managed by Terraform" -> null - egress = [] -> null - id = "sg-snip" -> null - ingress = [ - { - 
cidr_blocks = [] - description = "Allow self access only by default" - from_port = 0 - ipv6_cidr_blocks = [] - prefix_list_ids = [] - protocol = "-1" - security_groups = [] - self = true - to_port = 0 }, ] -> null - name = "snip-ec2-client-vpn" -> null - owner_id = "snip" -> null - revoke_rules_on_delete = false -> null - tags = { - "Environment" = "use2" - "Name" = "snip-ec2-client-vpn" - "Namespace" = "snip" - "Stage" = "snip" - "Tenant" = "snip" } -> null - tags_all = { - "Environment" = "use2" - "Name" = "snip-ec2-client-vpn" - "Namespace" = "snip" - "Stage" = "snip" - "Tenant" = "snip" } -> null - vpc_id = "vpc-snip" -> null - timeouts { - create = "10m" -> null - delete = "15m" -> null } } # module.ec2_client_vpn.module.vpn_security_group.aws_security_group_rule.keyed["_allow_all_egress_"] will be created + resource "aws_security_group_rule" "keyed" { + cidr_blocks = [ + "0.0.0.0/0", ] + description = "Allow all egress" + from_port = 0 + id = (known after apply) + ipv6_cidr_blocks = [ + "::/0", ] + prefix_list_ids = [] + protocol = "-1" + security_group_id = (known after apply) + self = false + source_security_group_id = (known after apply) + to_port = 0 + type = "egress" } # module.ec2_client_vpn.module.vpn_security_group.aws_security_group_rule.keyed["_m[0]#vpn-self#self"] will be created + resource "aws_security_group_rule" "keyed" { + description = "Allow all ingress to listed security groups" + from_port = 0 + id = (known after apply) + prefix_list_ids = [] + protocol = "-1" + security_group_id = (known after apply) + self = true + source_security_group_id = (known after apply) + to_port = 0 + type = "ingress" } # module.ec2_client_vpn.module.vpn_security_group.aws_security_group_rule.keyed["vpn-self"] will be destroyed - resource "aws_security_group_rule" "keyed" { - cidr_blocks = [] -> null - description = "Allow self access only by default" -> null - from_port = 0 -> null - id = "sgrule-3220596061" -> null - ipv6_cidr_blocks = [] -> null - 
prefix_list_ids = [] -> null - protocol = "-1" -> null - security_group_id = "sg-snip" -> null - self = true -> null - source_security_group_id = "sg-snip" -> null - to_port = 0 -> null - type = "ingress" -> null } Plan: 3 to add, 3 to change, 2 to destroy. ```
nitrocode commented 2 years ago

/test all