Awesome

AWS EC2-VPC Security Group Terraform module

Terraform module which creates EC2 security group within VPC on AWS.

Features

This module aims to implement ALL combinations of arguments supported by AWS and latest stable version of Terraform:

• IPv4/IPv6 CIDR blocks
• VPC endpoint prefix lists (use data source aws_prefix_list)
• Access from source security groups
• Access from self
• Named rules (see the rules here)
• Named groups of rules with ingress (inbound) and egress (outbound) ports open for common scenarios (eg, ssh, http-80, mysql, see the whole list here)
• Conditionally create security group and/or all required security group rules.

Ingress and egress rules can be configured in a variety of ways. See inputs section for all supported arguments and complete example for the complete use-case.

If there is a missing feature or a bug - open an issue.

Terraform versions

For Terraform 0.13 or later use any version from v4.5.0 of this module or newer.

For Terraform 0.12 use any version from v3.* to v4.4.0.

If you are using Terraform 0.11 you can use versions v2.*.

Usage

There are two ways to create security groups using this module:

1. Specifying predefined rules (HTTP, SSH, etc)
2. Specifying custom rules

Security group with predefined rules

module "web_server_sg" {
  source = "terraform-aws-modules/security-group/aws//modules/http-80"

  name        = "web-server"
  description = "Security group for web-server with HTTP ports open within VPC"
  vpc_id      = "vpc-12345678"

  ingress_cidr_blocks = ["10.10.0.0/16"]
}

Security group with custom rules

module "vote_service_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_cidr_blocks      = ["10.10.0.0/16"]
  ingress_rules            = ["https-443-tcp"]
  ingress_with_cidr_blocks = [
    {
      from_port   = 8080
      to_port     = 8090
      protocol    = "tcp"
      description = "User-service ports"
      cidr_blocks = "10.10.0.0/16"
    },
    {
      rule        = "postgresql-tcp"
      cidr_blocks = "0.0.0.0/0"
    },
  ]
}

Note about "value of 'count' cannot be computed"

Terraform 0.11 has a limitation which does not allow computed values inside count attribute on resources (issues: #16712, #18015, ...)

Computed values are values provided as outputs from module. Non-computed values are all others - static values, values referenced as variable and from data-sources.

When you need to specify computed value inside security group rule argument you need to specify it using an argument which starts with computed_ and provide a number of elements in the argument which starts with number_of_computed_. See these examples:

module "http_sg" {
  source = "terraform-aws-modules/security-group/aws"
  # omitted for brevity
}

module "db_computed_source_sg" {
  # omitted for brevity

  vpc_id = "vpc-12345678" # these are valid values also - `module.vpc.vpc_id` and `local.vpc_id`

  computed_ingress_with_source_security_group_id = [
    {
      rule                     = "mysql-tcp"
      source_security_group_id = module.http_sg.security_group_id
    }
  ]
  number_of_computed_ingress_with_source_security_group_id = 1
}

module "db_computed_sg" {
  # omitted for brevity

  ingress_cidr_blocks = ["10.10.0.0/16", data.aws_security_group.default.id]

  computed_ingress_cidr_blocks           = [module.vpc.vpc_cidr_block]
  number_of_computed_ingress_cidr_blocks = 1
}

module "db_computed_merged_sg" {
  # omitted for brevity

  computed_ingress_cidr_blocks           = ["10.10.0.0/16", module.vpc.vpc_cidr_block]
  number_of_computed_ingress_cidr_blocks = 2
}

Note that db_computed_sg and db_computed_merged_sg are equal, because it is possible to put both computed and non-computed values in arguments starting with computed_.

Conditional creation

Sometimes you need a way to conditionally create a security group. If you're using Terraform < 0.13 which lacks module support for count, you can instead specify the argument create.

# This security group will not be created
module "vote_service_sg" {
  source = "terraform-aws-modules/security-group/aws"

  create = false
  # ... omitted
}

Examples

• Complete Security Group example shows all available parameters to configure security group.
• Security Group "Rules Only" example shows how to manage just rules of a security group that is created outside.
• HTTP Security Group example shows more applicable security groups for common web-servers.
• Disable creation of Security Group example shows how to disable creation of security group.
• Dynamic values inside Security Group rules example shows how to specify values inside security group rules (data-sources and variables are allowed).
• Computed values inside Security Group rules example shows how to specify computed values inside security group rules (solution for value of 'count' cannot be computed problem).

How to add/update rules/groups?

Rules and groups are defined in rules.tf. Run update_groups.sh when content of that file has changed to recreate content of all automatic modules.

Known issues

No issue is creating limit on this module.

Requirements

Providers

Modules

No modules.

Resources

Inputs

Outputs

Authors

Module managed by Anton Babenko.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus

• Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
• Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
• Putin khuylo!