security (terraform)
Introduction
In AWS, a security group is both an EC2 feature and a VPC feature: it is attached to elastic network interfaces (EC2 instances, VPC endpoints, etc.) but is scoped to, and only usable within, a single VPC.
A VPC has:
Network ACLs
Security groups
Network ACLs
TBD. (Network ACLs are stateless, subnet-level allow/deny rules evaluated in numeric order; the security groups described below are stateful and evaluated per network interface.)
Security groups
Note: `referenced_security_group_id` allows traffic from the private IP addresses of the network interfaces associated with the referenced security group; it does not copy that group's rules into the current one. When a rule references its own group (as in the ingress rule below), traffic is admitted only between members of that same group, not from the VPC at large.
# Security group attached to the OpenSearch Serverless VPC endpoint.
# Rules are managed by the standalone aws_vpc_security_group_*_rule resources
# below; do not add inline ingress/egress blocks here, as the provider warns
# that the two styles conflict with each other.
resource "aws_security_group" "security_group" {
  count = var.creatable ? 1 : 0

  # name_prefix + create_before_destroy: a replacement group gets a fresh
  # generated name and is created before the old one is destroyed, so the
  # endpoint is never left without a group during replacement.
  name_prefix = "${local.collection_name}-opensearch-"
  vpc_id      = var.vpc_id

  # Maps to GroupDescription, which has no Update API; any change forces
  # replacement (hence create_before_destroy above).
  description = "OpenSearch Serverless"

  tags = {
    Name = "${local.collection_name} OSS collection"
  }

  lifecycle {
    create_before_destroy = true
  }
}
# Allow all outbound IPv4 traffic from members of the security group.
# NOTE(review): security groups are stateful and an interface-endpoint ENI
# does not originate connections, so this rule is mostly inert for the
# endpoint itself; it does apply to any other resource (e.g. clients) that
# carries this group. Consider narrowing it if the group is shared that way.
resource "aws_vpc_security_group_egress_rule" "sg_egress_ipv4" {
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allow all outbound traffic (IPv4)"

  # "-1" selects every protocol; from_port/to_port must be omitted in that case.
  ip_protocol = "-1"
  cidr_ipv4   = "0.0.0.0/0"
}
# Allow all outbound IPv6 traffic from members of the security group.
# Mirrors sg_egress_ipv4; the same caveat applies: the endpoint ENI does not
# initiate connections, so this rule matters mainly for any clients that share
# the group.
resource "aws_vpc_security_group_egress_rule" "sg_egress_ipv6" {
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allow all outbound traffic (IPv6)"

  # "-1" selects every protocol; from_port/to_port must be omitted in that case.
  ip_protocol = "-1"
  cidr_ipv6   = "::/0"
}
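# Allow HTTPS from members of this security group (self-reference).
# Clients reach the endpoint by carrying this same group; referencing the group
# itself admits traffic only from their private IPs, not from the whole VPC.
#
# Least privilege: the rule was previously ip_protocol "-1" (all protocols and
# ports). OpenSearch Serverless endpoints are served over HTTPS only, and an
# all-protocol self-reference also lets every client attached to this group
# reach every other client on any port. The rule is therefore narrowed to
# TCP 443; widen it deliberately if another service ever shares this group.
resource "aws_vpc_security_group_ingress_rule" "sg_ingress_within" {
  count = var.creatable ? 1 : 0

  security_group_id            = aws_security_group.security_group[0].id
  referenced_security_group_id = aws_security_group.security_group[0].id
  description                  = "Allow HTTPS (TCP 443) from members of this security group"

  # from_port/to_port are required once ip_protocol is not "-1".
  ip_protocol = "tcp"
  from_port   = 443
  to_port     = 443
}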