In AWS, a Security Group is both an EC2 feature and a VPC feature.
A VPC has:
Network ACLs
Security groups
TBD
Note: The "referenced_security_group_id" allows traffic based on the private IP addresses of the resources associated with the specified security group. It does not add rules from the specified security group to the current security group.
## SG for controlling ingress to the database mydb
resource "aws_security_group" "sg_db_mydb" {
  # Group attached to the mydb RDS instance; its ingress/egress rules are kept
  # in the separate aws_vpc_security_group_*_rule resources that follow.
  vpc_id      = var.vpc_id
  name_prefix = format("%s-%s-rds-mydb-", local.env, local.ci)

  # description is left at the provider default ("Managed by Terraform").
  # Setting it later forces a new resource, so it is not added here.
  # revoke_rules_on_delete is likewise left unset (provider default).

  tags = {
    Name = format("%s-%s-rds-mydb", local.env, local.ci)
  }

  # name_prefix + create_before_destroy: a replacement group can be created
  # under a fresh name before the old one is removed.
  lifecycle {
    create_before_destroy = true
  }
}
# mydb ingress
resource "aws_vpc_security_group_ingress_rule" "mydb_inbound" {
  # Ingress to the mydb group on a single TCP port, sourced from a security
  # group rather than from a CIDR range or prefix list.
  security_group_id = aws_security_group.sg_db_mydb.id
  description       = "Allows inbound traffic from the referenced SG"

  # One port only: from_port == to_port == 5432 (the PostgreSQL default).
  # ip_protocol is "tcp"; "-1" would instead match every protocol.
  ip_protocol = "tcp"
  from_port   = 5432
  to_port     = 5432

  # Source = members of sg_db_gsm, matched on their private addresses (see the
  # note above on referenced_security_group_id). sg_db_gsm is defined elsewhere
  # in the configuration. TODO: confirm this is the intended source group.
  referenced_security_group_id = aws_security_group.sg_db_gsm.id
}
Outbound traffic might be needed for updates and patches, and for replication and clustering — still to be confirmed.
# (IPv4) mydb egress
resource "aws_vpc_security_group_egress_rule" "mydb_outbound4" {
  # IPv4 egress for the mydb group.
  security_group_id = aws_security_group.sg_db_mydb.id
  description       = "Allow all outbound traffic (IPv4)"
  tags              = { Name = "Out IPv4" }

  # Every protocol to any IPv4 destination. With ip_protocol "-1" no port
  # range is required, so from_port/to_port are deliberately not set.
  # NOTE(review): this is the broadest possible egress for a database group;
  # which outbound flows mydb actually needs is still an open question (see
  # above), so this rule is a candidate for tightening once that is known.
  ip_protocol = "-1"
  cidr_ipv4   = "0.0.0.0/0"
}
# (IPv6) mydb egress
resource "aws_vpc_security_group_egress_rule" "mydb_outbound6" {
  # IPv6 counterpart of mydb_outbound4.
  security_group_id = aws_security_group.sg_db_mydb.id
  description       = "Allow all outbound traffic (IPv6)"
  tags              = { Name = "Out IPv6" }

  # Every protocol to any IPv6 destination. With ip_protocol "-1" no port
  # range is required, so from_port/to_port are deliberately not set.
  # NOTE(review): same scoping question as the IPv4 rule — the required
  # outbound flows for mydb are not yet established.
  ip_protocol = "-1"
  cidr_ipv6   = "::/0"
}
# Creates a security group to be associated with the OpenSearch Serverless VPC endpoint
resource "aws_security_group" "security_group" {
  # Only created when the caller allows resource creation; the rule resources
  # below use the same count and index this group as [0].
  count = var.creatable ? 1 : 0

  vpc_id      = var.vpc_id
  name_prefix = format("%s-opensearch-", local.collection_name)

  # Maps to the AWS GroupDescription attribute, which has no Update API:
  # changing it later means replacing the group.
  description = "OpenSearch Serverless"

  tags = {
    Name = format("%s OSS collection", local.collection_name)
  }

  lifecycle {
    create_before_destroy = true
  }
}
# Allows all outbound traffic (IPv4)
resource "aws_vpc_security_group_egress_rule" "sg_egress_ipv4" {
  # Follows the group's count so the rule exists only when the group does.
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allow all outbound traffic (IPv4)"

  # All protocols to any IPv4 destination; from_port/to_port are only required
  # when ip_protocol is something other than "-1" or "icmpv6".
  ip_protocol = "-1"
  cidr_ipv4   = "0.0.0.0/0"
}
# Allows all outbound traffic (IPv6)
resource "aws_vpc_security_group_egress_rule" "sg_egress_ipv6" {
  # IPv6 counterpart of sg_egress_ipv4; same count gating.
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allow all outbound traffic (IPv6)"

  # All protocols to any IPv6 destination; from_port/to_port are only required
  # when ip_protocol is something other than "-1" or "icmpv6".
  ip_protocol = "-1"
  cidr_ipv6   = "::/0"
}
# Allows inbound traffic from within security group
resource "aws_vpc_security_group_ingress_rule" "sg_ingress_within" {
  # Follows the group's count so the rule exists only when the group does.
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allows inbound traffic from within security group"

  # Self-referencing rule: the source is the same group the rule is attached
  # to, so only resources carrying this group can reach each other. No CIDR
  # or prefix-list source is used.
  referenced_security_group_id = aws_security_group.security_group[0].id

  # All protocols; from_port/to_port are only required when ip_protocol is
  # something other than "-1" or "icmpv6".
  ip_protocol = "-1"
}