security (terraform)

Introduction

In AWS, a Security Group is both an EC2 feature and a VPC feature.


A VPC has:


Network ACLs

TBD

Security groups

Note: The `referenced_security_group_id` attribute allows traffic based on the private IP addresses of the resources associated with the specified security group. It does not copy rules from the specified security group into the current security group.


# Creates a security group to be associated with the OpenSearch Serverless VPC endpoint

resource "aws_security_group" "security_group" {
  # The group exists only when the module is enabled. The rule resources
  # below use the same count expression and index [0], so they stay in step.
  count = var.creatable ? 1 : 0

  vpc_id      = var.vpc_id
  name_prefix = "${local.collection_name}-opensearch-"

  # Maps to the AWS GroupDescription attribute, which has no Update API, so a
  # change here replaces the group rather than updating it in place.
  description = "OpenSearch Serverless"

  tags = { Name = "${local.collection_name} OSS collection" }

  # name_prefix + create_before_destroy lets a replacement group be created
  # under a fresh name before the old one is torn down, avoiding a window
  # with no group attached.
  lifecycle {
    create_before_destroy = true
  }

  # Ingress/egress are managed by the standalone aws_vpc_security_group_*_rule
  # resources in this file; do not add inline ingress/egress blocks here, as
  # the two styles fight over the same rules.
}


# Allows all outbound traffic (IPv4)

resource "aws_vpc_security_group_egress_rule" "sg_egress_ipv4" {
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allow all outbound traffic (IPv4)"

  # "-1" selects every protocol; from_port/to_port are only required (and
  # only meaningful) when a specific protocol is named, so they are omitted.
  ip_protocol = "-1"
  cidr_ipv4   = "0.0.0.0/0"

  # NOTE(review): this is unrestricted IPv4 egress. Terraform removes the
  # allow-all egress rule AWS adds to a new group, so an explicit rule is
  # needed if outbound traffic is wanted at all, but 0.0.0.0/0 on all
  # protocols is a standard scanner finding. Security groups are stateful,
  # so replies to client requests do not depend on this rule; confirm whether
  # the endpoint ENI initiates any outbound traffic and narrow (or drop)
  # this rule accordingly.
}


# Allows all outbound traffic (IPv6)

resource "aws_vpc_security_group_egress_rule" "sg_egress_ipv6" {
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allow all outbound traffic (IPv6)"

  # IPv6 counterpart of sg_egress_ipv4; a single rule may carry only one of
  # cidr_ipv4 / cidr_ipv6, hence the separate resource.
  ip_protocol = "-1"
  cidr_ipv6   = "::/0"

  # NOTE(review): unrestricted IPv6 egress, same considerations as the IPv4
  # rule — security groups are stateful, so this only matters for traffic the
  # endpoint ENI itself initiates; if the VPC has no IPv6 addressing the rule
  # is inert but still reported by scanners.
}


# Allows inbound traffic from within security group

resource "aws_vpc_security_group_ingress_rule" "sg_ingress_within" {
  count = var.creatable ? 1 : 0

  security_group_id = aws_security_group.security_group[0].id
  description       = "Allows inbound traffic from within security group"

  # Self-referencing rule: the source is the very group this rule belongs to,
  # so only ENIs that also carry this group (matched on their private IPs)
  # can reach the endpoint. Clients of the collection must therefore have
  # this group attached; nothing else is admitted by this file.
  referenced_security_group_id = aws_security_group.security_group[0].id

  # All protocols and ports between members. NOTE(review): the endpoint is
  # presumably reached over HTTPS only, in which case tcp/443 would be the
  # least-privilege form — confirm the traffic profile before narrowing.
  ip_protocol = "-1"
}