
Network Security Group

The module creates network security groups (NSGs) for the given rules. Read about NSG concepts here.

Using this module you can configure an NSG and customise the rules for each group. Have a look at variables.tf to check what the module expects.

Limitations

  • IP protocols are limited to TCP and UDP.
  • Destination or source is limited to type CIDR_BLOCK (IP addresses only).
  • All rules are stateful.
  • Port ranges are not supported (each rule covers a single port, so you have to create a separate rule for each port).
  • No support for setting the source port (the port is always the packet's destination port).

Rules and IPs

Although a list of IPs is passed to a single rule when using the module, behind the scenes each IP results in a separate rule being created. For example, if you pass one group that has 3 rules, and each rule contains 5 IPs, the module creates a total of 15 rules for that group.

Example

The usage of this module is simple: create a map of groups, where each group is a map of rule objects.

Creating two security groups with the following rules:

  • Group 1:
    • Rule 1: allow TCP ingress from IPs ["192.168.100.12", "192.168.100.12"] to port 9090
    • Rule 2: allow TCP ingress from IPs ["192.168.100.14", "192.168.100.16"] to port 9091
    • Rule 3: allow TCP egress to IPs ["192.168.100.12", "192.168.100.12"] on port 8000
  • Group 2:
    • Rule 1: allow UDP ingress from IPs ["192.168.200.12", "192.168.200.13"] to port 30091
    • Rule 2: allow TCP ingress from IPs ["192.168.200.12", "192.168.100.12"] to port 9000

```hcl
module "network_security_groups" {
  # Path (or registry address) of this module
  source = "PATH_TO_MODULE"

  vcn_id                  = "ocixxxxxx.xxxxxx.xxxxx"
  compartment_id          = "ocixxxxxx.xxxxxx.xxxxx"
  network_security_groups = {
    "group_1" = {
      "rule_1" = {
        direction = "INGRESS"
        protocol  = "tcp"
        port      = 9090
        ips       = ["192.168.100.12", "192.168.100.12"]
      }
      "rule_2" = {
        direction = "INGRESS"
        protocol  = "tcp"
        port      = 9091
        ips       = ["192.168.100.14", "192.168.100.16"]
      }
      # Rule keys must be unique within a group: a repeated "rule_1" key is rejected by HCL
      "rule_3" = {
        direction = "EGRESS"
        protocol  = "tcp"
        port      = 8000
        ips       = ["192.168.100.12", "192.168.100.12"]
      }
    }

    "group_2" = {
      "rule_1" = {
        direction = "INGRESS"
        protocol  = "udp"
        port      = 30091
        ips       = ["192.168.200.12", "192.168.200.13"]
      }
      "rule_2" = {
        direction = "INGRESS"
        protocol  = "tcp"
        port      = 9000
        ips       = ["192.168.200.12", "192.168.100.12"]
      }
    }
  }
}
```

Note: the above results in a total of 6 rules for Group 1 and 4 rules for Group 2.
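To make the per-IP expansion described under "Rules and IPs" concrete, the following added Python script (an illustration written for this README, not the module's own code) flattens a `network_security_groups` map into the individual rules the module would create, enforces the documented limitations, and reports redundant rules such as the repeated IP in the example above. The `EXAMPLE_GROUPS` input is constructed to mirror the example configuration.

```python
# Per-IP expansion of a network_security_groups map (3 rules x 5 IPs -> 15) plus limit checks; added illustration, not module code.
from collections import Counter, namedtuple
from ipaddress import ip_network

# cidr: source for INGRESS, destination for EGRESS (CIDR_BLOCK only); port: single destination port.
NsgRule = namedtuple("NsgRule", "group name direction protocol port cidr")
ALLOWED_PROTOCOLS = {"tcp", "udp"}  # limitation: TCP and UDP only

def expand_rules(groups: dict) -> list:
    """One NsgRule per (rule, ip) pair, validating each rule against the documented limits."""
    out = []
    for group, rules in groups.items():
        for name, r in rules.items():
            if r["direction"] not in ("INGRESS", "EGRESS"):
                raise ValueError(f"{group}.{name}: direction must be INGRESS or EGRESS")
            if r["protocol"] not in ALLOWED_PROTOCOLS:
                raise ValueError(f"{group}.{name}: only tcp and udp are supported")
            if not 1 <= int(r["port"]) <= 65535:
                raise ValueError(f"{group}.{name}: port must be a single port in 1-65535")
            for ip in r["ips"]:
                cidr = str(ip_network(ip, strict=True))  # "a.b.c.d" becomes "a.b.c.d/32"
                out.append(NsgRule(group, name, r["direction"], r["protocol"], int(r["port"]), cidr))
    return out

def count_rules(groups: dict) -> dict:
    """Rules the module would create per group, duplicates included."""
    return dict(Counter(rule.group for rule in expand_rules(groups)))

def duplicate_rules(groups: dict) -> list:
    """Rules identical in (direction, protocol, port, cidr) within a group, e.g. a repeated IP."""
    seen, dups = set(), []
    for rule in expand_rules(groups):
        key = (rule.group, rule.direction, rule.protocol, rule.port, rule.cidr)
        if key in seen:
            dups.append(rule)
        seen.add(key)
    return dups

# Constructed input mirroring the README example (third group_1 rule named rule_3).
EXAMPLE_GROUPS = {
    "group_1": {
        "rule_1": {"direction": "INGRESS", "protocol": "tcp", "port": 9090, "ips": ["192.168.100.12", "192.168.100.12"]},
        "rule_2": {"direction": "INGRESS", "protocol": "tcp", "port": 9091, "ips": ["192.168.100.14", "192.168.100.16"]},
        "rule_3": {"direction": "EGRESS", "protocol": "tcp", "port": 8000, "ips": ["192.168.100.12", "192.168.100.12"]},
    },
    "group_2": {
        "rule_1": {"direction": "INGRESS", "protocol": "udp", "port": 30091, "ips": ["192.168.200.12", "192.168.200.13"]},
        "rule_2": {"direction": "INGRESS", "protocol": "tcp", "port": 9000, "ips": ["192.168.200.12", "192.168.100.12"]},
    },
}
```

Running `count_rules(EXAMPLE_GROUPS)` gives 6 rules for group_1 and 4 for group_2, matching the note above, while `duplicate_rules` flags the two redundant rules produced by the repeated 192.168.100.12 entries in group_1.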