
setup security groups

Chris Mague 6 rokov pred
commit
669e0572cf
6 zmenil súbory, kde vykonal 221 pridanie a 0 odobranie
  1. 5 0
      .gitignore
  2. 1 0
      .terraform-version
  3. 4 0
      main.tf
  4. 168 0
      security.tf
  5. 17 0
      test/main.tf
  6. 26 0
      variables.tf

+ 5 - 0
.gitignore

@@ -0,0 +1,5 @@
+.terraform/*
+test/.terraform/*
+Gemfile.lock
+ansible/*.retry
+ansible/roles/*

+ 1 - 0
.terraform-version

@@ -0,0 +1 @@
+0.12.0-beta2

+ 4 - 0
main.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  region  = "${var.region}"
+  profile = "${var.profile}"
+}
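Review bot: The provider block wraps plain variable references in interpolation-only strings (`region  = "${var.region}"`, `profile = "${var.profile}"`), which the 0.12 toolchain pinned in `.terraform-version` reports as deprecated; the bare form `region  = var.region` / `profile = var.profile` is what `security.tf` already uses for `cidr_blocks`, so the module mixes both styles. Separately, this file sits in the module root that `test/main.tf` consumes via `source = "../"`, so the provider is declared in a child module and again in the caller; if the intent is for callers to supply the provider, consider documenting that with a comment such as `# Provider is configured by the calling root module; region/profile are inputs only.` and dropping this block, or the reverse if the module is meant to stand alone.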

+ 168 - 0
security.tf

@@ -0,0 +1,168 @@
+resource "aws_security_group" "re" {
+  name        = "RedisEnterprise"
+  description = "Redis Enterprise Security Group"
+  vpc_id      = "${var.vpc-id}"
+  ###############################################################################
+  #                         Ingress
+  ###############################################################################
+  # SSH Internal
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # SSH External
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.open-nets
+  }
+
+  ###############################################################################
+  #                         Redis Enterprise Specific
+  # https://docs.redislabs.com/latest/rs/administering/designing-production/networking/port-configurations
+  ###############################################################################
+
+  # 	For connectivity checking between nodes
+  ingress {
+    from_port   = -1
+    to_port     = -1
+    protocol    = "icmp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # Internal cluster usage
+  ingress {
+    from_port   = 3333
+    to_port     = 3339
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  ingress {
+    from_port   = 36379
+    to_port     = 36380
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # For application to access the RS Discovery Service
+  ingress {
+    from_port   = 8001
+    to_port     = 8001
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # For secure (https) access to the management web UI
+  ingress {
+    from_port   = 8443
+    to_port     = 8443
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # For nginx <->cnm_http/cm communications on the same host only. Ports are bound to loopback adapter.
+  ingress {
+    from_port   = 8444
+    to_port     = 8444
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+  ingress {
+    from_port   = 9080
+    to_port     = 9080
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # For CRDB management
+  ingress {
+    from_port   = 9081
+    to_port     = 9081
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # For metrics exported and managed by nginx
+  ingress {
+    from_port   = 8070
+    to_port     = 8071
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # Used to expose the REST API, including cluster management and node bootstrap
+  ingress {
+    from_port   = 8080
+    to_port     = 8080
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+  ingress {
+    from_port   = 9443
+    to_port     = 9443
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # For exposing databases externally
+  ingress {
+    from_port   = 10000
+    to_port     = 19999
+    protocol    = "tcp"
+    cidr_blocks = var.open-nets
+  }
+
+  # For internal communications with database shards
+  ingress {
+    from_port   = 20000
+    to_port     = 29999
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  # For accessing DNS/mDNS functionality in the cluster
+  ingress {
+    from_port   = 53
+    to_port     = 53
+    protocol    = "udp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  ingress {
+    from_port   = 5353
+    to_port     = 5353
+    protocol    = "udp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  ###############################################################################
+  #                         Egress
+  ###############################################################################
+
+  egress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = -1
+    to_port     = -1
+    protocol    = "icmp"
+    cidr_blocks = [var.vpc-cidr]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "udp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+}
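Review bot: The security group never applies `var.common-tags`, although the variable is declared in `variables.tf` and populated by `test/main.tf`, so the resource lands untagged; add `tags = var.common-tags` next to `vpc_id`. The comment above the 8444 rule states those ports are bound to the loopback adapter, yet the 8444 and 9080 ingress blocks open them to the whole VPC CIDR — if the loopback statement is accurate the two rules add reachable surface for no purpose and should be removed, otherwise the comment should be corrected to say what actually listens there. The `vpc_id = "${var.vpc-id}"` line uses the deprecated interpolation-only form while every `cidr_blocks` in the same resource uses bare `var.` references; `vpc_id = var.vpc-id` keeps the file consistent. Both egress rules to `0.0.0.0/0` cover every TCP and UDP port; that may be intentional for package installs and cluster traffic, but a short comment stating why unrestricted egress is required would help a later reviewer distinguish design from oversight.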

+ 17 - 0
test/main.tf

@@ -0,0 +1,17 @@
+provider "aws" {
+  region  = "us-east-1"
+  profile = "redislabs"
+}
+
+module "mymodule" {
+  source   = "../"
+  profile  = "redislabs"
+  region   = "us-east-1"
+  open-nets = ["192.168.0.127/32"]
+  vpc-cidr = "10.0.0.0/16"
+  vpc-id = "vpc-12345678"
+  common-tags = {
+    "Owner"   = "maguec"
+    "Project" = "example"
+  }
+}

+ 26 - 0
variables.tf

@@ -0,0 +1,26 @@
+
+variable "profile" {
+  description = "The AWS profile to use"
+}
+
+variable "region" {
+  description = "The AWS region to run in"
+}
+
+variable "common-tags" {
+  type        = map(string)
+  description = "Tags that go everywhere"
+}
+
+variable "open-nets" {
+  type        = list
+  description = "CIDRs that will have access to everything"
+}
+
+variable "vpc-cidr" {
+  description = "The CIDR of the VPC"
+}
+
+variable "vpc-id" {
+  description = "The ID of the VPC"
+}
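Review bot: `variable "open-nets"` is declared with the bare legacy type `list`, which under 0.12 is only a deprecated alias and leaves the element type unconstrained; `type = list(string)` matches how `common-tags` is already typed and lets Terraform reject non-CIDR values early. Its description, "CIDRs that will have access to everything", overstates what `security.tf` grants — those networks reach only SSH and the 10000–19999 database range — so a description like `"CIDRs allowed to reach SSH and the externally exposed database port range"` would describe the actual exposure. The remaining variables have no `type`, so a caller could pass a non-string for `vpc-cidr` or `vpc-id` without a validation error; adding `type = string` to each is a small hardening step.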