
update with all necessary variables

Chris Mague il y a 5 ans
Parent
commit
d8835165c2
2 fichiers modifiés avec 161 ajouts et 10 suppressions
  1. 17 8
      security.tf
  2. 144 2
      variables.tf

+ 17 - 8
security.tf

@@ -5,13 +5,23 @@ resource "aws_security_group" "re" {
   tags        = merge({ Name = "RedisEnterprise-${var.vpc-name}" }, var.common-tags)
 }
 
-resource "aws_security_group_rule" "variable_rule" {
-  count             = length(var.netrules)
-  type              = "${lookup(var.netrules[count.index], "type")}"
-  from_port         = "${lookup(var.netrules[count.index], "from_port")}"
-  to_port           = "${lookup(var.netrules[count.index], "to_port")}"
-  protocol          = "${lookup(var.netrules[count.index], "protocol")}"
-  cidr_blocks       = "${lookup(var.netrules[count.index], "cidr")}"
+resource "aws_security_group_rule" "internal_rules" {
+  count             = length(var.internal-rules)
+  type              = "${lookup(var.internal-rules[count.index], "type")}"
+  from_port         = "${lookup(var.internal-rules[count.index], "from_port")}"
+  to_port           = "${lookup(var.internal-rules[count.index], "to_port")}"
+  protocol          = "${lookup(var.internal-rules[count.index], "protocol")}"
+  cidr_blocks       = [var.vpc-cidr]
+  security_group_id = "${aws_security_group.re.id}"
+}
+
+resource "aws_security_group_rule" "external_rules" {
+  count             = length(var.external-rules)
+  type              = "${lookup(var.external-rules[count.index], "type")}"
+  from_port         = "${lookup(var.external-rules[count.index], "from_port")}"
+  to_port           = "${lookup(var.external-rules[count.index], "to_port")}"
+  protocol          = "${lookup(var.external-rules[count.index], "protocol")}"
+  cidr_blocks       = "${lookup(var.external-rules[count.index], "cidr")}"
   security_group_id = "${aws_security_group.re.id}"
 }
 
@@ -23,4 +33,3 @@ resource "aws_security_group_rule" "open_nets" {
   cidr_blocks       = var.open-nets
   security_group_id = "${aws_security_group.re.id}"
 }
-
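Review bot: The `comment` field that the new rule entries carry is never consumed: internal_rules and external_rules only look up type, from_port, to_port, protocol and (for external) cidr, so the per-rule rationale is lost once the security group is deployed. Passing it through as `description = lookup(var.internal-rules[count.index], "comment", "")` (and the same for external_rules) keeps that intent visible in plans and in the AWS console, where a reviewer otherwise sees only a bare port range. Separately, both resources are indexed by `count` over a list, so inserting or removing an entry in the middle of either list shifts every later index and destroys and recreates those rules on the next apply; if the Terraform version in use supports `for_each` on resources, keying by a stable value (e.g. protocol plus port range) would avoid that churn. The hunk covers both new resources in full.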

+ 144 - 2
variables.tf

@@ -71,7 +71,8 @@ variable "flash-iops" {
   default     = "100"
   }
 
-variable "netrules" {
+variable "internal-rules" {
+  description = "Security rules to allow for connectivity within the VPC"
   type = list
   default = [
     {
@@ -79,7 +80,147 @@ variable "netrules" {
       from_port = "22"
       to_port   = "22"
       protocol  = "tcp"
-      cidr      = ["10.0.0.0/8"]
+      comment   = "SSH from VPC"
+    },
+    {
+      type = "ingress"
+      from_port = "1968"
+      to_port   = "1968"
+      protocol  = "tcp"
+      comment   = "Proxy traffic (Internal use)"
+    },
+    {
+      type = "ingress"
+      from_port = "3333"
+      to_port   = "3339"
+      protocol  = "tcp"
+      comment   = "Cluster traffic (Internal use)"
+    },
+    {
+      type = "ingress"
+      from_port = "36379"
+      to_port   = "36380"
+      protocol  = "tcp"
+      comment   = "Cluster traffic (Internal use)"
+    },
+    {
+      type = "ingress"
+      from_port = "8001"
+      to_port   = "8001"
+      protocol  = "tcp"
+      comment   = "Traffic from application to RS Discovery Service"
+    },
+    {
+      type = "ingress"
+      from_port = "8443"
+      to_port   = "8443"
+      protocol  = "tcp"
+      comment   = "Secure (HTTPS) access to the management web UI"
+    },
+    {
+      type = "ingress"
+      from_port = "8444"
+      to_port   = "8444"
+      protocol  = "tcp"
+      comment   = "nginx <-> cnm_http/cm traffic (Internal use)"
+    },
+    {
+      type = "ingress"
+      from_port = "9080"
+      to_port   = "9080"
+      protocol  = "tcp"
+      comment   = "nginx <-> cnm_http/cm traffic (Internal use)"
+    },
+    {
+      type = "ingress"
+      from_port = "9081"
+      to_port   = "9081"
+      protocol  = "tcp"
+      comment   = "For CRDB management (Internal use)"
+    },
+    {
+      type = "ingress"
+      from_port = "8070"
+      to_port   = "8071"
+      protocol  = "tcp"
+      comment   = "Prometheus metrics exporter"
+    },
+    {
+      type = "ingress"
+      from_port = "9443"
+      to_port   = "9443"
+      protocol  = "tcp"
+      comment   = "REST API traffic, including cluster management and node bootstrap"
+    },
+    {
+      type = "ingress"
+      from_port = "10000"
+      to_port   = "19999"
+      protocol  = "tcp"
+      comment   = "Database traffic - if manually creating db ports pare down"
+    },
+    {
+      type = "ingress"
+      from_port = "20000"
+      to_port   = "29999"
+      protocol  = "tcp"
+      comment   = "Database shards traffic - if manually creating db ports pare down"
+    },
+    {
+      type = "ingress"
+      from_port = "53"
+      to_port   = "53"
+      protocol  = "udp"
+      comment   = "DNS Traffic"
+    },
+    {
+      type = "ingress"
+      from_port = "5353"
+      to_port   = "5353"
+      protocol  = "udp"
+      comment   = "DNS Traffic"
+    },
+    {
+      type = "ingress"
+      from_port = "-1"
+      to_port   = "-1"
+      protocol  = "icmp"
+      comment   = "Ping for connectivity checks between nodes"
+    },
+    {
+      type = "egress"
+      from_port = "-1"
+      to_port   = "-1"
+      protocol  = "icmp"
+      comment   = "Ping for connectivity checks between nodes"
+    },
+    {
+      type = "egress"
+      from_port = "0"
+      to_port   = "65535"
+      protocol  = "tcp"
+      comment   = "Let TCP out to the VPC"
+    },
+    {
+      type = "egress"
+      from_port = "0"
+      to_port   = "65535"
+      protocol  = "udp"
+      comment   = "Let UDP out to the VPC"
+    },
+    ]
+  }
+
+variable "external-rules" {
+  description = "Security rules to allow for connectivity external to the VPC"
+  type = list
+  default = [
+    {
+      type = "ingress"
+      from_port = "53"
+      to_port   = "53"
+      protocol  = "udp"
+      cidr      = ["0.0.0.0/0"]
     },
     {
       type = "egress"
@@ -97,3 +238,4 @@ variable "netrules" {
     }
     ]
   }
+
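Review bot: The default for external-rules opens ingress udp/53 with `cidr = ["0.0.0.0/0"]` (the first entry in that list), which exposes the cluster's DNS listener to every source address rather than to the resolver or client ranges that actually need it; as a module default this is what every consumer inherits unless they override it. If inbound DNS is only required so clients can resolve database endpoints through the cluster, the default should be narrowed to those ranges, or at minimum the entry should carry a `comment` like the internal rules do, explaining why unrestricted inbound DNS is intended. The comments on the 10000-19999 and 20000-29999 entries already advise paring them down, so stating in each variable's `description` that the defaults are deliberately permissive would make that expectation visible to consumers. The default list for external-rules continues past the hunk, and the trailing hunk adds only a blank line.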