|
|
@@ -3,167 +3,24 @@ resource "aws_security_group" "re" {
|
|
|
description = "Redis Enterprise Security Group"
|
|
|
vpc_id = "${var.vpc-id}"
|
|
|
tags = merge({ Name = "RedisEnterprise-${var.vpc-name}" }, var.common-tags)
|
|
|
- ###############################################################################
|
|
|
- # Ingress
|
|
|
- ###############################################################################
|
|
|
- # SSH Internal
|
|
|
- ingress {
|
|
|
- from_port = 22
|
|
|
- to_port = 22
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # SSH External
|
|
|
- ingress {
|
|
|
- from_port = 22
|
|
|
- to_port = 22
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = var.open-nets
|
|
|
- }
|
|
|
-
|
|
|
- ###############################################################################
|
|
|
- # Redis Enterprise Specific
|
|
|
- # https://docs.redislabs.com/latest/rs/administering/designing-production/networking/port-configurations
|
|
|
- ###############################################################################
|
|
|
-
|
|
|
- # For connectivity checking between nodes
|
|
|
- ingress {
|
|
|
- from_port = -1
|
|
|
- to_port = -1
|
|
|
- protocol = "icmp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # Internal cluster usage
|
|
|
- ingress {
|
|
|
- from_port = 3333
|
|
|
- to_port = 3339
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- ingress {
|
|
|
- from_port = 36379
|
|
|
- to_port = 36380
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # For application to access the RS Discovery Service
|
|
|
- ingress {
|
|
|
- from_port = 8001
|
|
|
- to_port = 8001
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # For secure (https) access to the management web UI
|
|
|
- ingress {
|
|
|
- from_port = 8443
|
|
|
- to_port = 8443
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = var.open-nets
|
|
|
- }
|
|
|
-
|
|
|
- # For nginx <->cnm_http/cm communications on the same host only. Ports are bound to loopback adapter.
|
|
|
- ingress {
|
|
|
- from_port = 8444
|
|
|
- to_port = 8444
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
- ingress {
|
|
|
- from_port = 9080
|
|
|
- to_port = 9080
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # For CRDB management
|
|
|
- ingress {
|
|
|
- from_port = 9081
|
|
|
- to_port = 9081
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # For metrics exported and managed by nginx
|
|
|
- ingress {
|
|
|
- from_port = 8070
|
|
|
- to_port = 8071
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # Used to expose the REST API, including cluster management and node bootstrap
|
|
|
- ingress {
|
|
|
- from_port = 8080
|
|
|
- to_port = 8080
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
- ingress {
|
|
|
- from_port = 9443
|
|
|
- to_port = 9443
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # For exposing databases externally
|
|
|
- ingress {
|
|
|
- from_port = 10000
|
|
|
- to_port = 19999
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = var.open-nets
|
|
|
- }
|
|
|
-
|
|
|
- # For internal communications with database shards
|
|
|
- ingress {
|
|
|
- from_port = 20000
|
|
|
- to_port = 29999
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- # For accessing DNS/mDNS functionality in the cluster
|
|
|
- ingress {
|
|
|
- from_port = 53
|
|
|
- to_port = 53
|
|
|
- protocol = "udp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- ingress {
|
|
|
- from_port = 5353
|
|
|
- to_port = 5353
|
|
|
- protocol = "udp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
-
|
|
|
- ###############################################################################
|
|
|
- # Egress
|
|
|
- ###############################################################################
|
|
|
-
|
|
|
- egress {
|
|
|
- from_port = 0
|
|
|
- to_port = 65535
|
|
|
- protocol = "tcp"
|
|
|
- cidr_blocks = ["0.0.0.0/0"]
|
|
|
- }
|
|
|
-
|
|
|
- egress {
|
|
|
- from_port = -1
|
|
|
- to_port = -1
|
|
|
- protocol = "icmp"
|
|
|
- cidr_blocks = [var.vpc-cidr]
|
|
|
- }
|
|
|
+}
|
|
|
|
|
|
- egress {
|
|
|
- from_port = 0
|
|
|
- to_port = 65535
|
|
|
- protocol = "udp"
|
|
|
- cidr_blocks = ["0.0.0.0/0"]
|
|
|
- }
|
|
|
+resource "aws_security_group_rule" "variable_rule" {
|
|
|
+ count = length(var.netrules)
|
|
|
+ type = "${lookup(var.netrules[count.index], "type")}"
|
|
|
+ from_port = "${lookup(var.netrules[count.index], "from_port")}"
|
|
|
+ to_port = "${lookup(var.netrules[count.index], "to_port")}"
|
|
|
+ protocol = "${lookup(var.netrules[count.index], "protocol")}"
|
|
|
+ cidr_blocks = "${lookup(var.netrules[count.index], "cidr")}"
|
|
|
+ security_group_id = "${aws_security_group.re.id}"
|
|
|
+}
|
|
|
|
|
|
+resource "aws_security_group_rule" "open_nets" {
|
|
|
+ type = "ingress"
|
|
|
+ from_port = "0"
|
|
|
+ to_port = "65535"
|
|
|
+ protocol = "all"
|
|
|
+ cidr_blocks = var.open-nets
|
|
|
+ security_group_id = "${aws_security_group.re.id}"
|
|
|
}
|
|
|
+
|
Chris Mague