ensure we set open nets correctly

provisioning.tf

@@ -24,7 +24,7 @@ data "template_file" "ansible_inventory" {
     vpc_name = "${var.vpc-name}"
     ncount   = "${count.index}"
   }
-  depends_on = ["aws_instance.re", "aws_eip_association.re-eip-assoc"]
+  depends_on = ["aws_instance.re", "aws_eip_association.re-eip-assoc", "aws_volume_attachment.re-ephemeral"]
 }
 
 data "template_file" "ssh_config" {
@@ -32,7 +32,7 @@ data "template_file" "ssh_config" {
   vars = {
     vpc_name = "${var.vpc-name}"
   }
-  depends_on = ["aws_instance.re", "aws_eip_association.re-eip-assoc"]
+  depends_on = ["aws_instance.re", "aws_eip_association.re-eip-assoc", "aws_volume_attachment.re-ephemeral"]
 }
 
 ###############################################################################

security.tf

@@ -3,167 +3,24 @@ resource "aws_security_group" "re" {
   description = "Redis Enterprise Security Group"
   vpc_id      = "${var.vpc-id}"
   tags        = merge({ Name = "RedisEnterprise-${var.vpc-name}" }, var.common-tags)
-  ###############################################################################
-  #                         Ingress
-  ###############################################################################
-  # SSH Internal
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # SSH External
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = var.open-nets
-  }
-
-  ###############################################################################
-  #                         Redis Enterprise Specific
-  # https://docs.redislabs.com/latest/rs/administering/designing-production/networking/port-configurations
-  ###############################################################################
-
-  # 	For connectivity checking between nodes
-  ingress {
-    from_port   = -1
-    to_port     = -1
-    protocol    = "icmp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # Internal cluster usage
-  ingress {
-    from_port   = 3333
-    to_port     = 3339
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  ingress {
-    from_port   = 36379
-    to_port     = 36380
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # For application to access the RS Discovery Service
-  ingress {
-    from_port   = 8001
-    to_port     = 8001
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # For secure (https) access to the management web UI
-  ingress {
-    from_port   = 8443
-    to_port     = 8443
-    protocol    = "tcp"
-    cidr_blocks = var.open-nets
-  }
-
-  # For nginx <->cnm_http/cm communications on the same host only. Ports are bound to loopback adapter.
-  ingress {
-    from_port   = 8444
-    to_port     = 8444
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-  ingress {
-    from_port   = 9080
-    to_port     = 9080
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # For CRDB management
-  ingress {
-    from_port   = 9081
-    to_port     = 9081
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # For metrics exported and managed by nginx
-  ingress {
-    from_port   = 8070
-    to_port     = 8071
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # Used to expose the REST API, including cluster management and node bootstrap
-  ingress {
-    from_port   = 8080
-    to_port     = 8080
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-  ingress {
-    from_port   = 9443
-    to_port     = 9443
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # For exposing databases externally
-  ingress {
-    from_port   = 10000
-    to_port     = 19999
-    protocol    = "tcp"
-    cidr_blocks = var.open-nets
-  }
-
-  # For internal communications with database shards
-  ingress {
-    from_port   = 20000
-    to_port     = 29999
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  # For accessing DNS/mDNS functionality in the cluster
-  ingress {
-    from_port   = 53
-    to_port     = 53
-    protocol    = "udp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  ingress {
-    from_port   = 5353
-    to_port     = 5353
-    protocol    = "udp"
-    cidr_blocks = [var.vpc-cidr]
-  }
-
-  ###############################################################################
-  #                         Egress
-  ###############################################################################
-
-  egress {
-    from_port   = 0
-    to_port     = 65535
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = -1
-    to_port     = -1
-    protocol    = "icmp"
-    cidr_blocks = [var.vpc-cidr]
-  }
+}
 
-  egress {
-    from_port   = 0
-    to_port     = 65535
-    protocol    = "udp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_security_group_rule" "variable_rule" {
+  count             = length(var.netrules)
+  type              = "${lookup(var.netrules[count.index], "type")}"
+  from_port         = "${lookup(var.netrules[count.index], "from_port")}"
+  to_port           = "${lookup(var.netrules[count.index], "to_port")}"
+  protocol          = "${lookup(var.netrules[count.index], "protocol")}"
+  cidr_blocks       = "${lookup(var.netrules[count.index], "cidr")}"
+  security_group_id = "${aws_security_group.re.id}"
+}
 
+resource "aws_security_group_rule" "open_nets" {
+  type              = "ingress"
+  from_port         = "0"
+  to_port           = "65535"
+  protocol          = "all"
+  cidr_blocks       = var.open-nets
+  security_group_id = "${aws_security_group.re.id}"
 }
+

variables.tf

@@ -15,6 +15,7 @@ variable "common-tags" {
 variable "open-nets" {
   type        = list
   description = "CIDRs that will have access to everything"
+  default = []
 }
 
 variable "vpc-cidr" {
@@ -53,3 +54,30 @@ variable "re-volume-size" {
   description = "The size of the two volumes to attach"
   default     = "150"
 }
+
+variable "netrules" {
+  type = list
+  default = [
+    {
+      type = "ingress"
+      from_port = "22"
+      to_port   = "22"
+      protocol  = "tcp"
+      cidr      = ["10.0.0.0/8"]
+    },
+    {
+      type = "egress"
+      from_port = "0"
+      to_port   = "65535"
+      protocol  = "tcp"
+      cidr      = ["0.0.0.0/0"]
+    },
+    {
+      type = "egress"
+      from_port = "0"
+      to_port   = "65535"
+      protocol  = "udp"
+      cidr      = ["0.0.0.0/0"]
+    }
+    ]
+  }