##############################################################################
# Security Group Locals
##############################################################################
locals {
  # Both maps are produced by the dynamic_values module; their keys become
  # the for_each keys of the security group and rule resources below.
  security_group_rules_map = module.dynamic_values.security_group_rules_map
  security_group_map       = module.dynamic_values.security_group_map
}
##############################################################################
##############################################################################
# Security Group
##############################################################################
resource "ibm_is_security_group" "security_group" {
  # One security group per entry of the map built in locals.
  for_each = local.security_group_map

  vpc         = each.value.vpc_id
  name        = each.value.name
  tags        = var.tags
  access_tags = each.value.access_tags
  # Resolve the resource group name to its ID only when a name is given;
  # a null name is passed through as null.
  resource_group = each.value.resource_group != null ? local.resource_groups[each.value.resource_group] : null
}
##############################################################################
##############################################################################
# Security Group Rules
##############################################################################
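resource "ibm_is_security_group_rule" "security_group_rules" {
  # One rule per entry of the rules map. `sg_name` must match a key of
  # local.security_group_map, since it indexes the security group resource.
  for_each  = local.security_group_rules_map
  group     = ibm_is_security_group.security_group[each.value.sg_name].id
  direction = each.value.direction
  # `source` is the remote peer for both directions: the origin for inbound
  # rules and the destination for outbound rules.
  remote = each.value.source

  # NOTE(review): a rule whose icmp, tcp and udp objects are all null (or all
  # keys null) is created with no protocol block at all. Presumably the
  # provider then treats it as matching every protocol — confirm against the
  # provider documentation before relying on it as a restriction.

  ##############################################################################
  # Dynamically create ICMP Block
  ##############################################################################
  dynamic "icmp" {
    # Emit the block only when the rule has an icmp object with at least one of
    # `type` / `code` set. A null icmp object, or one where both keys are null,
    # yields an empty list and therefore no block. This allows the optional
    # variable in landing zone patterns to be converted to a single typed list
    # by adding 'null' as the value.
    for_each = (each.value.icmp == null ? [] : length([for value in ["type", "code"] : true if lookup(each.value["icmp"], value, null) == null]) == 2 ? [] : [each.value])
    # Conditionally add content if sg has icmp
    content {
      type = lookup(each.value["icmp"], "type", null)
      code = lookup(each.value["icmp"], "code", null)
    }
  }
  ##############################################################################

  ##############################################################################
  # Dynamically create TCP Block
  ##############################################################################
  dynamic "tcp" {
    # Emit the block only when the rule has a tcp object with at least one of
    # `port_min` / `port_max` set. A null tcp object, or one where both keys
    # are null, yields an empty list and therefore no block. This allows the
    # optional variable in landing zone patterns to be converted to a single
    # typed list by adding 'null' as the value.
    # The default behavior will be to set 'null' 'port_min' values to 1 if null
    # and 'port_max' to 65535 if null.
    # Because the block is still emitted when only ONE bound is set, the null
    # bound falls back to that default and widens the rule to a whole range
    # (e.g. port_min = 443 with port_max = null becomes 443-65535). Set both
    # bounds explicitly for a single port.
    for_each = (each.value.tcp == null ? [] : length([for value in ["port_min", "port_max"] : true if lookup(each.value["tcp"], value, null) == null]) == 2 ? [] : [each.value])
    # Conditionally adds content if sg has tcp
    content {
      port_min = lookup(each.value["tcp"], "port_min", null)
      port_max = lookup(each.value["tcp"], "port_max", null)
    }
  }
  ##############################################################################

  ##############################################################################
  # Dynamically create UDP Block
  ##############################################################################
  dynamic "udp" {
    # Emit the block only when the rule has a udp object with at least one of
    # `port_min` / `port_max` set. A null udp object, or one where both keys
    # are null, yields an empty list and therefore no block. This allows the
    # optional variable in landing zone patterns to be converted to a single
    # typed list by adding 'null' as the value.
    # The default behavior will be to set 'null' 'port_min' values to 1 if null
    # and 'port_max' to 65535 if null.
    # As with tcp, a single null bound widens the rule to a whole port range;
    # set both bounds explicitly for a single port.
    for_each = (each.value.udp == null ? [] : length([for value in ["port_min", "port_max"] : true if lookup(each.value["udp"], value, null) == null]) == 2 ? [] : [each.value])
    # Conditionally adds content if sg has udp
    content {
      port_min = lookup(each.value["udp"], "port_min", null)
      port_max = lookup(each.value["udp"], "port_max", null)
    }
  }
  ##############################################################################
}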
##############################################################################