s3 sftp

2025-06-26 12:46:02 +02:00
parent 424a6d92b1
commit 624b174278
6 changed files with 211 additions and 235 deletions
--- a/databases/aws-rds/main.tf
+++ b/databases/aws-rds/main.tf
@@ -50,96 +50,6 @@ locals {
 }


-module "fw-ips" {
-    source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//databases/firewall_ips"
-}
-
-module "security_group_2" {
-  
-  # SGs created here as Ports differ per Engine. Only Azure Firewall IPs added for now.
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.3"
-
-  name        = "${var.provision_id}-SG2"
-  description = "${var.provision_id}-SG2"
-  vpc_id      = local.vpc_id
-
-
-  # ingress
-
-  ingress_cidr_blocks = module.fw-ips.cidr_blocks_others
-  
-
-  ingress_with_cidr_blocks = [
-    {
-      from_port   = local.port
-      to_port     = local.port
-      protocol    = "tcp"
-      description = "RDS"
-
-    },
-  ]
-
-  # egress
-
-  egress_cidr_blocks = module.fw-ips.cidr_blocks_others
-
-  egress_with_cidr_blocks = [
-    {
-      from_port   = local.port
-      to_port     = local.port
-      protocol    = "tcp"
-      description = "RDS"
-
-    },
-  ]
-
-  tags = local.tags
-}
-
-module "security_group" {
-  
-  # SGs created here as Ports differ per Engine. Only Azure Firewall IPs added for now.
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.3"
-
-  name        = "${var.provision_id}-SG"
-  description = "${var.provision_id}-SG"
-  vpc_id      = local.vpc_id
-
-
-  # ingress
-
-  ingress_cidr_blocks = module.fw-ips.cidr_blocks
-  
-
-  ingress_with_cidr_blocks = [
-    {
-      from_port   = local.port
-      to_port     = local.port
-      protocol    = "tcp"
-      description = "RDS"
-
-    },
-  ]
-
-  # egress
-
-  egress_cidr_blocks = module.fw-ips.cidr_blocks
-
-  egress_with_cidr_blocks = [
-    {
-      from_port   = local.port
-      to_port     = local.port
-      protocol    = "tcp"
-      description = "RDS"
-
-    },
-  ]
-
-  tags = local.tags
-}
-
 module "common_rds_instance" {
  source  = "terraform-aws-modules/rds/aws"
  version = "= 6.1.1"
@@ -167,8 +77,8 @@ module "common_rds_instance" {
  multi_az               = false
  subnet_ids             = local.subnet_ids
  vpc_security_group_ids = [
-    module.security_group.security_group_id,
-    module.security_group_2.security_group_id
+    aws_security_group.allow_tls.id,
+    aws_security_group.allow_tls_2.id
  ]
  publicly_accessible    = true

@@ -280,8 +190,8 @@ module "aurora_rds_instance" {
  subnets                = local.subnet_ids
  create_security_group  = false
  vpc_security_group_ids = [
-      module.security_group.security_group_id,
-      module.security_group_2.security_group_id
+      aws_security_group.allow_tls.id,
+      aws_security_group.allow_tls_2.id
  ]
  port                   = local.port
  publicly_accessible    = true
--- a/databases/aws-rds/sec_groups.tf
+++ b/databases/aws-rds/sec_groups.tf
@@ -0,0 +1,69 @@
+module "fw-ips" {
+    source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//databases/firewall_ips"
+}
+
+resource "aws_security_group" "allow_tls" {
+  name        = "${var.provision_id}-SG"
+  description = "${var.provision_id}-SG"
+  vpc_id      = local.vpc_id
+
+  tags = local.tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
+  for_each = toset(module.fw-ips.cidr_blocks)
+  
+  security_group_id = aws_security_group.allow_tls.id
+
+  cidr_ipv4         = each.key
+  from_port         = local.port
+  ip_protocol       = "tcp"
+  to_port           = local.port
+  description = "dbport"
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4" {
+
+  for_each = toset(module.fw-ips.cidr_blocks)
+
+  security_group_id = aws_security_group.allow_tls.id
+
+  cidr_ipv4   = each.key
+  from_port   = local.port
+  ip_protocol = "tcp"
+  to_port     = local.port
+  description = "dbport"
+}
+
+resource "aws_security_group" "allow_tls_2" {
+  name        = "${var.provision_id}-SG2"
+  description = "${var.provision_id}-SG2"
+  vpc_id      = local.vpc_id
+
+  tags = local.tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4_2" {
+  for_each = toset(module.fw-ips.cidr_blocks_others)
+  
+  security_group_id = aws_security_group.allow_tls_2.id
+
+  cidr_ipv4         = each.key
+  from_port         = local.port
+  ip_protocol       = "tcp"
+  to_port           = local.port
+  description = "Others - dbport"
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv_2" {
+
+  for_each = toset(module.fw-ips.cidr_blocks_others)
+
+  security_group_id = aws_security_group.allow_tls_2.id
+
+  cidr_ipv4   = each.key
+  from_port   = local.port
+  ip_protocol = "tcp"
+  to_port     = local.port
+  description = "Others - dbport"
+}
--- a/databases/aws-redshift/main.tf
+++ b/databases/aws-redshift/main.tf
@@ -40,76 +40,6 @@ locals {
  }
 }

-module "fw-ips" {
-    source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//databases/firewall_ips"
-}
-
-resource "aws_security_group" "allow_tls" {
-  name        = "${var.provision_id}-SG"
-  description = "${var.provision_id}-SG"
-  vpc_id      = local.vpc_id
-
-  tags = local.tags
-}
-
-resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
-  for_each = toset(module.fw-ips.cidr_blocks)
-  
-  security_group_id = aws_security_group.allow_tls.id
-
-  cidr_ipv4         = each.key
-  from_port         = local.port
-  ip_protocol       = "tcp"
-  to_port           = local.port
-  description = "Redshift"
-}
-
-resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4" {
-
-  for_each = toset(module.fw-ips.cidr_blocks)
-
-  security_group_id = aws_security_group.allow_tls.id
-
-  cidr_ipv4   = each.key
-  from_port   = local.port
-  ip_protocol = "tcp"
-  to_port     = local.port
-  description = "Redshift"
-}
-
-resource "aws_security_group" "allow_tls_2" {
-  name        = "${var.provision_id}-SG2"
-  description = "${var.provision_id}-SG2"
-  vpc_id      = local.vpc_id
-
-  tags = local.tags
-}
-
-resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4_2" {
-  for_each = toset(module.fw-ips.cidr_blocks_others)
-  
-  security_group_id = aws_security_group.allow_tls_2.id
-
-  cidr_ipv4         = each.key
-  from_port         = local.port
-  ip_protocol       = "tcp"
-  to_port           = local.port
-  description = "Redshift - Others"
-}
-
-resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv_2" {
-
-  for_each = toset(module.fw-ips.cidr_blocks_others)
-
-  security_group_id = aws_security_group.allow_tls_2.id
-
-  cidr_ipv4   = each.key
-  from_port   = local.port
-  ip_protocol = "tcp"
-  to_port     = local.port
-  description = "Redshift - Others"
-}
-
 module "qmi-s3-bucket" {

  source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//s3-bucket"
--- a/databases/aws-redshift/sec_groups.tf
+++ b/databases/aws-redshift/sec_groups.tf
@@ -0,0 +1,69 @@
+module "fw-ips" {
+    source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//databases/firewall_ips"
+}
+
+resource "aws_security_group" "allow_tls" {
+  name        = "${var.provision_id}-SG"
+  description = "${var.provision_id}-SG"
+  vpc_id      = local.vpc_id
+
+  tags = local.tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
+  for_each = toset(module.fw-ips.cidr_blocks)
+  
+  security_group_id = aws_security_group.allow_tls.id
+
+  cidr_ipv4         = each.key
+  from_port         = local.port
+  ip_protocol       = "tcp"
+  to_port           = local.port
+  description = "dbport"
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4" {
+
+  for_each = toset(module.fw-ips.cidr_blocks)
+
+  security_group_id = aws_security_group.allow_tls.id
+
+  cidr_ipv4   = each.key
+  from_port   = local.port
+  ip_protocol = "tcp"
+  to_port     = local.port
+  description = "dbport"
+}
+
+resource "aws_security_group" "allow_tls_2" {
+  name        = "${var.provision_id}-SG2"
+  description = "${var.provision_id}-SG2"
+  vpc_id      = local.vpc_id
+
+  tags = local.tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4_2" {
+  for_each = toset(module.fw-ips.cidr_blocks_others)
+  
+  security_group_id = aws_security_group.allow_tls_2.id
+
+  cidr_ipv4         = each.key
+  from_port         = local.port
+  ip_protocol       = "tcp"
+  to_port           = local.port
+  description = "Others - dbport"
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv_2" {
+
+  for_each = toset(module.fw-ips.cidr_blocks_others)
+
+  security_group_id = aws_security_group.allow_tls_2.id
+
+  cidr_ipv4   = each.key
+  from_port   = local.port
+  ip_protocol = "tcp"
+  to_port     = local.port
+  description = "Others - dbport"
+}
--- a/s3-bucket-sftp/main.tf
+++ b/s3-bucket-sftp/main.tf
@@ -42,10 +42,6 @@ resource "aws_secretsmanager_secret_version" "private_key" {
  secret_string = nonsensitive(tls_private_key.sftp-key.private_key_pem)
 }

-module "fw-ips" {
-    source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//databases/firewall_ips"
-}
-
 locals {

  port                 = "22"
@@ -146,73 +142,6 @@ resource "aws_transfer_server" "sftp" {
  tags = local.tags
 }

-resource "aws_security_group" "allow_tls" {
-  name        = "${var.provision_id}-SG"
-  description = "${var.provision_id}-SG-SFTP"
-  vpc_id      = var.vpc_id
-
-  tags = local.tags
-}
-
-resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
-  for_each = toset(module.fw-ips.cidr_blocks)
-  
-  security_group_id = aws_security_group.allow_tls.id
-
-  cidr_ipv4         = each.key
-  from_port         = local.port
-  ip_protocol       = "tcp"
-  to_port           = local.port
-  description = "Allow SFTP Inbound"
-}
-
-resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4" {
-
-  for_each = toset(module.fw-ips.cidr_blocks)
-
-  security_group_id = aws_security_group.allow_tls.id
-
-  cidr_ipv4   = each.key
-  from_port   = local.port
-  ip_protocol = "tcp"
-  to_port     = local.port
-  description = "Allow SFTP outbound"
-}
-
-resource "aws_security_group" "allow_tls_2" {
-  name        = "${var.provision_id}-SG2"
-  description = "${var.provision_id}-SG2-SFTP"
-  vpc_id      = var.vpc_id
-
-  tags = local.tags
-}
-
-resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4_2" {
-  for_each = toset(module.fw-ips.cidr_blocks_others)
-  
-  security_group_id = aws_security_group.allow_tls_2.id
-
-  cidr_ipv4         = each.key
-  from_port         = local.port
-  ip_protocol       = "tcp"
-  to_port           = local.port
-  description = "Others - Allow SFTP Inbound"
-}
-
-resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4_2" {
-
-  for_each = toset(module.fw-ips.cidr_blocks_others)
-
-  security_group_id = aws_security_group.allow_tls_2.id
-
-  cidr_ipv4   = each.key
-  from_port   = local.port
-  ip_protocol = "tcp"
-  to_port     = local.port
-  description = "Others - Allow SFTP outbound"
-}
-
-
 resource "aws_iam_role" "user" {
  for_each           = var.sftp_users
  name               = "${var.provision_id}-sftp-user-${each.key}"
--- a/s3-bucket-sftp/sec_groups.tf
+++ b/s3-bucket-sftp/sec_groups.tf
@@ -0,0 +1,69 @@
+module "fw-ips" {
+    source = "git::https://gitlab.com/qmi/qmi-cloud-tf-modules.git//databases/firewall_ips"
+}
+
+resource "aws_security_group" "allow_tls" {
+  name        = "${var.provision_id}-SG"
+  description = "${var.provision_id}-SG"
+  vpc_id      = var.vpc_id
+
+  tags = local.tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4" {
+  for_each = toset(module.fw-ips.cidr_blocks)
+  
+  security_group_id = aws_security_group.allow_tls.id
+
+  cidr_ipv4         = each.key
+  from_port         = local.port
+  ip_protocol       = "tcp"
+  to_port           = local.port
+  description = "dbport"
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv4" {
+
+  for_each = toset(module.fw-ips.cidr_blocks)
+
+  security_group_id = aws_security_group.allow_tls.id
+
+  cidr_ipv4   = each.key
+  from_port   = local.port
+  ip_protocol = "tcp"
+  to_port     = local.port
+  description = "dbport"
+}
+
+resource "aws_security_group" "allow_tls_2" {
+  name        = "${var.provision_id}-SG2"
+  description = "${var.provision_id}-SG2"
+  vpc_id      = var.vpc_id
+
+  tags = local.tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "allow_tls_ipv4_2" {
+  for_each = toset(module.fw-ips.cidr_blocks_others)
+  
+  security_group_id = aws_security_group.allow_tls_2.id
+
+  cidr_ipv4         = each.key
+  from_port         = local.port
+  ip_protocol       = "tcp"
+  to_port           = local.port
+  description = "Others - dbport"
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_tls_ipv_2" {
+
+  for_each = toset(module.fw-ips.cidr_blocks_others)
+
+  security_group_id = aws_security_group.allow_tls_2.id
+
+  cidr_ipv4   = each.key
+  from_port   = local.port
+  ip_protocol = "tcp"
+  to_port     = local.port
+  description = "Others - dbport"
+}