# Minimum Terraform core version for this module. The "${...}" interpolation
# and map()/format() helpers used below are 0.11-era syntax; moving past this
# floor (0.12+) presumably needs the upgrade tooling - confirm before raising it.
terraform {
  required_version = ">= 0.11.5"
}
# https://www.consul.io/docs/agent/options.html#ports
#
# Container group that every per-port rule in this file attaches to. The group
# itself opens nothing; its effective exposure is the union of the
# aws_security_group_rule resources below, so auditing reachability means
# reading those rules, not this block.
# `var.create` gates the whole module: false gives count = 0 and no group.
resource "aws_security_group" "consul_client" {
  count = "${var.create ? 1 : 0}"

  vpc_id      = "${var.vpc_id}"
  name_prefix = "${var.name}-"
  description = "Security Group for ${var.name} Consul"

  # merge() gives the right-hand map precedence, so the Name tag is always
  # derived from var.name even if the caller passes its own Name in var.tags.
  tags = "${merge(var.tags, map("Name", format("%s", var.name)))}"
}
# Serf LAN (Default 8301) - TCP. This is used to handle gossip in the LAN. Required by all agents on TCP and UDP.
#
# Reachability is exactly var.cidr_blocks; the module does no further
# narrowing, so the caller decides which networks may take part in gossip.
# The rule references the counted group without an index, which relies on
# the count = 1 resource being addressable that way - presumably fine on the
# pinned 0.11 line, verify if the count expression ever changes.
resource "aws_security_group_rule" "serf_lan_tcp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "tcp"
  from_port   = 8301
  to_port     = 8301
  cidr_blocks = ["${var.cidr_blocks}"]
}
# Serf LAN (Default 8301) - UDP. This is used to handle gossip in the LAN. Required by all agents on TCP and UDP.
#
# UDP counterpart of serf_lan_tcp: same port, same source ranges. Keep the
# two in step when changing either, since gossip needs both transports.
resource "aws_security_group_rule" "serf_lan_udp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "udp"
  from_port   = 8301
  to_port     = 8301
  cidr_blocks = ["${var.cidr_blocks}"]
}
# Consul Connect Default ports - TCP
#
# Opens the 20000-20255 range for Connect sidecar proxies to var.cidr_blocks.
# NOTE(review): the resource is named "server_connect_tcp" although it lives
# in the client group; the name is kept because renaming it changes the state
# address. The range is a hard-coded assumption about the agent's
# sidecar_min_port/sidecar_max_port settings - confirm it matches the agents
# this group fronts, otherwise the rule is either too wide or too narrow.
resource "aws_security_group_rule" "server_connect_tcp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "tcp"
  from_port   = 20000
  to_port     = 20255
  cidr_blocks = ["${var.cidr_blocks}"]
}
# CLI RPC (Default 8400) - TCP. This is used by all agents to handle RPC from the CLI on TCP only.
# This is deprecated in Consul 0.8 and later - all CLI commands were changed to use the
# HTTP API and the RPC interface was completely removed.
#
# NOTE(review): per the comment above nothing listens on 8400 on a current
# agent, so this is an allow with no consumer - pure surface area. It is left
# in place because dropping the resource changes what the module provisions;
# callers on Consul 0.8+ may want to remove it deliberately.
resource "aws_security_group_rule" "cli_rpc_tcp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "tcp"
  from_port   = 8400
  to_port     = 8400
  cidr_blocks = ["${var.cidr_blocks}"]
}
# HTTP API (Default 8500) - TCP. This is used by agents to talk to the HTTP API on TCP only.
#
# 8500 is the plaintext API endpoint. Whatever ranges are in var.cidr_blocks
# can reach it directly, so this variable is the primary control on who can
# query or drive the agent over HTTP; the HTTPS rule below is the TLS variant.
resource "aws_security_group_rule" "http_api_tcp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "tcp"
  from_port   = 8500
  to_port     = 8500
  cidr_blocks = ["${var.cidr_blocks}"]
}
# HTTPS API (Default 8501) - TCP. This is used by agents to talk to the HTTPS API on TCP only.
#
# TLS variant of the API port, scoped to the same var.cidr_blocks as 8500.
# The rule is created unconditionally; whether an agent actually serves
# HTTPS on 8501 depends on its own configuration, not on this module.
resource "aws_security_group_rule" "https_api_tcp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "tcp"
  from_port   = 8501
  to_port     = 8501
  cidr_blocks = ["${var.cidr_blocks}"]
}
# DNS Interface (Default 8600) - TCP. Used to resolve DNS queries on TCP and UDP.
#
# TCP side of the DNS interface; paired with dns_interface_udp below.
# Source ranges come from var.cidr_blocks, same as every ingress rule here.
resource "aws_security_group_rule" "dns_interface_tcp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "tcp"
  from_port   = 8600
  to_port     = 8600
  cidr_blocks = ["${var.cidr_blocks}"]
}
# DNS Interface (Default 8600) - UDP. Used to resolve DNS queries on TCP and UDP.
#
# UDP side of the DNS interface; paired with dns_interface_tcp above.
# Source ranges come from var.cidr_blocks, same as every ingress rule here.
resource "aws_security_group_rule" "dns_interface_udp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "ingress"
  protocol    = "udp"
  from_port   = 8600
  to_port     = 8600
  cidr_blocks = ["${var.cidr_blocks}"]
}
# All outbound traffic - TCP.
#
# Unrestricted TCP egress: every port, every destination. This is the
# permissive default of the module, not something the caller can narrow via
# a variable in this file - tightening it means editing the rule itself.
# Only protocol "tcp" is covered; UDP egress is the separate rule below and
# no other IP protocol (e.g. ICMP) is permitted by either.
resource "aws_security_group_rule" "outbound_tcp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "egress"
  protocol    = "tcp"
  from_port   = 0
  to_port     = 65535
  cidr_blocks = ["0.0.0.0/0"]
}
# All outbound traffic - UDP.
#
# Unrestricted UDP egress, mirroring outbound_tcp: every port, every
# destination, hard-coded rather than driven by a variable. Narrowing
# egress for this group means changing this rule (and its TCP twin) directly.
resource "aws_security_group_rule" "outbound_udp" {
  count             = "${var.create ? 1 : 0}"
  security_group_id = "${aws_security_group.consul_client.id}"

  type        = "egress"
  protocol    = "udp"
  from_port   = 0
  to_port     = 65535
  cidr_blocks = ["0.0.0.0/0"]
}