AWS best practice: do not use the default VPC.
This module defines configurations for standard AWS security group rules. The pre-defined rules are:
- Prometheus/AlertManager/Node Exporter
- ClamAV
- DNS TCP/UDP
- HTTP 80/8080
- HTTPS 443/8443/9443
- Grafana
- PostgreSQL
- Redis
- SSH
- All Ingress
- All Egress
from dataclasses import dataclass
from typing import Optional, Sequence, Union

import pulumi
import pulumi_aws as aws
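# Public API. ``DefaultRuleConfig`` is exported too: ``security_group_rule``
# takes one as its ``rule_config`` argument, so callers need it to define
# rules beyond the ``DefaultRule`` catalogue (e.g. a custom port).
__all__ = [
    "DefaultRule",
    "DefaultRuleConfig",
    "security_group_rule",
]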
from pulumi_aws.ec2 import ProtocolType
@dataclass
class DefaultRuleConfig:
    """Template for one security-group rule: port range, protocol, direction.

    ``security_group_rule`` copies ``from_port``, ``to_port``, ``protocol`` and
    ``type`` straight onto the ``aws.ec2.SecurityGroupRule`` and uses
    ``protocol_name`` only to build the default description
    (``"<Type> <protocol_name>"``). The source/destination of the rule (CIDR,
    prefix list, security group, self) is not part of the template; it is
    supplied per call.

    NOTE(review): the pre-built instances on ``DefaultRule`` are shared,
    mutable class attributes, so mutating one changes it for every caller in
    the process. If nothing relies on mutating them, ``frozen=True`` would
    make the read-only intent explicit — confirm before changing.
    """

    # First and last port of the range; equal for single-port rules, 0 and 0
    # for the catch-all rules that use ProtocolType.ALL.
    from_port: Optional[pulumi.Input[int]]
    to_port: Optional[pulumi.Input[int]]
    # Protocol as a string (the built-ins use "tcp"/"udp") or ProtocolType.ALL.
    protocol: Optional[pulumi.Input[Union[str, 'ProtocolType']]]
    # Human-readable label, used only for the generated rule description.
    protocol_name: Optional[pulumi.Input[str]]
    # "ingress" or "egress". Defaults to None, but ``security_group_rule``
    # calls ``.capitalize()`` on it when no description is given, so a rule
    # left without ``type`` fails there; always set it.
    type: Optional[pulumi.Input[str]] = None
def _tcp_ingress(port: int, label: str) -> DefaultRuleConfig:
    """Return a single-port TCP *ingress* template (``from_port == to_port``)."""
    return DefaultRuleConfig(
        from_port=port,
        to_port=port,
        protocol="tcp",
        type="ingress",
        protocol_name=label,
    )


class DefaultRule:
    """Ready-made rule templates, exposed as class attributes.

    Each attribute is a ``DefaultRuleConfig`` with port range, protocol and
    direction filled in; the source or destination (CIDR, prefix list,
    security group or ``self``) is deliberately absent and must be supplied
    when the template is turned into a resource by ``security_group_rule``.
    All templates are ingress rules on one TCP port, except ``DnsUdp`` (UDP)
    and the two catch-alls, which use ``ProtocolType.ALL`` on port 0-0 and
    so cover every protocol and port.

    The attributes are single shared instances: mutating one (e.g.
    ``DefaultRule.Ssh.from_port = 0``) changes it for every caller in the
    process. Treat them as read-only.

    Security note: ``Ssh``, ``PostgreSQL``, ``Redis``, the Prometheus stack
    and above all ``AllIngress`` should be bound to a security-group source
    or a narrow CIDR; combining them with ``0.0.0.0/0`` is the classic
    misconfiguration this catalogue makes easy to write.
    """

    AlertManager = _tcp_ingress(9093, "Prometheus Alert Manager")
    ClamAV = _tcp_ingress(3310, "Clam AntiVirus")
    DnsTcp = _tcp_ingress(53, "DNS TCP")
    # DNS is the only service here that also needs a UDP rule.
    DnsUdp = DefaultRuleConfig(
        from_port=53,
        to_port=53,
        protocol="udp",
        type="ingress",
        protocol_name="DNS UDP",
    )
    Grafana = _tcp_ingress(3000, "Grafana Dashboard")
    Http = _tcp_ingress(80, "HTTP")
    Http_8080 = _tcp_ingress(8080, "HTTP")
    Https = _tcp_ingress(443, "HTTPS")
    Https_8443 = _tcp_ingress(8443, "HTTPS")
    Https_9443 = _tcp_ingress(9443, "HTTPS")
    NodeExporter = _tcp_ingress(9100, "Prometheus Node Exporter")
    PostgreSQL = _tcp_ingress(5432, "PostgreSQL")
    Prometheus = _tcp_ingress(9090, "Prometheus")
    Redis = _tcp_ingress(6379, "Redis")
    Ssh = _tcp_ingress(22, "SSH")
    # Catch-alls: protocol ALL with port range 0-0, i.e. every protocol and
    # every port. Never pair AllIngress with a public CIDR.
    AllIngress = DefaultRuleConfig(
        from_port=0,
        to_port=0,
        protocol=ProtocolType.ALL,
        type="ingress",
        protocol_name="All incoming traffic",
    )
    AllEgress = DefaultRuleConfig(
        from_port=0,
        to_port=0,
        protocol=ProtocolType.ALL,
        type="egress",
        protocol_name="All outgoing traffic",
    )
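def _as_list(value):
    """Normalise one optional "single or many" argument to a list or ``None``.

    ``security_group_rule`` accepts a single CIDR / prefix-list id for
    convenience, but the AWS resource takes sequences, so a scalar (a ``str``
    or a pulumi ``Output``) is wrapped in a one-element list, and a ``list``
    or ``tuple`` the caller already built is passed through as a list.
    ``None`` stays ``None`` so the argument is omitted from the resource.
    """
    if value is None:
        return None
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def security_group_rule(
    resource_name: str,
    rule_config: DefaultRuleConfig,
    security_group_id: Optional[pulumi.Input[str]],
    description: Optional[pulumi.Input[str]] = None,
    cidr_blocks: Optional[Union[pulumi.Input[str], Sequence[pulumi.Input[str]]]] = None,
    ipv6_cidr_blocks: Optional[Union[pulumi.Input[str], Sequence[pulumi.Input[str]]]] = None,
    prefix_list_ids: Optional[Union[pulumi.Input[str], Sequence[pulumi.Input[str]]]] = None,
    self: Optional[pulumi.Input[bool]] = None,
    source_security_group_id: Optional[pulumi.Input[str]] = None,
) -> aws.ec2.SecurityGroupRule:
    """Create one ``aws.ec2.SecurityGroupRule`` from a rule template.

    Args:
        resource_name: Pulumi logical name of the rule resource.
        rule_config: Template supplying port range, protocol and direction
            (a ``DefaultRule`` attribute, or a custom ``DefaultRuleConfig``).
        security_group_id: Security group the rule is attached to.
        description: Rule description; defaults to
            ``"<Type> <protocol_name>"`` (e.g. ``"Ingress SSH"``), or just
            ``protocol_name`` when the template has no ``type``.
        cidr_blocks: IPv4 source (ingress) / destination (egress), as one
            CIDR string or a sequence of them.
        ipv6_cidr_blocks: Same for IPv6.
        prefix_list_ids: Same for managed prefix lists.
        self: If true, the security group itself is the source/destination.
        source_security_group_id: Another security group as source/destination.

    Returns:
        The created ``SecurityGroupRule`` resource.

    Security notes:
        Nothing here validates how wide the rule is: ``0.0.0.0/0`` / ``::/0``
        on anything other than public HTTP(S), or ``DefaultRule.AllIngress``
        with any CIDR, has to be caught in review or by policy. ``self`` and
        ``source_security_group_id`` are mutually exclusive in the upstream
        provider and are not checked here either — TODO confirm which
        combinations with the CIDR/prefix-list arguments it accepts.
    """
    if description is None:
        # ``type`` defaults to None on the dataclass; do not crash on it.
        if rule_config.type:
            description = f"{rule_config.type.capitalize()} {rule_config.protocol_name}"
        else:
            description = f"{rule_config.protocol_name}"

    return aws.ec2.SecurityGroupRule(
        resource_name=resource_name,
        description=description,
        type=rule_config.type,
        protocol=rule_config.protocol,
        from_port=rule_config.from_port,
        to_port=rule_config.to_port,
        security_group_id=security_group_id,
        # All three are sequences on the resource. prefix_list_ids used to be
        # passed bare while the CIDR arguments were wrapped; now consistent.
        cidr_blocks=_as_list(cidr_blocks),
        ipv6_cidr_blocks=_as_list(ipv6_cidr_blocks),
        prefix_list_ids=_as_list(prefix_list_ids),
        self=self,
        source_security_group_id=source_security_group_id,
        # Delete the old rule before creating its replacement: presumably
        # because the provider rejects a rule identical to one that still
        # exists — keep unless proven otherwise.
        opts=pulumi.ResourceOptions(delete_before_replace=True),
    )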