<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Imesh Ruchira</title>
    <description>The latest articles on DEV Community by Imesh Ruchira (@ruchira).</description>
    <link>https://dev.to/ruchira</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1219921%2Fd0935732-95db-4729-bfba-5631732e644c.jpg</url>
      <title>DEV Community: Imesh Ruchira</title>
      <link>https://dev.to/ruchira</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ruchira"/>
    <language>en</language>
    <item>
      <title>Creating AWS Security Groups with Dynamic Ingress Rules Using Terraform</title>
      <dc:creator>Imesh Ruchira</dc:creator>
      <pubDate>Wed, 10 Jan 2024 12:20:59 +0000</pubDate>
      <link>https://dev.to/ruchira/creating-aws-security-groups-with-dynamic-ingress-rules-using-terraform-20od</link>
      <guid>https://dev.to/ruchira/creating-aws-security-groups-with-dynamic-ingress-rules-using-terraform-20od</guid>
      <description>&lt;p&gt;&lt;strong&gt;What are Terraform Dynamic Blocks?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In Terraform, dynamic blocks provide a way to generate repetitive configurations dynamically. They are used in resource, data, and provider blocks to handle situations where you need to define multiple nested blocks with similar configurations.&lt;/p&gt;

&lt;p&gt;The dynamic block allows you to generate multiple instances of a nested block within a resource or module, based on a list or map variable. This can help you reduce code duplication and make your Terraform configurations more concise and maintainable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How to Use the Dynamic Blocks&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Terraform provides the dynamic block to create repeatable nested blocks within a resource. A dynamic block acts much like a for expression, but where a for expression produces a value, a dynamic block produces nested blocks within a resource, like the ingress rules within a security group. A dynamic block iterates over a collection and generates a nested block for each element of that collection.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The following code shows the configuration of an AWS security group with four open ports. In this example, the ingress blocks are written out explicitly, creating repeated code.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;provider "aws" {
  region = "us-east-1"  
}

resource "aws_security_group" "example_sg" {
  name        = "example-sg"
  description = "Example Security Group"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  
  }

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That same configuration using a dynamic block is shown below. Replacing the four port blocks with a dynamic block removes repeated attributes, leading to cleaner code that is easier to maintain.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;provider "aws" {
  region = "us-east-1"  
}

resource "aws_security_group" "example_sg" {
  name        = "example-sg"
  description = "Example Security Group"


  dynamic "ingress" {
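    # One ingress block is generated per port in this list
    # (the list differs from the ports above: no 22, adds 8000)
    for_each = [80, 443, 8080, 8000]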

    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The for_each expression in Terraform is a powerful feature that enables the dynamic generation of multiple resources or nested blocks. In this case, the for_each expression is used to open multiple ports of a security group based on the elements of a given collection. It is commonly used to iterate over lists, sets, or maps and create an individual ingress rule for each element.&lt;/p&gt;
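
&lt;p&gt;An added example, not from the original article or its repository: the same dynamic block driven by a map variable, so each port carries its own source ranges and SSH is limited to an admin network instead of 0.0.0.0/0. The variable name ingress_rules and all of its values are assumptions constructed for illustration.&lt;/p&gt;

```hcl
provider "aws" {
  region = "us-east-1"
}

variable "ingress_rules" {
  description = "Ingress rules keyed by name (constructed sample values)"
  type = map(object({
    port        = number
    cidr_blocks = list(string)
  }))

  default = {
    # 203.0.113.0/24 is a documentation range standing in for an admin network
    ssh   = { port = 22, cidr_blocks = ["203.0.113.0/24"] }
    http  = { port = 80, cidr_blocks = ["0.0.0.0/0"] }
    https = { port = 443, cidr_blocks = ["0.0.0.0/0"] }
  }

  # Reject any rule that would expose SSH to the whole internet
  validation {
    condition = alltrue([
      for rule in values(var.ingress_rules) :
      rule.port != 22 || !contains(rule.cidr_blocks, "0.0.0.0/0")
    ])
    error_message = "Port 22 must not be open to 0.0.0.0/0. List the admin CIDR ranges instead."
  }
}

resource "aws_security_group" "example_sg" {
  name        = "example-sg"
  description = "Example Security Group"

  dynamic "ingress" {
    # Iterating a map: ingress.key is the rule name, ingress.value the object
    for_each = var.ingress_rules

    content {
      description = "${ingress.key} ingress"
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = "tcp"
      cidr_blocks = ingress.value.cidr_blocks
    }
  }
}
```

&lt;p&gt;With this validation in place, terraform plan fails before any change is made if a caller passes a rule that opens port 22 to 0.0.0.0/0.&lt;/p&gt;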

&lt;p&gt;Got a project that needs some Terraform love? I've got you covered! Check out my Terraform configuration at this link: &lt;a href="https://github.com/98ruchira/Terraform-AWS-Security-group-with-Dynamic-block/tree/main"&gt;https://github.com/98ruchira/Terraform-AWS-Security-group-with-Dynamic-block/tree/main&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>How to begin with Terraform: AWS EC2</title>
      <dc:creator>Imesh Ruchira</dc:creator>
      <pubDate>Mon, 11 Dec 2023 10:25:16 +0000</pubDate>
      <link>https://dev.to/ruchira/how-to-begin-with-terraform-aws-ec2-20jg</link>
      <guid>https://dev.to/ruchira/how-to-begin-with-terraform-aws-ec2-20jg</guid>
      <description>&lt;p&gt;In this article, we will examine in detail the creation of a secure EC2 machine in AWS using Terraform. The configuration creates a VPC, subnets, two EC2 machines, route tables, security groups, a network address translation (NAT) gateway, and an internet gateway (IG).&lt;/p&gt;

&lt;h2&gt;
  Architecture Diagram for AWS secure EC2
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LWCQYuyt--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fpgmjcq43cosnwyc23qw.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LWCQYuyt--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fpgmjcq43cosnwyc23qw.jpg" alt="Image description" width="700" height="840"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We will work in the us-east-1 region, though you can change it in the Terraform configuration to whichever region you prefer.&lt;/p&gt;

&lt;p&gt;Inside the AWS region we will create a VPC (virtual private cloud). Then we will create private subnets in the zone and assign every subnet to a custom route table, which provides more control in maintaining the security of each private subnet. We will also create public subnets in the same way as the private ones. We will use Classless Inter-Domain Routing (CIDR) as shown in the diagram.&lt;/p&gt;

&lt;p&gt;Those resources also have a security group that allows port 22. Opening port 22 typically means allowing incoming and outgoing traffic on the SSH (Secure Shell) protocol, which enables remote access to a server.&lt;/p&gt;

&lt;p&gt;Those resources also have two route tables. The first route table is associated with the public subnet. In that case I used route table to   &lt;/p&gt;

&lt;p&gt;After that, we will add a NAT (Network address translation) gateway that will allow us to provide internet access to components inside private subnets.  And we will also add an internet gateway to the public subnet to get an internet connection.&lt;/p&gt;

&lt;p&gt;Now we have an Internet connection to our EC2 machine, which is in the private subnet, so our EC2 machine is secure.&lt;/p&gt;

&lt;p&gt;Got a project that needs some Terraform love?  I've got you covered! Check out my Terraform configuration at this link:&lt;a href="https://github.com/98ruchira/Terraform-AWS"&gt;https://github.com/98ruchira/Terraform-AWS&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
