Security Group with Rule Presets

aws-security-group — Security Group with Rule Presets

Security groups with named rule presets (https, postgres, redis, ...) using the modern standalone rule resources (aws_vpc_security_group_ingress_rule / _egress_rule) instead of legacy inline blocks — every rule is its own API object with its own ID and tags, so rule changes never trigger whole-group diff churn. create_before_destroy and name-prefixing are wired in so the group can be replaced without breaking attached ENIs.

Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.

Usage

module "app_sg" {
  source = "./aws-security-group"

  name        = "app"
  description = "Application tier"
  vpc_id      = module.vpc.vpc_id

  ingress_rules = [
    { preset = "https", cidr_ipv4 = "0.0.0.0/0" },
    { preset = "ssh", cidr_ipv4 = "10.0.0.0/8", description = "SSH from corp" },
    { preset = "postgres", referenced_security_group_id = module.db_sg.security_group_id },
    { from_port = 9000, to_port = 9010, ip_protocol = "tcp", self = true },
  ]

  tags = { Environment = "prod" }
}

Each rule sets a preset or explicit from_port/to_port/ip_protocol, plus exactly one source/destination: cidr_ipv4, cidr_ipv6, prefix_list_id, referenced_security_group_id, or self = true.

Presets

Preset	Port/Proto	Preset	Port/Proto
ssh	22/tcp	mysql	3306/tcp
http	80/tcp	mssql	1433/tcp
https	443/tcp	oracle-db	1521/tcp
http-alt	8080/tcp	redis	6379/tcp
https-alt	8443/tcp	memcached	11211/tcp
dns-tcp / dns-udp	53	mongodb	27017/tcp
ntp	123/udp	rabbitmq	5672/tcp
smtp-tls	587/tcp	kafka	9092/tcp
ldap / ldaps	389/636 tcp	elasticsearch	9200/tcp
nfs	2049/tcp	prometheus	9090/tcp
postgres	5432/tcp	node-exporter	9100/tcp
grafana	3000/tcp	kubernetes-api	6443/tcp
rdp	3389/tcp	winrm-http / winrm-https	5985/5986 tcp
all-icmp	icmp	all-traffic	-1 (all)

Inputs

Name	Type	Default	Description
name	string	—	Group name / Name tag (required)
vpc_id	string	—	VPC ID (required)
description	string	"Managed by Terraform (IaC Bazaar)"	Group description (forces replacement on change)
use_name_prefix	bool	true	Random-suffix the name for safe replacement
ingress_rules	list(object)	[]	Ingress rules (preset or explicit, see above)
egress_rules	list(object)	[]	Egress rules, same shape
allow_all_egress	bool	true	Create allow-all IPv4+IPv6 egress; set false for least-privilege egress
revoke_rules_on_delete	bool	false	Revoke rules before delete (cross-referencing groups)
tags	map(string)	{}	Tags for the group and every rule

Outputs

Name	Description
security_group_id / security_group_arn / security_group_name	Group identifiers
ingress_rule_ids / egress_rule_ids	Rule-index => rule-ID maps
allow_all_egress_rule_ids	IDs of the default egress rules

Notes

• Rules are keyed by list index: reordering ingress_rules re-creates the affected rules. That is a fast, zero-downtime API operation.
• self = true is implemented as referenced_security_group_id pointing at the group itself (the standalone-rule equivalent of legacy self).

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).