Logstash Security Group Rules Module

This folder contains a Terraform module that defines the Security Group rules used by a Logstash cluster to control the traffic that is allowed to go in and out of the cluster. These rules are defined in a separate module so that you can add them to any existing Security Group.

Quick start

Let's say you want to deploy Logstash using the logstash-cluster module:

module "logstash_cluster" {
  # TODO: replace <VERSION> with the latest version from the releases page: https://github.com/gruntwork-io/terraform-aws-elk/releases
  source = "github.com/gruntwork-io/terraform-aws-elk//modules/logstash-cluster?ref=<VERSION>"

  # ... (other params omitted) ...
}

You can attach the Security Group rules to this cluster as follows:

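module "security_group_rules" {
  # TODO: replace <VERSION> with the latest version from the releases page: https://github.com/gruntwork-io/terraform-aws-elk/releases
  source = "github.com/gruntwork-io/terraform-aws-elk//modules/logstash-security-group-rules?ref=<VERSION>"

  # Attach the rules to the Security Group created by the logstash-cluster module
  security_group_id = module.logstash_cluster.security_group_id

  # 0.0.0.0/0 allows connections from any IPv4 address; narrow this to the ranges your Beats senders use
  beats_port_cidr_blocks         = ["0.0.0.0/0"]
  beats_port_security_groups     = ["sg-abcd1234"]
  # Must equal the number of entries in beats_port_security_groups
  num_beats_port_security_groups = 1

  # ... (other params omitted) ...
}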

Note the following parameters:

  • source: Use this parameter to specify the URL of this module. The double slash (//) is intentional and required. Terraform uses it to specify subfolders within a Git repo (see module sources). The ref parameter specifies a specific Git tag in this repo. That way, instead of using the latest version of this module from the master branch, which will change every time you run Terraform, you're using a fixed version of the repo.

  • security_group_id: Use this parameter to specify the ID of the security group to which the rules in this module should be added.

  • beats_port_cidr_blocks, beats_port_security_groups, num_beats_port_security_groups: This shows an example of how to configure which IP address ranges and Security Groups are allowed to connect to the beats (e.g. Filebeat) port.

You can find the other parameters in vars.tf.

Check out the examples folder for working sample code.
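The following configuration is an added example, not taken from this module's examples folder. It attaches the rules to an existing Security Group and shows the open Beats setting from the quick start beside a narrower one that admits only a sender Security Group whose ID is a dynamic resource, which is the case where the num_* count has to be set by hand. The resource names, the vpc_id variable, the 10.0.0.0/16 range and the port numbers (5044 and 25826, the conventional Beats and collectd ports) are assumptions.

```hcl
# Constructed example: resource names, CIDR range and port numbers are assumptions.

variable "vpc_id" {
  type = string
}

# Existing Security Group that protects the Logstash nodes (hypothetical).
resource "aws_security_group" "logstash" {
  name   = "logstash"
  vpc_id = var.vpc_id
}

# Security Group attached to the instances that run Filebeat (hypothetical).
resource "aws_security_group" "filebeat_senders" {
  name   = "filebeat-senders"
  vpc_id = var.vpc_id
}

module "security_group_rules" {
  # TODO: replace <VERSION> with the latest version from the releases page
  source = "github.com/gruntwork-io/terraform-aws-elk//modules/logstash-security-group-rules?ref=<VERSION>"

  security_group_id = aws_security_group.logstash.id

  beats_port    = 5044  # conventional Beats port (assumption)
  collectd_port = 25826 # conventional collectd port (assumption)

  # Weak: any IPv4 address can reach the Beats port.
  # beats_port_cidr_blocks = ["0.0.0.0/0"]

  # Narrower: no CIDR-based access, only members of the sender Security Group.
  beats_port_cidr_blocks     = []
  beats_port_security_groups = [aws_security_group.filebeat_senders.id]

  # The ID above is a dynamic resource, so the count is stated explicitly
  # and must match the length of beats_port_security_groups.
  num_beats_port_security_groups = 1

  # collectd: limited to a private range (constructed value), no Security Groups.
  collectd_port_cidr_blocks         = ["10.0.0.0/16"]
  collectd_port_security_groups     = []
  num_collectd_port_security_groups = 0
}
```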

Reference

Required

beats_port (number, required)

The port to use for Beats requests (e.g., from Filebeat).

collectd_port (number, required)

The port to use for CollectD requests.

security_group_id (string, required)

The ID of the Security Group to which all the rules should be attached.

Optional

beats_port_cidr_blocks (list(string), optional)

The list of IP address ranges in CIDR notation from which to allow connections to the beats_port.

Default: []

beats_port_security_groups (list(string), optional)

The list of Security Group IDs from which to allow connections to the beats_port. If you update this variable, make sure to update num_beats_port_security_groups too!

Default: []

collectd_port_cidr_blocks (list(string), optional)

The list of IP address ranges in CIDR notation from which to allow connections to the collectd_port.

Default: []

collectd_port_security_groups (list(string), optional)

The list of Security Group IDs from which to allow connections to the collectd_port. If you update this variable, make sure to update num_collectd_port_security_groups too!

Default: []

num_beats_port_security_groups (optional)

The number of security group IDs in beats_port_security_groups. We should be able to compute this automatically, but due to a Terraform limitation, if there are any dynamic resources in beats_port_security_groups, then we won't be able to: https://github.com/hashicorp/terraform/pull/11482

Default: 0

num_collectd_port_security_groups (optional)

The number of security group IDs in collectd_port_security_groups. We should be able to compute this automatically, but due to a Terraform limitation, if there are any dynamic resources in collectd_port_security_groups, then we won't be able to: https://github.com/hashicorp/terraform/pull/11482

Default: 0