feat: Add rules for Wazuh (#243)

Author: kv5h

README.md

@@ -49,6 +49,7 @@ List of Security Groups implemented as Terraform modules
 * [squid](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/squid)
 * [ssh](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/ssh)
 * [storm](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/storm)
+* [wazuh](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/wazuh)
 * [web](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/web)
 * [winrm](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/winrm)
 * [zipkin](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/modules/zipkin)

modules/README.md

@@ -0,0 +1,78 @@
+# This file was generated from values defined in rules.tf using update_groups.sh.
+###################################
+# DO NOT CHANGE THIS FILE MANUALLY
+###################################
+
+variable "auto_ingress_rules" {
+  description = "List of ingress rules to add automatically"
+  type        = list(string)
+  default     = ["wazuh-server-agent-connection-tcp", "wazuh-server-agent-connection-udp", "wazuh-server-agent-enrollment", "wazuh-server-agent-cluster-daemon", "wazuh-server-syslog-collector-tcp", "wazuh-server-syslog-collector-udp", "wazuh-server-restful-api", "wazuh-indexer-restful-api", "wazuh-dashboard"]
+}
+
+variable "auto_ingress_with_self" {
+  description = "List of maps defining ingress rules with self to add automatically"
+  type        = list(map(string))
+  default     = [{ "rule" = "all-all" }]
+}
+
+variable "auto_egress_rules" {
+  description = "List of egress rules to add automatically"
+  type        = list(string)
+  default     = ["all-all"]
+}
+
+variable "auto_egress_with_self" {
+  description = "List of maps defining egress rules with self to add automatically"
+  type        = list(map(string))
+  default     = []
+}
+
+# Computed
+variable "auto_computed_ingress_rules" {
+  description = "List of ingress rules to add automatically"
+  type        = list(string)
+  default     = []
+}
+
+variable "auto_computed_ingress_with_self" {
+  description = "List of maps defining computed ingress rules with self to add automatically"
+  type        = list(map(string))
+  default     = []
+}
+
+variable "auto_computed_egress_rules" {
+  description = "List of computed egress rules to add automatically"
+  type        = list(string)
+  default     = []
+}
+
+variable "auto_computed_egress_with_self" {
+  description = "List of maps defining computed egress rules with self to add automatically"
+  type        = list(map(string))
+  default     = []
+}
+
+# Number of computed rules
+variable "auto_number_of_computed_ingress_rules" {
+  description = "Number of computed ingress rules to create by name"
+  type        = number
+  default     = 0
+}
+
+variable "auto_number_of_computed_ingress_with_self" {
+  description = "Number of computed ingress rules to create where 'self' is defined"
+  type        = number
+  default     = 0
+}
+
+variable "auto_number_of_computed_egress_rules" {
+  description = "Number of computed egress rules to create by name"
+  type        = number
+  default     = 0
+}
+
+variable "auto_number_of_computed_egress_with_self" {
+  description = "Number of computed egress rules to create where 'self' is defined"
+  type        = number
+  default     = 0
+}

modules/wazuh/README.md

@@ -0,0 +1,115 @@
+module "sg" {
+  source = "../../"
+
+  create                 = var.create
+  name                   = var.name
+  use_name_prefix        = var.use_name_prefix
+  description            = var.description
+  vpc_id                 = var.vpc_id
+  revoke_rules_on_delete = var.revoke_rules_on_delete
+  tags                   = var.tags
+
+  ##########
+  # Ingress
+  ##########
+  # Rules by names - open for default CIDR
+  ingress_rules = sort(compact(distinct(concat(var.auto_ingress_rules, var.ingress_rules, [""]))))
+
+  # Open for self
+  ingress_with_self = concat(var.auto_ingress_with_self, var.ingress_with_self)
+
+  # Open to IPv4 cidr blocks
+  ingress_with_cidr_blocks = var.ingress_with_cidr_blocks
+
+  # Open to IPv6 cidr blocks
+  ingress_with_ipv6_cidr_blocks = var.ingress_with_ipv6_cidr_blocks
+
+  # Open for security group id
+  ingress_with_source_security_group_id = var.ingress_with_source_security_group_id
+
+  # Default ingress CIDR blocks
+  ingress_cidr_blocks      = var.ingress_cidr_blocks
+  ingress_ipv6_cidr_blocks = var.ingress_ipv6_cidr_blocks
+
+  # Default prefix list ids
+  ingress_prefix_list_ids = var.ingress_prefix_list_ids
+
+  ###################
+  # Computed Ingress
+  ###################
+  # Rules by names - open for default CIDR
+  computed_ingress_rules = sort(compact(distinct(concat(var.auto_computed_ingress_rules, var.computed_ingress_rules, [""]))))
+
+  # Open for self
+  computed_ingress_with_self = concat(var.auto_computed_ingress_with_self, var.computed_ingress_with_self)
+
+  # Open to IPv4 cidr blocks
+  computed_ingress_with_cidr_blocks = var.computed_ingress_with_cidr_blocks
+
+  # Open to IPv6 cidr blocks
+  computed_ingress_with_ipv6_cidr_blocks = var.computed_ingress_with_ipv6_cidr_blocks
+
+  # Open for security group id
+  computed_ingress_with_source_security_group_id = var.computed_ingress_with_source_security_group_id
+
+  #############################
+  # Number of computed ingress
+  #############################
+  number_of_computed_ingress_rules                         = var.auto_number_of_computed_ingress_rules + var.number_of_computed_ingress_rules
+  number_of_computed_ingress_with_self                     = var.auto_number_of_computed_ingress_with_self + var.number_of_computed_ingress_with_self
+  number_of_computed_ingress_with_cidr_blocks              = var.number_of_computed_ingress_with_cidr_blocks
+  number_of_computed_ingress_with_ipv6_cidr_blocks         = var.number_of_computed_ingress_with_ipv6_cidr_blocks
+  number_of_computed_ingress_with_source_security_group_id = var.number_of_computed_ingress_with_source_security_group_id
+
+  #########
+  # Egress
+  #########
+  # Rules by names - open for default CIDR
+  egress_rules = sort(compact(distinct(concat(var.auto_egress_rules, var.egress_rules, [""]))))
+
+  # Open for self
+  egress_with_self = concat(var.auto_egress_with_self, var.egress_with_self)
+
+  # Open to IPv4 cidr blocks
+  egress_with_cidr_blocks = var.egress_with_cidr_blocks
+
+  # Open to IPv6 cidr blocks
+  egress_with_ipv6_cidr_blocks = var.egress_with_ipv6_cidr_blocks
+
+  # Open for security group id
+  egress_with_source_security_group_id = var.egress_with_source_security_group_id
+
+  # Default egress CIDR blocks
+  egress_cidr_blocks      = var.egress_cidr_blocks
+  egress_ipv6_cidr_blocks = var.egress_ipv6_cidr_blocks
+
+  # Default prefix list ids
+  egress_prefix_list_ids = var.egress_prefix_list_ids
+
+  ##################
+  # Computed Egress
+  ##################
+  # Rules by names - open for default CIDR
+  computed_egress_rules = sort(compact(distinct(concat(var.auto_computed_egress_rules, var.computed_egress_rules, [""]))))
+
+  # Open for self
+  computed_egress_with_self = concat(var.auto_computed_egress_with_self, var.computed_egress_with_self)
+
+  # Open to IPv4 cidr blocks
+  computed_egress_with_cidr_blocks = var.computed_egress_with_cidr_blocks
+
+  # Open to IPv6 cidr blocks
+  computed_egress_with_ipv6_cidr_blocks = var.computed_egress_with_ipv6_cidr_blocks
+
+  # Open for security group id
+  computed_egress_with_source_security_group_id = var.computed_egress_with_source_security_group_id
+
+  #############################
+  # Number of computed egress
+  #############################
+  number_of_computed_egress_rules                         = var.auto_number_of_computed_egress_rules + var.number_of_computed_egress_rules
+  number_of_computed_egress_with_self                     = var.auto_number_of_computed_egress_with_self + var.number_of_computed_egress_with_self
+  number_of_computed_egress_with_cidr_blocks              = var.number_of_computed_egress_with_cidr_blocks
+  number_of_computed_egress_with_ipv6_cidr_blocks         = var.number_of_computed_egress_with_ipv6_cidr_blocks
+  number_of_computed_egress_with_source_security_group_id = var.number_of_computed_egress_with_source_security_group_id
+}

modules/wazuh/auto_values.tf

@@ -0,0 +1,24 @@
+output "security_group_id" {
+  description = "The ID of the security group"
+  value       = module.sg.security_group_id
+}
+
+output "security_group_vpc_id" {
+  description = "The VPC ID"
+  value       = module.sg.security_group_vpc_id
+}
+
+output "security_group_owner_id" {
+  description = "The owner ID"
+  value       = module.sg.security_group_owner_id
+}
+
+output "security_group_name" {
+  description = "The name of the security group"
+  value       = module.sg.security_group_name
+}
+
+output "security_group_description" {
+  description = "The description of the security group"
+  value       = module.sg.security_group_description
+}