ELK AWS Module 0.11.1

Logstash Security Group Rules Module


This folder contains a Terraform module that defines the Security Group rules used by a Logstash cluster to control the traffic that is allowed to go in and out of the cluster. These rules are defined in a separate module so that you can add them to any existing Security Group.

Quick start

Let's say you want to deploy Logstash using the logstash-cluster module:

module "logstash_cluster" {
# TODO: replace <VERSION> with the latest version from the releases page: https://github.com/gruntwork-io/terraform-aws-elk/releases
source = "github.com/gruntwork-io/terraform-aws-elk//modules/logstash-cluster?ref=<VERSION>"

# ... (other params omitted) ...
}

You can attach the Security Group rules to this cluster as follows:

module "security_group_rules" {
# TODO: replace <VERSION> with the latest version from the releases page: https://github.com/gruntwork-io/terraform-aws-elk/releases
source = "github.com/gruntwork-io/terraform-aws-elk//modules/logstash-security-group-rules?ref=<VERSION>"

security_group_id = module.logstash_cluster.security_group_id

beats_port_cidr_blocks = ["0.0.0.0/0"]
beats_port_security_groups = ["sg-abcd1234"]
num_beats_port_security_groups = 1

# ... (other params omitted) ...
}

Note the following parameters:

  • source: Use this parameter to specify the URL of this module. The double slash (//) is intentional and required. Terraform uses it to specify subfolders within a Git repo (see module sources). The ref parameter specifies a specific Git tag in this repo. That way, instead of using the latest version of this module from the master branch, which will change every time you run Terraform, you're using a fixed version of the repo.

  • security_group_id: Use this parameter to specify the ID of the security group to which the rules in this module should be added.

  • beats_port_cidr_blocks, beats_port_security_groups, num_beats_port_security_groups: These show an example of how to configure which IP address ranges and Security Groups are allowed to connect to the beats port (the port used by Beats shippers such as Filebeat).

You can find the other parameters in vars.tf.

Check out the examples folder for working sample code.
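Two things are easy to get wrong in the block above: a CIDR list containing 0.0.0.0/0 makes the beats or collectd port reachable from any address on the internet, and the num_*_security_groups counters must be updated by hand whenever the matching *_security_groups list changes. The following Python script is an added example, not part of the Gruntwork module; it uses a simplified regex reader for just the list and number attributes this module takes (it is not a full HCL parser) and checks a constructed copy of the quick-start block for both pitfalls.

```python
# Added example (not Gruntwork code): lint a logstash-security-group-rules
# block for world-open CIDRs and mismatched num_*_security_groups counters.
import ipaddress
import re

# Simplified HCL reading: single-line lists of strings and num_* integers only.
LIST_RE = re.compile(r'^\s*(\w+)\s*=\s*\[([^\]]*)\]', re.M)
NUM_RE = re.compile(r'^\s*(num_\w+)\s*=\s*(\d+)', re.M)

# Constructed sample: the beats port is open to the internet and the collectd
# counter is out of step with its list (two groups listed, count says one).
SAMPLE = '''
module "security_group_rules" {
  security_group_id = module.logstash_cluster.security_group_id
  beats_port_cidr_blocks = ["0.0.0.0/0"]
  beats_port_security_groups = ["sg-abcd1234"]
  num_beats_port_security_groups = 1
  collectd_port_cidr_blocks = ["10.0.0.0/16"]
  collectd_port_security_groups = ["sg-aaaa1111", "sg-bbbb2222"]
  num_collectd_port_security_groups = 1
}
'''

def parse_block(hcl: str) -> dict:
    """Return {attribute: list of strings or int} for the attributes we understand."""
    attrs = {}
    for name, body in LIST_RE.findall(hcl):
        attrs[name] = [s.strip().strip('"') for s in body.split(",") if s.strip()]
    for name, val in NUM_RE.findall(hcl):
        attrs[name] = int(val)
    return attrs

def lint(hcl: str) -> list:
    """Return one finding string per pitfall detected, in attribute order."""
    attrs = parse_block(hcl)
    findings = []
    for port in ("beats", "collectd"):
        for cidr in attrs.get(f"{port}_port_cidr_blocks", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: reachable from anywhere
                findings.append(f"{port}_port open to the internet via {cidr}")
        sgs = attrs.get(f"{port}_port_security_groups", [])
        count = attrs.get(f"num_{port}_port_security_groups", 0)
        if count != len(sgs):  # Terraform will create the wrong number of rules
            findings.append(f"num_{port}_port_security_groups={count} but list has {len(sgs)} entries")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("WARN:", finding)
```

Running it against the sample prints a warning for the world-open beats port and one for the collectd counter mismatch; a block restricted to internal CIDRs with matching counts produces no output.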

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S LOGSTASH-SECURITY-GROUP-RULES MODULE
# ------------------------------------------------------------------------------------------------------

module "logstash_security_group_rules" {

source = "git::git@github.com:gruntwork-io/terraform-aws-elk.git//modules/logstash-security-group-rules?ref=v0.11.1"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# The port to use for BEATS requests. E.g. Filebeat
beats_port = <INPUT REQUIRED>

# The port to use for CollectD requests.
collectd_port = <INPUT REQUIRED>

# The ID of the Security Group to which all the rules should be attached.
security_group_id = <INPUT REQUIRED>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# The list of IP address ranges in CIDR notation from which to allow connections
# to the beats_port.
beats_port_cidr_blocks = []

# The list of Security Group IDs from which to allow connections to the
# beats_port. If you update this variable, make sure to update
# var.num_beats_port_security_groups too!
beats_port_security_groups = []

# The list of IP address ranges in CIDR notation from which to allow connections
# to the collectd_port.
collectd_port_cidr_blocks = []

# The list of Security Group IDs from which to allow connections to the
# collectd_port. If you update this variable, make sure to update
# var.num_collectd_port_security_groups too!
collectd_port_security_groups = []

# The number of security group IDs in var.beats_port_security_groups. We should be
# able to compute this automatically, but due to a Terraform limitation, if there
# are any dynamic resources in var.beats_port_security_groups, then we won't be
# able to: https://github.com/hashicorp/terraform/pull/11482
num_beats_port_security_groups = 0

# The number of security group IDs in var.collectd_port_security_groups. We should
# be able to compute this automatically, but due to a Terraform limitation, if
# there are any dynamic resources in var.collectd_port_security_groups, then we
# won't be able to: https://github.com/hashicorp/terraform/pull/11482
num_collectd_port_security_groups = 0

}

Reference

Required

beats_port (number, required)

The port to use for BEATS requests. E.g. Filebeat

collectd_port (number, required)

The port to use for CollectD requests.

security_group_id (string, required)

The ID of the Security Group to which all the rules should be attached.

Optional

beats_port_cidr_blocks (list(string), optional)

The list of IP address ranges in CIDR notation from which to allow connections to the beats_port.

Default: []

beats_port_security_groups (list(string), optional)

The list of Security Group IDs from which to allow connections to the beats_port. If you update this variable, make sure to update num_beats_port_security_groups too!

Default: []

collectd_port_cidr_blocks (list(string), optional)

The list of IP address ranges in CIDR notation from which to allow connections to the collectd_port.

Default: []

collectd_port_security_groups (list(string), optional)

The list of Security Group IDs from which to allow connections to the collectd_port. If you update this variable, make sure to update num_collectd_port_security_groups too!

Default: []

num_beats_port_security_groups (number, optional)

The number of security group IDs in beats_port_security_groups. We should be able to compute this automatically, but due to a Terraform limitation, if there are any dynamic resources in beats_port_security_groups, then we won't be able to: https://github.com/hashicorp/terraform/pull/11482

Default: 0

num_collectd_port_security_groups (number, optional)

The number of security group IDs in collectd_port_security_groups. We should be able to compute this automatically, but due to a Terraform limitation, if there are any dynamic resources in collectd_port_security_groups, then we won't be able to: https://github.com/hashicorp/terraform/pull/11482

Default: 0