These examples demonstrate practical, real-world usage patterns for the security-group module. Each example is ready to adapt rather than run verbatim: copy the configuration, replace the placeholder references (`module.vpc.vpc_id`, `module.app_sg.security_group_id`, the `data.aws_ec2_managed_prefix_list` lookups and similar) with resources that exist in your own configuration, check the CIDR ranges and ports against your actual requirements, and then apply.

Getting Started

To run any example, follow these steps:

  1. Authenticate with the registry: terraform login registry.patterneddesigns.ca
  2. Initialize the working directory: terraform init
  3. Review the execution plan: terraform plan
  4. Apply the configuration: terraform apply

Usage Examples

Basic Usage

Web server security group with HTTP access

module "web_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "web-server"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  ]
}

Web Server

Security group for web servers with HTTP and HTTPS access

A security group configured for web servers allowing HTTP (port 80) and HTTPS (port 443) traffic from any IPv4 address. Note that `0.0.0.0/0` covers IPv4 only; if the VPC is dual-stack, IPv6 clients need a separate `::/0` rule (if the module exposes one).

module "web_server_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "web-server"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Allow HTTP from anywhere"
    },
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Allow HTTPS from anywhere"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Allow all outbound traffic"
    }
  ]
}

Outputs

output "web_server_sg_id" {
  value = module.web_server_sg.security_group_id
}

Database Access

Security group for database servers with MySQL and PostgreSQL access

Security groups for database servers allowing access only from application tier security groups.

PostgreSQL Database

module "postgres_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "postgres-database"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.app_sg.security_group_id]
      description     = "PostgreSQL from application tier"
    }
  ]

  egress_rules = []
}

MySQL Database

module "mysql_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "mysql-database"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 3306
      to_port         = 3306
      protocol        = "tcp"
      security_groups = [module.app_sg.security_group_id]
      description     = "MySQL from application tier"
    }
  ]

  egress_rules = []
}

Multi-Database Access

Allow both MySQL and PostgreSQL from the same application tier:

module "multi_db_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "multi-database"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 3306
      to_port         = 3306
      protocol        = "tcp"
      security_groups = [module.app_sg.security_group_id]
      description     = "MySQL access"
    },
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.app_sg.security_group_id]
      description     = "PostgreSQL access"
    }
  ]

  egress_rules = []
}

SSH Access

Security group for SSH access from specific IP addresses

Security groups restricting SSH access to specific IP addresses or CIDR ranges for remote administration. Keep the source list as small as possible—every entry is a host that can reach port 22 directly—and where available prefer a managed prefix list (last example in this section) so the allowed addresses are maintained in one place rather than copied into each configuration.

From Specific IPs

module "ssh_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "ssh-access"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["203.0.113.10/32", "198.51.100.20/32"]
      description = "SSH from admin IPs"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Allow all outbound"
    }
  ]
}

From Corporate Network

module "corporate_ssh_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "corporate-ssh"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.0/8"]
      description = "SSH from corporate network"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  ]
}

Using Prefix Lists

data "aws_ec2_managed_prefix_list" "admin_ips" {
  name = "admin-workstations"
}

module "prefix_ssh_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "prefix-ssh"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 22
      to_port         = 22
      protocol        = "tcp"
      prefix_list_ids = [data.aws_ec2_managed_prefix_list.admin_ips.id]
      description     = "SSH from admin prefix list"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  ]
}

All Outbound

Security group allowing all outbound traffic

A security group that allows all outbound traffic while controlling inbound access. This is a common pattern for instances that need to reach external services, but unrestricted egress also gives a compromised instance an unrestricted path out (data exfiltration, command-and-control, pulling further tooling). Where the set of destinations can be enumerated, prefer the restricted variant at the end of this section.

Basic All Outbound

module "all_outbound_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "all-outbound"
  vpc_id = module.vpc.vpc_id

  ingress_rules = []

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Allow all outbound traffic"
    }
  ]
}

Inbound Restricted, Outbound Open

module "worker_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "worker-nodes"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 0
      to_port         = 0
      protocol        = "-1"
      security_groups = [module.control_plane_sg.security_group_id]
      description     = "All traffic from control plane"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
      description = "Allow all outbound for external dependencies"
    }
  ]
}

Outbound to Specific Destinations

For more restrictive environments, limit outbound to specific services:

module "restricted_outbound_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "restricted-outbound"
  vpc_id = module.vpc.vpc_id

  ingress_rules = []

  egress_rules = [
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "HTTPS to external services"
    },
    {
      from_port   = 53
      to_port     = 53
      protocol    = "udp"
      cidr_blocks = [module.vpc.vpc_cidr_block]
      description = "DNS within VPC"
    }
  ]
}

Multiple Ingress Sources

Security group with multiple ingress sources for complex access patterns

Security groups that accept traffic from multiple sources including CIDR blocks, security groups, and prefix lists.

Multiple Security Group Sources

module "backend_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "backend-api"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port       = 8080
      to_port         = 8080
      protocol        = "tcp"
      security_groups = [module.web_sg.security_group_id]
      description     = "API from web tier"
    },
    {
      from_port       = 8080
      to_port         = 8080
      protocol        = "tcp"
      security_groups = [module.worker_sg.security_group_id]
      description     = "API from worker nodes"
    },
    {
      from_port       = 8080
      to_port         = 8080
      protocol        = "tcp"
      security_groups = [module.lambda_sg.security_group_id]
      description     = "API from Lambda functions"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  ]
}

Mixed Source Types

module "mixed_source_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "mixed-access"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "HTTPS from internet"
    },
    {
      from_port       = 8080
      to_port         = 8080
      protocol        = "tcp"
      security_groups = [module.internal_sg.security_group_id]
      description     = "Internal API access"
    },
    {
      from_port       = 22
      to_port         = 22
      protocol        = "tcp"
      prefix_list_ids = [data.aws_ec2_managed_prefix_list.admin.id]
      description     = "SSH from admin networks"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  ]
}

Port Range with Multiple CIDRs

module "port_range_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "ephemeral-ports"
  vpc_id = module.vpc.vpc_id

  ingress_rules = [
    {
      from_port   = 32768
      to_port     = 65535
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
      description = "Ephemeral ports from private networks"
    }
  ]

  egress_rules = [
    {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  ]
}