Merge pull request #63 from schubergphilis/improve-egress

feature: allow referencing ipv6 and other security groups in the `security_group_egress_rules` variable
schubergphilis · Oct 5, 2023 · 22958d7 · 22958d7
2 parents 2b49a50 + 3d212b8
commit 22958d7
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ No modules.
 | <a name="input_s3_bucket"></a> [s3\_bucket](#input\_s3\_bucket) | The S3 bucket location containing the function's deployment package | `string` | `null` | no |
 | <a name="input_s3_key"></a> [s3\_key](#input\_s3\_key) | The S3 key of an object containing the function's deployment package | `string` | `null` | no |
 | <a name="input_s3_object_version"></a> [s3\_object\_version](#input\_s3\_object\_version) | The object version containing the function's deployment package | `string` | `null` | no |
-| <a name="input_security_group_egress_rules"></a> [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security Group egress rules | <pre>list(object({<br>    cidr_ipv4   = string<br>    description = string<br>    from_port   = optional(number, 0)<br>    ip_protocol = optional(string, "-1")<br>    to_port     = optional(number, 0)<br>  }))</pre> | `[]` | no |
+| <a name="input_security_group_egress_rules"></a> [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security Group egress rules | <pre>list(object({<br>    cidr_ipv4                    = optional(string)<br>    cidr_ipv6                    = optional(string)<br>    description                  = string<br>    from_port                    = optional(number, 0)<br>    ip_protocol                  = optional(string, "-1")<br>    prefix_list_id               = optional(string)<br>    referenced_security_group_id = optional(string)<br>    to_port                      = optional(number, 0)<br>  }))</pre> | `[]` | no |
 | <a name="input_source_code_hash"></a> [source\_code\_hash](#input\_source\_code\_hash) | Optional source code hash | `string` | `null` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | The subnet ids where this lambda needs to run | `list(string)` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the bucket | `map(string)` | `{}` | no |

diff --git a/main.tf b/main.tf
@@ -85,14 +85,17 @@ resource "aws_security_group" "default" {
 }
 
 resource "aws_vpc_security_group_egress_rule" "default" {
-  for_each = var.subnet_ids != null && length(var.security_group_egress_rules) != 0 ? { for v in var.security_group_egress_rules : v.cidr_ipv4 => v } : {}
-
-  cidr_ipv4         = each.value.cidr_ipv4
-  description       = each.value.description
-  from_port         = each.value.from_port
-  ip_protocol       = each.value.ip_protocol
-  security_group_id = aws_security_group.default[0].id
-  to_port           = each.value.to_port
+  for_each = var.subnet_ids != null && length(var.security_group_egress_rules) != 0 ? { for v in var.security_group_egress_rules : v.description => v } : {}
+
+  cidr_ipv4                    = each.value.cidr_ipv4
+  cidr_ipv6                    = each.value.cidr_ipv6
+  description                  = each.value.description
+  from_port                    = each.value.from_port
+  ip_protocol                  = each.value.ip_protocol
+  prefix_list_id               = each.value.prefix_list_id
+  referenced_security_group_id = each.value.referenced_security_group_id
+  security_group_id            = aws_security_group.default[0].id
+  to_port                      = each.value.to_port
 }
 
 data "archive_file" "dummy" {

diff --git a/variables.tf b/variables.tf
@@ -178,14 +178,22 @@ variable "s3_object_version" {
 
 variable "security_group_egress_rules" {
   type = list(object({
-    cidr_ipv4   = string
-    description = string
-    from_port   = optional(number, 0)
-    ip_protocol = optional(string, "-1")
-    to_port     = optional(number, 0)
+    cidr_ipv4                    = optional(string)
+    cidr_ipv6                    = optional(string)
+    description                  = string
+    from_port                    = optional(number, 0)
+    ip_protocol                  = optional(string, "-1")
+    prefix_list_id               = optional(string)
+    referenced_security_group_id = optional(string)
+    to_port                      = optional(number, 0)
   }))
   default     = []
   description = "Security Group egress rules"
+
+  validation {
+    condition     = alltrue([for o in var.security_group_egress_rules : (o.cidr_ipv4 != null || o.cidr_ipv6 != null || o.prefix_list_id != null || o.referenced_security_group_id != null)])
+    error_message = "Although \"cidr_ipv4\", \"cidr_ipv6\", \"prefix_list_id\", and \"referenced_security_group_id\" are all marked as optional, you must provide one of them in order to configure the destination of the traffic."
+  }
 }
 
 variable "source_code_hash" {