Merge branch 'CD-246' of github.com:clouddrove/terraform-aws-security-group into CD-246

dhyanio · dhyanio · commit 49127921aa64 · 2020-10-02T16:15:53.000+05:30
diff --git a/README.yaml b/README.yaml
@@ -16,7 +16,7 @@ github_repo: clouddrove/terraform-aws-security-group
 # Badges to display
 badges:
   - name: "Terraform"
-    image: "https://img.shields.io/badge/Terraform-v0.12-green"
+    image: "https://img.shields.io/badge/terraform-v0.13-green"
     url: "https://www.terraform.io"
   - name: "Licence"
     image: "https://img.shields.io/badge/License-MIT-blue.svg"
@@ -44,6 +44,7 @@ usage : |-
       label_order   = ["environment", "application", "name"]
       vpc_id        = "vpc-xxxxxxxxx"
       allowed_ip    = ["172.16.0.0/16", "10.0.0.0/16"]
+      allowed_ipv6  = ["2405:201:5e00:3684:cd17:9397:5734:a167/128"]
       allowed_ports = [22, 27017]
     }
   ```
diff --git a/_example/example.tf b/_example/example.tf
@@ -25,5 +25,6 @@ module "security_group" {
   protocol      = "tcp"
   description   = "Instance default security group (only egress access is allowed)."
   allowed_ip    = ["172.16.0.0/16", "10.0.0.0/16"]
+  allowed_ipv6  = ["2405:201:5e00:3684:cd17:9397:5734:a167/128"]
   allowed_ports = [22, 27017]
 }
diff --git a/_example/outputs.tf b/_example/outputs.tf
@@ -6,4 +6,13 @@ output "tags" {
 output "security_group_ids" {
   value       = module.security_group.security_group_ids
   description = "A mapping of security group ids."
+}
+output "vpc_cidr_block" {
+  value       = module.vpc.vpc_cidr_block
+  description = "VPC IPV4 CIDR Block."
+}
+
+output "vpc_cidr_block_ipv6" {
+  value       = module.vpc.ipv6_cidr_block
+  description = "VPC IPV4 CIDR Block."
 }
diff --git a/main.tf b/main.tf
@@ -15,6 +15,7 @@ module "labels" {
   environment = var.environment
   managedby   = var.managedby
   label_order = var.label_order
+  enabled     = var.enable_security_group
 }
 
 locals {
@@ -49,8 +50,18 @@ resource "aws_security_group_rule" "egress" {
   from_port         = 0
   to_port           = 65535
   protocol          = "-1"
-  cidr_blocks       = var.choose_cidr_type == "ipv4" ? ["0.0.0.0/0"] : []
-  ipv6_cidr_blocks  = var.choose_cidr_type == "ipv6" ? ["2001:db8:1234:1a00::/64"] : []
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = join("", aws_security_group.default.*.id)
+  prefix_list_ids   = var.prefix_list
+}
+resource "aws_security_group_rule" "egress_ipv6" {
+  count = var.enable_security_group == true ? 1 : 0
+
+  type              = "egress"
+  from_port         = 0
+  to_port           = 65535
+  protocol          = "-1"
+  ipv6_cidr_blocks  = ["::/0"]
   security_group_id = join("", aws_security_group.default.*.id)
   prefix_list_ids   = var.prefix_list
 }
@@ -65,8 +76,17 @@ resource "aws_security_group_rule" "ingress" {
   from_port         = element(var.allowed_ports, count.index)
   to_port           = element(var.allowed_ports, count.index)
   protocol          = var.protocol
-  cidr_blocks       = var.choose_cidr_type == "ipv4" ? var.allowed_ip : []
-  ipv6_cidr_blocks  = var.choose_cidr_type == "ipv6" ? var.allowed_ip : []
+  cidr_blocks       = var.allowed_ip
+  security_group_id = join("", aws_security_group.default.*.id)
+}
+resource "aws_security_group_rule" "ingress_ipv6" {
+  count = local.enable_cidr_rules == true ? length(compact(var.allowed_ports)) : 0
+
+  type              = "ingress"
+  from_port         = element(var.allowed_ports, count.index)
+  to_port           = element(var.allowed_ports, count.index)
+  protocol          = var.protocol
+  ipv6_cidr_blocks  = var.allowed_ipv6
   security_group_id = join("", aws_security_group.default.*.id)
 }
 
diff --git a/variables.tf b/variables.tf
@@ -67,7 +67,11 @@ variable "allowed_ip" {
   default     = []
   description = "List of allowed ip."
 }
-
+variable "allowed_ipv6" {
+  type        = list
+  default     = []
+  description = "List of allowed ipv6."
+}
 variable "security_groups" {
   type        = list(string)
   default     = []
@@ -79,11 +83,6 @@ variable "protocol" {
   default     = "tcp"
   description = "The protocol. If not icmp, tcp, udp, or all use the."
 }
-variable "choose_cidr_type" {
-  type        = string
-  default     = "ipv6"
-  description = "Choose cidr block ipv4 vs ipv6(eg: 2001:db8:1234:1a00::/64) cidr block"
-}
 variable "prefix_list" {
   type        = list
   default     = []

Original file line number	Diff line number	Diff line change
`@@ -25,5 +25,6 @@ module "security_group" {`
`25`	`25`	`protocol = "tcp"`
`26`	`26`	`description = "Instance default security group (only egress access is allowed)."`
`27`	`27`	`allowed_ip = ["172.16.0.0/16", "10.0.0.0/16"]`
	`28`	`+ allowed_ipv6 = ["2405:201:5e00:3684:cd17:9397:5734:a167/128"]`
`28`	`29`	`allowed_ports = [22, 27017]`
`29`	`30`	`}`