Merge branch 'CD-246' of github.com:clouddrove/terraform-aws-security-group into CD-246

dhyanio · dhyanio · commit 6d4d92993c88 · 2020-10-21T18:14:34.000+05:30
diff --git a/_example/example.tf b/_example/example.tf
@@ -23,5 +23,6 @@ module "security_group" {
   protocol      = "tcp"
   description   = "Instance default security group (only egress access is allowed)."
   allowed_ip    = ["172.16.0.0/16", "10.0.0.0/16"]
+  allowed_ipv6  = ["2405:201:5e00:3684:cd17:9397:5734:a167/128"]
   allowed_ports = [22, 27017]
-}
+}
diff --git a/main.tf b/main.tf
@@ -22,6 +22,7 @@ locals {
   enable_cidr_rules              = var.enable_security_group && (length(var.allowed_ip) > 0)
   enable_source_sec_group_rules  = var.enable_security_group && (length(var.security_groups) > 0)
   ports_source_sec_group_product = setproduct(compact(var.allowed_ports), compact(var.security_groups))
+  enable_cidr_rules_ipv6         = var.enable_security_group && (length(var.allowed_ipv6) > 0)
 }
 
 #Module      : SECURITY GROUP
@@ -52,7 +53,17 @@ resource "aws_security_group_rule" "egress" {
   cidr_blocks       = ["0.0.0.0/0"]
   security_group_id = join("", aws_security_group.default.*.id)
 }
+resource "aws_security_group_rule" "egress_ipv6" {
+  count = var.enable_security_group == true && local.enable_cidr_rules_ipv6 == true ? length(compact(var.allowed_ports)) : 0
 
+  type              = "egress"
+  from_port         = 0
+  to_port           = 65535
+  protocol          = "-1"
+  ipv6_cidr_blocks  = ["::/0"]
+  security_group_id = join("", aws_security_group.default.*.id)
+  prefix_list_ids   = var.prefix_list
+}
 #Module      : SECURITY GROUP RULE FOR INGRESS
 #Description : Provides a security group rule resource. Represents a single ingress
 #              group rule, which can be added to external Security Groups.
@@ -66,6 +77,16 @@ resource "aws_security_group_rule" "ingress" {
   cidr_blocks       = var.allowed_ip
   security_group_id = join("", aws_security_group.default.*.id)
 }
+resource "aws_security_group_rule" "ingress_ipv6" {
+  count = var.enable_security_group == true && local.enable_cidr_rules_ipv6 == true ? length(compact(var.allowed_ports)) : 0
+
+  type              = "ingress"
+  from_port         = element(var.allowed_ports, count.index)
+  to_port           = element(var.allowed_ports, count.index)
+  protocol          = var.protocol
+  ipv6_cidr_blocks  = var.allowed_ipv6
+  security_group_id = join("", aws_security_group.default.*.id)
+}
 
 resource "aws_security_group_rule" "ingress_sg" {
   count = local.enable_source_sec_group_rules == true ? length(local.ports_source_sec_group_product) : 0
diff --git a/variables.tf b/variables.tf
@@ -78,4 +78,14 @@ variable "protocol" {
   type        = string
   default     = "tcp"
   description = "The protocol. If not icmp, tcp, udp, or all use the."
+}
+variable "allowed_ipv6" {
+  type        = list
+  default     = []
+  description = "List of allowed ipv6."
+}
+variable "prefix_list" {
+  type        = list
+  default     = []
+  description = "List of prefix list IDs (for allowing access to VPC endpoints)Only valid with egress"
 }
diff --git a/versions.tf b/versions.tf
@@ -3,7 +3,8 @@ terraform {
   required_version = ">= 0.12.0, < 0.14.0"
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
+      version = "3.10.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,8 @@ terraform {`
`3`	`3`	`required_version = ">= 0.12.0, < 0.14.0"`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`		`- source = "hashicorp/aws"`
	`6`	`+ source = "hashicorp/aws"`
	`7`	`+ version = "3.10.0"`
`7`	`8`	`}`
`8`	`9`	`}`
`9`	`10`	`}`