rds-mysql: add prefix list capability

CHANGELOG.md

@@ -97,3 +97,7 @@
     - change the data resources for ingress and egress SG list to not try to look them up to get names if they
       include a /, like for ACCOUNT/SGID for a referenced SG
     - use the actual passed value in the name if it is a referenced SG
+
+* 2.10.0 -- 2026-03-03
+  - rds-mysql: add prefix list capability
+

common/README.md

@@ -2,14 +2,14 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.9.0"
+  _module_version = "2.10.0"
 }

common/versions.tf

@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 1.0.0"
+  required_version = ">= 1.10.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.0"
     }
   }
 }

rds-mysql/README.md

@@ -13,23 +13,42 @@ module "mysql" {
   vpc_id = var.vpc_id
   ## optional
   # name = "m-mysql-db"
+  # ingress_prefix_list_names = [ "rds-postgres.edl.project" ]
+  # egress_prefix_list_names = [ ]
 
   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
   # tags = { }
 }
 ```
 
+## ingress\_networks
+This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+There is a default set of CIDR blocks provided if this field is not populated.  This is comprised of the
+Census networks:
+* 148.129.0.0/16: Census class B
+* 172.16.0.0/12: Census private class B
+* 192.168.0.0/16: Census private class C
+* 10.0.0.0/8: Census private class A
+
+Passing a null or empty list to this field will ignore the ingress setting on these networks.
+
+## ingress\_prefix\_list\_names
+In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+Postgres.  This will fail if the prefix list does not exist.
+
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 
@@ -40,6 +59,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -49,14 +70,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `"MySQL Security Group"` | no |
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_egress_prefix_list_names"></a> [egress\_prefix\_list\_names](#input\_egress\_prefix\_list\_names) | List of prefix list names for eggress access | `list(string)` | `[]` | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
-| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_ingress_prefix_list_names"></a> [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `"m-mysql-db"` | no |
 | <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MySQL"` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | <pre>{<br>  "CostAllocation": "csvd:infrastructure",<br>  "Environment": "csvd-infrastructure"<br>}</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | <pre>{<br/>  "CostAllocation": "csvd:infrastructure",<br/>  "Environment": "csvd-infrastructure"<br/>}</pre> | no |
 | <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |

rds-mysql/data.prefix_lists.tf

@@ -0,0 +1 @@
+../common//data.prefix_lists.tf

rds-mysql/main.tf

@@ -14,11 +14,29 @@
 *   vpc_id = var.vpc_id
 *   ## optional
 *   # name = "m-mysql-db"
+*   # ingress_prefix_list_names = [ "rds-postgres.edl.project" ]
+*   # egress_prefix_list_names = [ ]
 *
 *   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 *   # tags = { }
 * }
 * ```
+*
+* ## ingress_networks
+* This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+* There is a default set of CIDR blocks provided if this field is not populated.  This is comprised of the
+* Census networks:
+* * 148.129.0.0/16: Census class B
+* * 172.16.0.0/12: Census private class B
+* * 192.168.0.0/16: Census private class C
+* * 10.0.0.0/8: Census private class A
+*
+* Passing a null or empty list to this field will ignore the ingress setting on these networks.
+*
+* ## ingress_prefix_list_names
+* In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+* will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+* Postgres.  This will fail if the prefix list does not exist.
 */
 
 data "aws_vpc" "this_vpc" {
@@ -50,6 +68,19 @@ resource "aws_security_group" "this_security_group" {
   description = var.description
   vpc_id      = var.vpc_id
 
+  # ingress with prefix lists
+  dynamic "ingress" {
+    for_each = length(var.ingress_prefix_list_names) > 0 ? local.port_map["external"] : toset([])
+    iterator = p
+    content {
+      description     = "${local.short_description}: ${p.value["description"]}"
+      from_port       = p.value["from"]
+      to_port         = p.value["to"]
+      protocol        = p.value["proto"]
+      prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.ingress : pl.id]
+    }
+  }
+
   # ingresss external port list (list + vpc if enabaled)
   dynamic "ingress" {
     for_each = local.port_map["external"]
@@ -111,6 +142,19 @@ resource "aws_security_group" "this_security_group" {
     }
   }
 
+  # egress with prefix lists
+  dynamic "egress" {
+    for_each = length(var.egress_prefix_list_names) > 0 ? { 1 = 1 } : {}
+    iterator = p
+    content {
+      description     = "${local.short_description}"
+      from_port       = 0
+      to_port         = 0
+      protocol        = -1
+      prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.egress : pl.id]
+    }
+  }
+
   tags = merge(
     var.tags,
     {

rds-mysql/variables.prefix_lists.tf

@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf

rds-mysql/version.tf

@@ -0,0 +1 @@
+../common//version.tf