From 091efce959845dcc93981910c19cbc4df3c6829e Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 3 Mar 2026 15:52:49 -0500
Subject: [PATCH] rds-mysql: add prefix list capability
---
 CHANGELOG.md | 4 +++
 common/README.md | 6 ++--
 common/version.tf | 2 +-
 common/versions.tf | 4 +--
 rds-mysql/README.md | 33 ++++++++++++++++++----
 rds-mysql/data.prefix_lists.tf | 1 +
 rds-mysql/main.tf | 44 +++++++++++++++++++++++++++++
 rds-mysql/variables.prefix_lists.tf | 1 +
 rds-mysql/version.tf | 4 +--
 9 files changed, 85 insertions(+), 14 deletions(-)
 create mode 120000 rds-mysql/data.prefix_lists.tf
 create mode 120000 rds-mysql/variables.prefix_lists.tf
 mode change 100644 => 120000 rds-mysql/version.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a242ad8..45b7e40 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -97,3 +97,7 @@
 - change the data resources for ingress and egress SG list to not try to look them up to get names if they include a /, like for ACCOUNT/SGID for a referenced SG
 - use the actual passed value in the name if it is a referenced SG
+
+* 2.10.0 -- 2026-03-03
+ - rds-mysql: add prefix list capability
+
diff --git a/common/README.md b/common/README.md
index 16f8b4c..f096f71 100644
--- a/common/README.md
+++ b/common/README.md
@@ -2,14 +2,14 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [terraform](#requirement\_terraform) | >= 1.10.0 |
+| [aws](#requirement\_aws) | >= 6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 6.0 |
 ## Modules
diff --git a/common/version.tf b/common/version.tf
index 345aa6e..a57e56b 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.9.0"
+ _module_version = "2.10.0"
 }
diff --git a/common/versions.tf b/common/versions.tf
index c126e81..5c3bd17 100644
--- a/common/versions.tf
+++ b/common/versions.tf
@@ -1,9 +1,9 @@
 terraform {
- required_version = ">= 1.0.0"
+ required_version = ">= 1.10.0"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 6.0"
 }
 }
 }
diff --git a/rds-mysql/README.md b/rds-mysql/README.md
index 4439a8d..3374982 100644
--- a/rds-mysql/README.md
+++ b/rds-mysql/README.md
@@ -13,23 +13,42 @@ module "mysql" {
 vpc_id = var.vpc_id
 ## optional
 # name = "m-mysql-db"
+ # ingress_prefix_list_names = [ "rds-postgres.edl.project" ]
+ # egress_prefix_list_names = [ ]
 ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 # tags = { }
 }
 ```
+## ingress\_networks
+This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+There is a default set of CIDR blocks provided if this field is not populated. This is comprised of the
+Census networks:
+* 148.129.0.0/16: Census class B
+* 172.16.0.0/12: Census private class B
+* 192.168.0.0/16: Census private class C
+* 10.0.0.0/8: Census private class A
+
+Passing a null or empty list to this field will ignore the ingress setting on these networks.
+
+## ingress\_prefix\_list\_names
+In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+Postgres. This will fail if the prefix list does not exist.
+
 ## Requirements
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.12 |
+| [terraform](#requirement\_terraform) | >= 1.10.0 |
+| [aws](#requirement\_aws) | >= 6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | n/a |
+| [aws](#provider\_aws) | >= 6.0 |
 ## Modules
@@ -40,6 +59,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -49,14 +70,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [description](#input\_description) | Security Group Description | `string` | `"MySQL Security Group"` | no |
-| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [egress\_prefix\_list\_names](#input\_egress\_prefix\_list\_names) | List of prefix list names for eggress access | `list(string)` | `[]` | no |
 | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
-| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no |
 | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
 | [name](#input\_name) | Security Group Name | `string` | `"m-mysql-db"` | no |
 | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"MySQL"` | no |
-| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no |
+| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no |
 | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
 | [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes |
diff --git a/rds-mysql/data.prefix_lists.tf b/rds-mysql/data.prefix_lists.tf
new file mode 120000
index 0000000..7a36e0b
--- /dev/null
+++ b/rds-mysql/data.prefix_lists.tf
@@ -0,0 +1 @@
+../common//data.prefix_lists.tf
\ No newline at end of file
diff --git a/rds-mysql/main.tf b/rds-mysql/main.tf
index 1a9e876..d13b7f1 100644
--- a/rds-mysql/main.tf
+++ b/rds-mysql/main.tf
@@ -14,11 +14,29 @@
 * vpc_id = var.vpc_id
 * ## optional
 * # name = "m-mysql-db"
+* # ingress_prefix_list_names = [ "rds-postgres.edl.project" ]
+* # egress_prefix_list_names = [ ]
 *
 * ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 * # tags = { }
 * }
 * ```
+*
+* ## ingress_networks
+* This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+* There is a default set of CIDR blocks provided if this field is not populated. This is comprised of the
+* Census networks:
+* * 148.129.0.0/16: Census class B
+* * 172.16.0.0/12: Census private class B
+* * 192.168.0.0/16: Census private class C
+* * 10.0.0.0/8: Census private class A
+*
+* Passing a null or empty list to this field will ignore the ingress setting on these networks.
+*
+* ## ingress_prefix_list_names
+* In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+* will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+* Postgres. This will fail if the prefix list does not exist.
 */
 data "aws_vpc" "this_vpc" {
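Review bot: The symlink target `../common//data.prefix_lists.tf` carries a doubled slash, while the sibling `rds-mysql/variables.prefix_lists.tf` added in this commit points at `../common/variables.prefix_lists.tf`; the new `rds-mysql/version.tf` link repeats the `//`. The path resolves on POSIX filesystems, so nothing breaks, but it reads as a typo and trips any tooling that compares link targets literally; `../common/data.prefix_lists.tf` is the consistent form. Because these are symlinks rather than copies, `rds-mysql` now only works when `common/` ships alongside it; if consumers ever fetch the subdirectory on its own, that dependency is worth a line in the module README.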
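Review bot: The new header comment in `rds-mysql/main.tf` says "the ports defined for RDS Postgres" and "inbound port access to RDS Postgres", and its usage example names the prefix list `rds-postgres.edl.project`, inside the module that builds the MySQL security group; this reads as a copy from the rds-postgres module and should name MySQL, e.g. `* This is the list of network CIDR blocks for inbound access to the ports defined for RDS MySQL.` The `ingress_networks` paragraph also states that an unpopulated field falls back to a default set of Census CIDR blocks, whereas the variables table in `rds-mysql/README.md` in this same commit shows the `ingress_networks` default as `["0.0.0.0/0"]`; one of the two is wrong, and since it documents an inbound default the comment should be made to match what `variables.tf` actually declares (not visible in this diff). The same text is duplicated in `rds-mysql/README.md`, so both copies need the correction.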
@@ -50,6 +68,19 @@ resource "aws_security_group" "this_security_group" {
 description = var.description
 vpc_id = var.vpc_id
+ # ingress with prefix lists
+ dynamic "ingress" {
+ for_each = length(var.ingress_prefix_list_names) > 0 ? local.port_map["external"] : toset([])
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.ingress : pl.id]
+ }
+ }
+
 # ingresss external port list (list + vpc if enabaled)
 dynamic "ingress" {
 for_each = local.port_map["external"]
@@ -111,6 +142,19 @@ resource "aws_security_group" "this_security_group" {
 }
 }
+ # egress with prefix lists
+ dynamic "egress" {
+ for_each = length(var.egress_prefix_list_names) > 0 ? { 1 = 1 } : {}
+ iterator = p
+ content {
+ description = "${local.short_description}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.egress : pl.id]
+ }
+ }
+
 tags = merge(
 var.tags,
 {
diff --git a/rds-mysql/variables.prefix_lists.tf b/rds-mysql/variables.prefix_lists.tf
new file mode 120000
index 0000000..86cbd3c
--- /dev/null
+++ b/rds-mysql/variables.prefix_lists.tf
@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf
\ No newline at end of file
diff --git a/rds-mysql/version.tf b/rds-mysql/version.tf
deleted file mode 100644
index fa2705b..0000000
--- a/rds-mysql/version.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-locals {
- _module_version = "1.0.0"
-}
diff --git a/rds-mysql/version.tf b/rds-mysql/version.tf
new file mode 120000
index 0000000..2b6c70e
--- /dev/null
+++ b/rds-mysql/version.tf
@@ -0,0 +1 @@
+../common//version.tf
\ No newline at end of file
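Review bot: The egress `for_each` in the new `dynamic "egress"` block, `length(var.egress_prefix_list_names) > 0 ? { 1 = 1 } : {}`, encodes "exactly one rule" as a one-entry map with a numeric key, which reads as a placeholder, and the `iterator = p` it declares is never referenced in that content block; the ingress block added in the first hunk uses `toset([])` for its empty case, so `toset(["all"]) : toset([])` with the unused iterator dropped would state the intent and keep the two blocks consistent. In the same content block `description = "${local.short_description}"` is a bare interpolation and can be `description = local.short_description`. Both `prefix_list_ids` expressions iterate `data.aws_ec2_managed_prefix_list.ingress`/`.egress`, which come from the symlinked `common/data.prefix_lists.tf` that is not in this diff; if that data source resolves by name, as the README text in this commit says, a plan fails when a name matches no list or more than one (prefix list names are not unique), so a one-line comment above each `prefix_list_ids` such as `# resolved by name in common/data.prefix_lists.tf; plan fails if a name is missing or ambiguous` would save the next reader a trip to `common/`. `resource "aws_security_group" "this_security_group"` begins and ends outside both hunks.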