From 092eb995377d3aeab7446112843497e00dfc5acd Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 2 Oct 2025 13:36:48 -0400
Subject: [PATCH] add prefix list to web

---
 CHANGELOG.md | 3 +++
 common/version.tf | 2 +-
 web/README.md | 17 ++++++++++++++---
 web/data.prefix_lists.tf | 1 +
 web/main.tf | 33 +++++++++++++++++++++++++++++++++
 web/variables.prefix_lists.tf | 1 +
 web/variables.tf | 2 +-
 7 files changed, 54 insertions(+), 5 deletions(-)
 create mode 120000 web/data.prefix_lists.tf
 create mode 120000 web/variables.prefix_lists.tf

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4af48d9..6b777f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -85,3 +85,6 @@
 * 2.7.0 -- 2025-08-26
   - custom: add prefix list capability
+
+* 2.8.0 -- 2025-10-02
+  - web: add prefix list capability
diff --git a/common/version.tf b/common/version.tf
index 2499cf3..4baf91e 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.7.0"
+  _module_version = "2.8.0"
 }
diff --git a/web/README.md b/web/README.md
index 14206dd..4bd9f9b 100644
--- a/web/README.md
+++ b/web/README.md
@@ -21,23 +21,30 @@ module "web" { # name = "m-web" # ingress_networks = [ "1.2.3.0/24" ] # egress_networks = [ "1.2.3.0/24" ] + # ingress_prefix_list_names = [ "onprem-networks.core" ] + # egress_prefix_list_names = [ ] ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden # tags = { } } ``` +## ingress\_prefix\_list\_names +In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists +will be looked up and the resultant IDs used in the security group for inbound port access to port +443 (https). This will fail if the prefix list does not exist. ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12 | +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 5.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | >= 5.0 | ## Modules @@ -48,6 +55,8 @@ No modules. | Name | Type | |------|------| | [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | +| [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source | | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | 
@@ -58,13 +67,15 @@ No modules. |------|-------------|------|---------|:--------:| | [description](#input\_description) | Security Group Description | `string` | `"Web Security Group"` | no | | [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no | +| [egress\_prefix\_list\_names](#input\_egress\_prefix\_list\_names) | List of prefix list names for eggress access | `list(string)` | `[]` | no | | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no | | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no | | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no | +| [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no | | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no | | [name](#input\_name) | Security Group Name | `string` | `"m-web"` | no | | [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Web"` | no | -| [tags](#input\_tags) | Extra security group tags | `map` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | +| [tags](#input\_tags) | Extra security group tags | `map(any)` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "csvd-infrastructure"
}
| no | | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no | | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID Number | `string` | n/a | yes | diff --git a/web/data.prefix_lists.tf b/web/data.prefix_lists.tf new file mode 120000 index 0000000..08df656 --- /dev/null +++ b/web/data.prefix_lists.tf @@ -0,0 +1 @@ +../common/data.prefix_lists.tf \ No newline at end of file diff --git a/web/main.tf b/web/main.tf index 38dee58..89b52da 100644 --- a/web/main.tf +++ b/web/main.tf @@ -22,11 +22,17 @@ * # name = "m-web" * # ingress_networks = [ "1.2.3.0/24" ] * # egress_networks = [ "1.2.3.0/24" ] +* # ingress_prefix_list_names = [ "onprem-networks.core" ] +* # egress_prefix_list_names = [ ] * * ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden * # tags = { } * } * ``` +* ## ingress_prefix_list_names +* In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists +* will be looked up and the resultant IDs used in the security group for inbound port access to port +* 443 (https). This will fail if the prefix list does not exist. */ data "aws_vpc" "this_vpc" { @@ -97,6 +103,20 @@ resource "aws_security_group" "this_security_group" { } } + # ingress with prefix lists + dynamic "ingress" { + for_each = length(var.ingress_prefix_list_names) > 0 ? local.port_map["external"] : toset([]) + iterator = p + content { + description = "${local.short_description}: ${p.value["description"]}" + from_port = p.value["from"] + to_port = p.value["to"] + protocol = p.value["proto"] + prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.ingress : pl.id] + } + } + + # egress all egress { description = "${local.short_description}: All" 
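Review bot: The added header comment in main.tf promises inbound access "to port 443 (https)", but the new `dynamic "ingress"` block iterates every entry of `local.port_map["external"]`, so the prefix-list rule covers whatever ports that map defines; `port_map` is not in this hunk, and if it holds more than 443 the comment understates what the named prefix lists are granted. I would word it as `* will be looked up and the resultant IDs used in the security group for inbound access on the pre-defined external ingress ports.` and add one sentence noting that the rule pins the prefix list ID, so later edits to the list's entries change what is allowed without a Terraform apply (presumably the intended behaviour, worth stating for whoever maintains the list). The same sentence is duplicated in the README hunk and should be kept in step. The enclosing `aws_security_group.this_security_group` resource starts before and ends after this hunk.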
@@ -119,6 +139,19 @@ resource "aws_security_group" "this_security_group" { } } + # egress with prefix lists + dynamic "egress" { + for_each = length(var.egress_prefix_list_names) > 0 ? { 1 = 1 } : {} + iterator = p + content { + description = local.short_description + from_port = 0 + to_port = 0 + protocol = -1 + prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.egress : pl.id] + } + } + tags = merge( var.tags, { diff --git a/web/variables.prefix_lists.tf b/web/variables.prefix_lists.tf new file mode 120000 index 0000000..86cbd3c --- /dev/null +++ b/web/variables.prefix_lists.tf @@ -0,0 +1 @@ +../common/variables.prefix_lists.tf \ No newline at end of file diff --git a/web/variables.tf b/web/variables.tf index e80bb6b..ab2ad7b 100644 --- a/web/variables.tf +++ b/web/variables.tf @@ -71,7 +71,7 @@ variable "egress_security_groups" { variable "tags" { description = "Extra security group tags" - type = map + type = map(any) default = { "CostAllocation" = "csvd:infrastructure" "Environment" = "csvd-infrastructure"
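Review bot: The new prefix-list egress rule's `description = local.short_description` drops the `: All` suffix that the neighbouring `# egress all` rule uses, so two all-ports/all-protocols egress rules on the same group become hard to tell apart when reviewing the group; `description = "${local.short_description}: All (prefix lists)"` keeps the established pattern while naming the source. The `{ 1 = 1 } : {}` placeholder map driving `for_each` is opaque to a reader; a comment such as `# one egress block whenever any egress prefix list names are given` would say why it is there. The enclosing resource block starts before and ends after this hunk.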