fix

terraform-modules · Dec 9, 2024 · 0a1d9d7 · 0a1d9d7
1 parent 9c37c6b
commit 0a1d9d7
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/rds-postgres/README.md b/rds-postgres/README.md
@@ -19,6 +19,22 @@ module "postgres" {
   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
   # tags = { }
 }
+
+## ingress_networks
+This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+There is a default set of CIDR blocks provided if this field is not populated.  This is comprised of the
+Census networks:
+* 148.129.0.0/16: Census class B
+* 172.16.0.0/12: Census private class B
+* 192.168.0.0/16: Census private class C
+* 10.0.0.0/8: Censsu private class A
+
+Passing a null or empty list to this field will ignore the ingress setting on these networks.
+
+## ingress_prefix_list_names
+In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+Postgres.  This will fail if the prefix list does not exist.
 ```
 
 ## Requirements

diff --git a/rds-postgres/main.tf b/rds-postgres/main.tf
@@ -20,6 +20,22 @@
 *   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 *   # tags = { }
 * }
+*
+* ## ingress_networks
+* This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+* There is a default set of CIDR blocks provided if this field is not populated.  This is comprised of the
+* Census networks:
+* * 148.129.0.0/16: Census class B
+* * 172.16.0.0/12: Census private class B
+* * 192.168.0.0/16: Census private class C
+* * 10.0.0.0/8: Censsu private class A
+*
+* Passing a null or empty list to this field will ignore the ingress setting on these networks.
+*
+* ## ingress_prefix_list_names
+* In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+* will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+* Postgres.  This will fail if the prefix list does not exist.
 * ```
 */
 
@@ -54,7 +70,7 @@ resource "aws_security_group" "this_security_group" {
 
   # ingresss external port list (list + vpc if enabaled)
   dynamic "ingress" {
-    for_each = var.ingress_networks != null ? local.port_map["external"] : toset([])
+    for_each = (var.ingress_networks != null && length(var.ingress_networks) > 0) ? local.port_map["external"] : toset([])
     iterator = p
     content {
       description = "${local.short_description}: ${p.value["description"]}"