From 0a1d9d73e35ada4370906d9f5f9c1395d9516c05 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 9 Dec 2024 13:49:46 -0500
Subject: [PATCH] fix

---
 rds-postgres/README.md | 16 ++++++++++++++++
 rds-postgres/main.tf | 18 +++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/rds-postgres/README.md b/rds-postgres/README.md
index e7378c5..9d62684 100644
--- a/rds-postgres/README.md
+++ b/rds-postgres/README.md
@@ -19,6 +19,22 @@ module "postgres" {
 ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 # tags = { }
 }
+
+## ingress_networks
+This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+There is a default set of CIDR blocks provided if this field is not populated. This is comprised of the
+Census networks:
+* 148.129.0.0/16: Census class B
+* 172.16.0.0/12: Census private class B
+* 192.168.0.0/16: Census private class C
+* 10.0.0.0/8: Censsu private class A
+
+Passing a null or empty list to this field will ignore the ingress setting on these networks.
+
+## ingress_prefix_list_names
+In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+Postgres. This will fail if the prefix list does not exist.
 ```
 ## Requirements
diff --git a/rds-postgres/main.tf b/rds-postgres/main.tf
index c74dae4..e0da91d 100644
--- a/rds-postgres/main.tf
+++ b/rds-postgres/main.tf
@@ -20,6 +20,22 @@
 * ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 * # tags = { }
 * }
+*
+* ## ingress_networks
+* This is the list of network CIDR blocks for inbound access to the ports defined for RDS Postgres.
+* There is a default set of CIDR blocks provided if this field is not populated. This is comprised of the
+* Census networks:
+* * 148.129.0.0/16: Census class B
+* * 172.16.0.0/12: Census private class B
+* * 192.168.0.0/16: Census private class C
+* * 10.0.0.0/8: Censsu private class A
+*
+* Passing a null or empty list to this field will ignore the ingress setting on these networks.
+*
+* ## ingress_prefix_list_names
+* In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+* will be looked up and the resultant IDs used in the security group for inbound port access to RDS
+* Postgres. This will fail if the prefix list does not exist.
 * ```
 */
@@ -54,7 +70,7 @@ resource "aws_security_group" "this_security_group" {
 # ingresss external port list (list + vpc if enabaled)
 dynamic "ingress" {
- for_each = var.ingress_networks != null ? local.port_map["external"] : toset([])
+ for_each = (var.ingress_networks != null && length(var.ingress_networks) > 0) ? local.port_map["external"] : toset([])
 iterator = p
 content {
 description = "${local.short_description}: ${p.value["description"]}"
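Review bot: The new guard `var.ingress_networks != null && length(var.ingress_networks) > 0` in the `-54,7 +70,7` hunk still evaluates `length()` on a null value, because Terraform's `&&` does not short-circuit in the versions I am aware of, so passing `null` — which the new README text and the comment in the `-20,6 +20,22` hunk explicitly allow — would most likely fail with an invalid-argument error rather than skip the ingress rules. A form that is safe either way is `for_each = try(length(var.ingress_networks), 0) > 0 ? local.port_map["external"] : toset([])`. Since both new doc blocks state the list is meant to carry Census-internal ranges, a `validation` block on the variable that rejects an unrestricted CIDR such as `0.0.0.0/0` would make that contract enforceable, assuming the variable and its default list live in variables.tf outside this patch. The `dynamic "ingress"` block and the enclosing `aws_security_group` resource continue past the hunk. The typo `Censsu` appears in both the README hunk and the main.tf comment hunk.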