Merge pull request #20 from terraform-modules/enable-ingress-egress

v1.1.0: enable ingress and egress networks to function
terraform-modules · Sep 15, 2021 · 0e44a66 · 0e44a66
2 parents 41b323e + 06bc7d1
commit 0e44a66
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 10 deletions.
diff --git a/web/CHANGELOG.md b/web/CHANGELOG.md
@@ -1,2 +1,5 @@
 # v1.0.0 -- 20210604
   - add module version, update tags
+
+# v1.1.0 -- 20210915
+  - enable use of ingress_networks and egress_networks for pre-defined port list
diff --git a/web/README.md b/web/README.md
@@ -19,6 +19,8 @@ module "web" {
   vpc_id = var.vpc_id
   ## optional
   # name = "m-web"
+  # ingress_networks = [ "1.2.3.0/24" ]
+  # egress_networks = [ "1.2.3.0/24" ]
 
   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
   # tags = { }
@@ -55,10 +57,10 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `"Web Security Group"` | no |
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) | `list(string)` | `[]` | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
-| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `"m-web"` | no |
 | <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"Web"` | no |

diff --git a/web/main.tf b/web/main.tf
@@ -20,6 +20,8 @@
 *   vpc_id = var.vpc_id
 *   ## optional
 *   # name = "m-web"
+*   # ingress_networks = [ "1.2.3.0/24" ]
+*   # egress_networks = [ "1.2.3.0/24" ]
 *
 *   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 *   # tags = { }
@@ -65,7 +67,7 @@ resource "aws_security_group" "this_security_group" {
       from_port   = p.value["from"]
       to_port     = p.value["to"]
       protocol    = p.value["proto"]
-      cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+      cidr_blocks = length(p.value["cidr"]) == 0 ? flatten(compact(concat(local.external_ingress_networks, var.ingress_networks))) : flatten(compact(concat(p.value["cidr"], var.ingress_networks)))
     }
   }
 
@@ -101,7 +103,7 @@ resource "aws_security_group" "this_security_group" {
     from_port   = 0
     to_port     = 0
     protocol    = -1
-    cidr_blocks = local.egress_networks
+    cidr_blocks = flatten(compact(concat(local.egress_networks, var.egress_networks)))
   }
 
   # egress security group ids (all)

diff --git a/web/ports.tf b/web/ports.tf
@@ -20,7 +20,6 @@ locals {
     [8443, 8443, "tcp", "Tomcat-https", local.n_census, ["external"]],
   ]
 
-  # these are ignored
   ingress_networks = var.ingress_networks
   egress_networks  = var.egress_networks
 

diff --git a/web/variables.tf b/web/variables.tf
@@ -46,15 +46,15 @@ variable "vpc_full_name" {
 }
 
 variable "ingress_networks" {
-  description = "List of ingress networks for external access (not all ports)"
+  description = "List of ingress networks for access (with all pre-defined ingress ports)"
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = []
 }
 
 variable "egress_networks" {
-  description = "List of egress networks (all ports)"
+  description = "List of egress networks (with all pre-defined egress ports)"
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = []
 }
 
 variable "ingress_security_groups" {

diff --git a/web/version.tf b/web/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.0"
+  _module_version = "1.1.0"
 }