* 2.11.0 -- 2026-03-19

  - it-windows-base: refactor to use prefix lists and a YAML file

CHANGELOG.md

@@ -101,3 +101,5 @@
 * 2.10.0 -- 2026-03-03
   - rds-mysql: add prefix list capability
 
+* 2.11.0 -- 2026-03-19
+  - it-windows-base: refactor to use prefix lists and a YAML file

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.10.0"
+  _module_version = "2.11.0"
 }

it-windows-base/README.md

@@ -22,7 +22,7 @@
 
 | Name | Type |
 |------|------|
-| [aws_security_group.sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_vpc_security_group_egress_rule.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.cidr_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.prefix_lists](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |

it-windows-base/main.tf

@@ -18,31 +18,34 @@ locals {
 
 locals {
   _sg                     = yamldecode(file("${path.module}/ports.yml"))
-  sg                      = [merge(sg, { ingress_networks = flatten(distinct(compact(concat(local.ingress_networks, sg.vpc_cidr ? [data.aws_vpc.this_vpc.cidr_block] : [])))) })]
-  sg_ingress_prefix_lists = distinct(compact([for sgr in local.sg[0].ingress : try(sgr.prefix_list, null)]))
-  sg_egress_prefix_lists  = try(distinct(compact([for sgr in local.sg[0].egress : try(sgr.prefix_list, null)])), null)
-  sg_c1 = flatten([for k, v in local.sg : [for i in v.ingress : merge(i, {
-    key         = k,
-    label       = format("%v:%v:%v", k, i.from, i.proto)
-    cidr_blocks = try(i.cidr_blocks, null) == "%%INCOMING%%" ? local.ingress_networks : []
+  sg                      = merge(local._sg, { ingress_networks = flatten(distinct(compact(concat(local.ingress_networks, var.use_vpc_cidr ? [data.aws_vpc.this_vpc.cidr_block] : [])))) })
+  sg_ingress_prefix_lists = distinct(compact([for sgr in local.sg.ingress : try(sgr.prefix_list, null)]))
+  sg_egress_prefix_lists  = try(distinct(compact([for sgr in local.sg.egress : try(sgr.prefix_list, null)])), [])
+  sg_c1 = flatten([for i in local.sg.ingress : merge(i, {
+    key = local.sg.name,
+    #    label       = format("%v:%v:%v", local.sg.name, i.from, i.proto)
+    label = format("%v:%v:%v", i.from, i.to, i.proto)
+    #    cidr_blocks = try(i.cidr_blocks, null) == "%%INCOMING%%" ? local.ingress_networks : []
+    cidr_blocks = try(i.cidr_blocks, [])
     }
-  )]])
+  )])
   sg_cidr = flatten([for sg in local.sg_c1 : [for c in sg.cidr_blocks : merge(sg, {
     cidr_label = format("%v:%v", sg.label, c)
     cidr_block = c
     }
   )]])
-  sg_sg = flatten([for k, v in local.sg : [for i in try(v.ingress_security_groups, []) : merge(v, {
-    key                 = k,
-    label               = format("%v:%v", k, i)
+  sg_sg = flatten([for i in try(local.sg.ingress_security_groups, []) : merge(local.sg, {
+    key = local.sg.name,
+    #    label               = format("%v:%v", local.sg.name, i)
+    label               = i
     security_group_name = i
     }
-  )]])
+  )])
   sg_pl = flatten([for sg in local.sg_c1 : [for plk, plv in data.aws_ec2_managed_prefix_list.ingress : merge(sg, {
     prefix_list_label = format("%v:%v", sg.label, plk)
     prefix_list_id    = plv.id
-    }
-  )]])
+    }) if try(sg.prefix_list, null) == plk
+  ]])
 }
 
 data "aws_ec2_managed_prefix_list" "ingress" {
@@ -62,24 +65,29 @@ data "aws_ec2_managed_prefix_list" "egress" {
 }
 
 # create group with just egress. Add all ingress via secondary resource
-resource "aws_security_group" "sg" {
-  for_each    = local.sg
-  name        = format("%v-%v", var.name_prefix, each.key)
-  description = trimspace(format("%v %v", var.description_prefix, each.value.description))
+#resource "aws_security_group" "sg" {
+resource "aws_security_group" "this_security_group" {
+  #  for_each    = { for sg in local.sg: sg.name => sg }
+  #  name        = format("%v-%v", var.name_prefix, each.key)
+  name = local.sg.name
+  #  description = trimspace(format("%v %v", var.description_prefix, each.value.description))
+  description = trimspace(local.sg.description)
   vpc_id      = var.vpc_id
 
   tags = merge(
-    local.base_tags,
+    #    local.base_tags,
     var.tags,
-    { "Name" = format("sg-%v-%v", var.name_prefix, each.key) }
+    #    { "Name" = format("sg-%v-%v", var.name_prefix, each.key) }
+    { "Name" = format("sg-%v", local.sg.name) }
   )
 }
 
 # egress: all
 resource "aws_vpc_security_group_egress_rule" "all" {
-  for_each = { for k, v in local.sg : k => aws_security_group.sg[k].id }
+  #  for_each = { for k, v in local.sg : k => aws_security_group.this_security_group[k].id }
+  #  for_each = { for k, v in local.sg : k => aws_security_group.this_security_group.id }
 
-  security_group_id = each.value
+  security_group_id = aws_security_group.this_security_group.id
   description       = "ALL"
   ip_protocol       = -1
   #  cidr_block = local.egress_networks
@@ -89,7 +97,7 @@ resource "aws_vpc_security_group_egress_rule" "all" {
 
 # ingress: self
 resource "aws_vpc_security_group_ingress_rule" "self" {
-  for_each = { for k, v in local.sg : k => aws_security_group.sg[k].id if try(v.self, false) }
+  for_each = try(local.sg.self, false) ? { (local.sg.name) = aws_security_group.this_security_group.id } : {}
 
   security_group_id            = each.value
   description                  = "self"
@@ -101,17 +109,17 @@ resource "aws_vpc_security_group_ingress_rule" "self" {
 resource "aws_vpc_security_group_ingress_rule" "security_group" {
   for_each = { for x in local.sg_sg : x.label => x }
 
-  security_group_id            = aws_security_group.sg[each.value.key].id
+  security_group_id            = aws_security_group.this_security_group.id
   description                  = "self"
   ip_protocol                  = -1
-  referenced_security_group_id = aws_security_group.sg[each.value.security_group_name].id
+  referenced_security_group_id = aws_security_group.this_security_group.id
 }
 
 # ingress: by cidr_block
 resource "aws_vpc_security_group_ingress_rule" "cidr_block" {
   for_each = { for x in local.sg_cidr : x.cidr_label => x }
 
-  security_group_id = aws_security_group.sg[each.value.key].id
+  security_group_id = aws_security_group.this_security_group.id
   description       = each.value.short
   from_port         = each.value.from
   to_port           = each.value.to
@@ -123,7 +131,7 @@ resource "aws_vpc_security_group_ingress_rule" "cidr_block" {
 resource "aws_vpc_security_group_ingress_rule" "prefix_lists" {
   for_each = { for x in local.sg_pl : x.prefix_list_label => x }
 
-  security_group_id = aws_security_group.sg[each.value.key].id
+  security_group_id = aws_security_group.this_security_group.id
   description       = each.value.short
   from_port         = each.value.from
   to_port           = each.value.to

it-windows-base/ports.yml

@@ -19,24 +19,30 @@ ingress:
     to: -1
     proto: icmp
     short: "ICMP"
-    all: true
-  #  cidr_blocks: 0.0.0.0/0
+#    all: true
+    cidr_blocks:
+      - 0.0.0.0/0
   - from: 161
     to: 161
     proto: udp
     short: "SNMP"
-    all: true
-  #  cidr_blocks: 0.0.0.0/0
+  #  all: true
+    cidr_blocks:
+      - 0.0.0.0/0
   - from: 5201
     to: 5201
     proto: udp
     short: "iperf3"
-    all: true
+    # all: true
+    cidr_blocks: 
+      - 0.0.0.0/0
   - from: 5201
     to: 5201
     proto: tcp
     short: "iperf3"
-    all: true
+    # all: true
+    cidr_blocks: 
+      - 0.0.0.0/0
   - from: 1556
     to: 1556
     proto: tcp