fix

terraform-modules · Dec 9, 2024 · 982121d · 982121d
1 parent 0051f58
commit 982121d
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/rds-postgres/README.md b/rds-postgres/README.md
@@ -13,7 +13,8 @@ module "postgres" {
   vpc_id = var.vpc_id
   ## optional
   # name = "m-postgres-db"
-  # prefix_list_names = [ "rds-postgres.edl.project" ]
+  # ingress_prefix_list_names = [ "rds-postgres.edl.project" ]
+  # egress_prefix_list_names = [ ]
 
   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
   # tags = { }
@@ -42,7 +43,8 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [aws_ec2_managed_prefix_list.prefix_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -53,9 +55,11 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_description"></a> [description](#input\_description) | Security Group Description | `string` | `"RDS PostgreSQL Security Group"` | no |
 | <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_prefix_list_names "></a> [egress\_prefix\_list\_names ](#input\_egress\_prefix\_list\_names ) | List of prefix list names for eggress access | `list(string)` | `[]` | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_ingress_prefix_list_names"></a> [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Security Group Name | `string` | `"m-postgres-db"` | no |
 | <a name="input_short_description"></a> [short\_description](#input\_short\_description) | Security Group Short Description | `string` | `"PostgreSQL"` | no |

diff --git a/rds-postgres/main.tf b/rds-postgres/main.tf
@@ -14,7 +14,8 @@
 *   vpc_id = var.vpc_id
 *   ## optional
 *   # name = "m-postgres-db"
-*   # prefix_list_names = [ "rds-postgres.edl.project" ]
+*   # ingress_prefix_list_names = [ "rds-postgres.edl.project" ]
+*   # egress_prefix_list_names = [ ]
 *
 *   ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
 *   # tags = { }
@@ -67,15 +68,14 @@ resource "aws_security_group" "this_security_group" {
 
   # ingress with prefix lists
   ingress {
-    for_each = length(var.prefix_list_names) > 0 ? local.port_map["external"] : {}
+    for_each = length(var.ingress_prefix_list_names) > 0 ? local.port_map["external"] : {}
     iterator = p
     content {
       description     = "${local.short_description}: ${p.value["description"]}"
       from_port       = p.value["from"]
       to_port         = p.value["to"]
       protocol        = p.value["proto"]
-      cidr_blocks     = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
-      prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.prefix_list : pl.id]
+      prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.ingress : pl.id]
     }
   }
 
@@ -93,6 +93,7 @@ resource "aws_security_group" "this_security_group" {
     }
   }
 
+
   # ingress self (list with one or zero items)
   dynamic "ingress" {
     for_each = local.self
@@ -129,6 +130,19 @@ resource "aws_security_group" "this_security_group" {
     }
   }
 
+  # egress with prefix lists
+  dynamic "egress" {
+    for_each = length(var.egress_prefix_list_names) > 0 ? local.port_map["external"] : {}
+    iterator = p
+    content {
+      description     = "${local.short_description}: ${local.egress_sg_names[sg]}"
+      from_port       = 0
+      to_port         = 0
+      protocol        = -1
+      prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.egress : pl.id]
+    }
+  }
+
   tags = merge(
     var.tags,
     {

diff --git a/rds-postgres/variables.tf b/rds-postgres/variables.tf
@@ -77,3 +77,15 @@ variable "tags" {
     "Environment"    = "csvd-infrastructure"
   }
 }
+
+variable "ingress_prefix_list_names" {
+  description = "List of prefix list names for ingress access"
+  type        = list(string)
+  default     = []
+}
+
+variable "egress_prefix_list_names " {
+  description = "List of prefix list names for eggress access"
+  type        = list(string)
+  default     = []
+}