pull out prefix lists var and data to their own files

terraform-modules · Mar 13, 2025 · c03adb0 · c03adb0
1 parent a00112a
commit c03adb0
Show file tree

Hide file tree

Showing 16 changed files with 76 additions and 105 deletions.
diff --git a/common/README.md b/common/README.md
@@ -22,6 +22,8 @@ No modules.
 | [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
@@ -31,16 +33,18 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_egress_prefix_list_names"></a> [egress\_prefix\_list\_names](#input\_egress\_prefix\_list\_names) | List of prefix list names for eggress access | `list(string)` | `[]` | no |
 | <a name="input_egress_security_groups"></a> [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | <a name="input_enable_default_egress"></a> [enable\_default\_egress](#input\_enable\_default\_egress) | Enable\|Disable default egress of ALL | `bool` | `true` | no |
 | <a name="input_enable_self"></a> [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
 | <a name="input_ingress_port_list"></a> [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
-| <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>    cidr        = list(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_ingress_port_map"></a> [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) | <pre>list(object({<br/>    from        = number<br/>    to          = number<br/>    proto       = any<br/>    description = string<br/>    cidr        = list(string)<br/>  }))</pre> | `[]` | no |
+| <a name="input_ingress_prefix_list_names"></a> [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no |
 | <a name="input_ingress_security_groups"></a> [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
 | <a name="input_ingress_self_port_list"></a> [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | `[]` | no |
-| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br>    from        = number<br>    to          = number<br>    proto       = any<br>    description = string<br>  }))</pre> | `[]` | no |
+| <a name="input_ingress_self_port_map"></a> [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description | <pre>list(object({<br/>    from        = number<br/>    to          = number<br/>    proto       = any<br/>    description = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |
 | <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |

diff --git a/common/data.prefix_lists.tf b/common/data.prefix_lists.tf
@@ -0,0 +1,15 @@
+data "aws_ec2_managed_prefix_list" "ingress" {
+  for_each = toset(var.ingress_prefix_list_names)
+  filter {
+    name   = "prefix-list-name"
+    values = [each.key]
+  }
+}
+
+data "aws_ec2_managed_prefix_list" "egress" {
+  for_each = toset(var.egress_prefix_list_names)
+  filter {
+    name   = "prefix-list-name"
+    values = [each.key]
+  }
+}
diff --git a/common/variables.prefix_lists.tf b/common/variables.prefix_lists.tf
@@ -0,0 +1,12 @@
+variable "ingress_prefix_list_names" {
+  description = "List of prefix list names for ingress access"
+  type        = list(string)
+  default     = []
+}
+
+variable "egress_prefix_list_names" {
+  description = "List of prefix list names for eggress access"
+  type        = list(string)
+  default     = []
+}
+
diff --git a/emr/README.md b/emr/README.md
@@ -127,6 +127,7 @@ No modules.
 | [aws_vpc_security_group_ingress_rule.prefix_lists](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
@@ -136,8 +137,9 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_description_prefix"></a> [description\_prefix](#input\_description\_prefix) | Security Group Description Prefix | `string` | `"Security Group"` | no |
 | <a name="input_egress_networks"></a> [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_egress_prefix_list_names"></a> [egress\_prefix\_list\_names](#input\_egress\_prefix\_list\_names) | List of prefix list names for eggress access | `list(string)` | `[]` | no |
 | <a name="input_ingress_networks"></a> [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports). Use null to disable built-in settings | `list(string)` | `[]` | no |
-| <a name="input_ingress_prefix_list_names"></a> [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | <pre>[<br/>  "all-networks.core"<br/>]</pre> | no |
+| <a name="input_ingress_prefix_list_names"></a> [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Security Group Name Prefix | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags | `map(any)` | <pre>{<br/>  "CostAllocation": "csvd:infrastructure",<br/>  "Environment": "infrastructure"<br/>}</pre> | no |
 | <a name="input_use_vpc_cidr"></a> [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |

diff --git a/emr/data.prefix_lists.tf b/emr/data.prefix_lists.tf
diff --git a/emr/data.prefix_lists.tf b/emr/data.prefix_lists.tf
@@ -0,0 +1 @@
+../common/data.prefix_lists.tf
diff --git a/emr/variables.prefix_lists.tf b/emr/variables.prefix_lists.tf
@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf
diff --git a/emr/variables.tf b/emr/variables.tf
@@ -61,15 +61,3 @@ variable "tags" {
     "Environment"    = "infrastructure"
   }
 }
-
-variable "ingress_prefix_list_names" {
-  description = "List of prefix list names for ingress access"
-  type        = list(string)
-  default     = ["all-networks.core"]
-}
-
-## variable "egress_prefix_list_names" {
-##   description = "List of prefix list names for eggress access"
-##   type        = list(string)
-##   default     = []
-## }
diff --git a/pf.txt b/pf.txt
@@ -0,0 +1,33 @@
+*   # ingress_prefix_list_names = [ "wifi-networks.core", "vpn-networks.core" ]
+*   # egress_prefix_list_names = [ ]
+*
+* ## ingress_prefix_list_names
+* In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+* will be looked up and the resultant IDs used in the security group for inbound port access to Redshift. 
+* This will fail if the prefix list does not exist.
+
+  # ingress with prefix lists
+  dynamic "ingress" {
+    for_each = length(var.ingress_prefix_list_names) > 0 ? local.port_map["external"] : toset([])
+    iterator = p
+    content {
+      description     = "${local.short_description}: ${p.value["description"]}"
+      from_port       = p.value["from"]
+      to_port         = p.value["to"]
+      protocol        = p.value["proto"]
+      prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.ingress : pl.id]
+    }
+  }
+
+  # egress with prefix lists
+  dynamic "egress" {
+    for_each = length(var.egress_prefix_list_names) > 0 ? { 1 = 1 } : {}
+    iterator = p
+    content {
+      description     = "${local.short_description}"
+      from_port       = 0
+      to_port         = 0
+      protocol        = -1
+      prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.egress : pl.id]
+    }
+  }
diff --git a/rds-postgres/data.prefix_lists.tf b/rds-postgres/data.prefix_lists.tf
diff --git a/rds-postgres/data.prefix_lists.tf b/rds-postgres/data.prefix_lists.tf
@@ -0,0 +1 @@
+../common/data.prefix_lists.tf
diff --git a/rds-postgres/main.tf b/rds-postgres/main.tf
@@ -44,16 +44,6 @@ data "aws_vpc" "this_vpc" {
   id    = var.vpc_id
 }
 
-## data "aws_security_group" "ingress_security_groups" {
-##   for_each = toset(var.ingress_security_groups))
-##   id    = each.key
-## }
-## 
-## data "aws_security_group" "egress_security_groups" {
-##   for_each = toset(var.egress_security_groups)
-##   id    = each.key
-## }
-
 locals {
   vpc_networks              = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
   external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))

diff --git a/rds-postgres/variables.prefix_lists.tf b/rds-postgres/variables.prefix_lists.tf
@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf
diff --git a/rds-postgres/variables.tf b/rds-postgres/variables.tf
@@ -77,15 +77,3 @@ variable "tags" {
     "Environment"    = "csvd-infrastructure"
   }
 }
-
-variable "ingress_prefix_list_names" {
-  description = "List of prefix list names for ingress access"
-  type        = list(string)
-  default     = []
-}
-
-variable "egress_prefix_list_names" {
-  description = "List of prefix list names for eggress access"
-  type        = list(string)
-  default     = []
-}
diff --git a/redshift/data.prefix_lists.tf b/redshift/data.prefix_lists.tf
diff --git a/redshift/data.prefix_lists.tf b/redshift/data.prefix_lists.tf
@@ -0,0 +1 @@
+../common/data.prefix_lists.tf
diff --git a/redshift/main.tf b/redshift/main.tf
@@ -44,16 +44,6 @@ data "aws_vpc" "this_vpc" {
   id    = var.vpc_id
 }
 
-## data "aws_security_group" "ingress_security_groups" {
-##   for_each = toset(var.ingress_security_groups))
-##   id    = each.key
-## }
-## 
-## data "aws_security_group" "egress_security_groups" {
-##   for_each = toset(var.egress_security_groups)
-##   id    = each.key
-## }
-
 locals {
   vpc_networks              = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
   external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))

diff --git a/redshift/variables.prefix_lists.tf b/redshift/variables.prefix_lists.tf
@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf
diff --git a/redshift/variables.tf b/redshift/variables.tf
@@ -77,15 +77,3 @@ variable "tags" {
     "Environment"    = "csvd-infrastructure"
   }
 }
-
-variable "ingress_prefix_list_names" {
-  description = "List of prefix list names for ingress access"
-  type        = list(string)
-  default     = []
-}
-
-variable "egress_prefix_list_names" {
-  description = "List of prefix list names for eggress access"
-  type        = list(string)
-  default     = []
-}