diff --git a/common/README.md b/common/README.md
index 35d5e5f..e3e1098 100644
--- a/common/README.md
+++ b/common/README.md
@@ -22,6 +22,8 @@ No modules.
 | [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
+| [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
@@ -31,16 +33,18 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [egress\_networks](#input\_egress\_networks) | List of egress networks (with all pre-defined egress ports) (default: any) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [egress\_prefix\_list\_names](#input\_egress\_prefix\_list\_names) | List of prefix list names for eggress access | `list(string)` | `[]` | no |
 | [egress\_security\_groups](#input\_egress\_security\_groups) | List of egress security groups (all ports) | `list(string)` | `[]` | no |
 | [enable\_default\_egress](#input\_enable\_default\_egress) | Enable\|Disable default egress of ALL | `bool` | `true` | no |
 | [enable\_self](#input\_enable\_self) | Enable\|Disable self full access | `bool` | `false` | no |
 | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for access (with all pre-defined ingress ports) | `list(string)` | `[]` | no |
 | [ingress\_port\_list](#input\_ingress\_port\_list) | Ingress port list of 5-tuple: from, to, proto, description, and cidr(list) | `list` | `[]` | no |
-| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no |
+| [ingress\_port\_map](#input\_ingress\_port\_map) | Ingress port list of objects: from, to, proto, description and cidr(list) |
list(object({
from = number
to = number
proto = any
description = string
cidr = list(string)
}))
| `[]` | no |
+| [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no |
 | [ingress\_security\_groups](#input\_ingress\_security\_groups) | List of ingress security groups for all ports | `list(string)` | `[]` | no |
 | [ingress\_self\_port\_list](#input\_ingress\_self\_port\_list) | Ingress port list of 4-tuple: from, to, proto, description | `list` | `[]` | no |
-| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no |
+| [ingress\_self\_port\_map](#input\_ingress\_self\_port\_map) | Ingress self access port list of objects: from, to, proto, description |
list(object({
from = number
to = number
proto = any
description = string
}))
| `[]` | no |
 | [tags](#input\_tags) | Extra security group tags | `map` | `{}` | no |
 | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
 | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC Name | `string` | `""` | no |
diff --git a/common/data.prefix_lists.tf b/common/data.prefix_lists.tf
new file mode 100644
index 0000000..23af189
--- /dev/null
+++ b/common/data.prefix_lists.tf
@@ -0,0 +1,15 @@
+data "aws_ec2_managed_prefix_list" "ingress" {
+ for_each = toset(var.ingress_prefix_list_names)
+ filter {
+ name = "prefix-list-name"
+ values = [each.key]
+ }
+}
+
+data "aws_ec2_managed_prefix_list" "egress" {
+ for_each = toset(var.egress_prefix_list_names)
+ filter {
+ name = "prefix-list-name"
+ values = [each.key]
+ }
+}
diff --git a/common/variables.prefix_lists.tf b/common/variables.prefix_lists.tf
new file mode 100644
index 0000000..7c25043
--- /dev/null
+++ b/common/variables.prefix_lists.tf
@@ -0,0 +1,12 @@
+variable "ingress_prefix_list_names" {
+ description = "List of prefix list names for ingress access"
+ type = list(string)
+ default = []
+}
+
+variable "egress_prefix_list_names" {
+ description = "List of prefix list names for eggress access"
+ type = list(string)
+ default = []
+}
+
diff --git a/emr/README.md b/emr/README.md
index af9540a..a456da7 100644
--- a/emr/README.md
+++ b/emr/README.md
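Review bot: Both lookups in common/data.prefix_lists.tf select a list by `prefix-list-name` alone, so the CIDRs that end up in the security group are whatever list currently carries that name in the account, including lists shared into it from elsewhere; as I read the provider docs, a duplicate name makes the plan fail rather than pick one, but the rules should say which list is meant. If the lists are expected to be owned by the deploying account, pinning the owner narrows the match, e.g. adding `filter { name = "owner-id" values = [data.aws_caller_identity.current.account_id] }` to each block (common declares `aws_caller_identity.current` per its README; the modules that symlink this file would need the same data source in scope). A one-line header comment stating that each name must resolve to exactly one list and that a missing list fails the plan would also help, since the only note to that effect in this diff lives in pf.txt.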
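Review bot: The description on the new `egress_prefix_list_names` variable, `description = "List of prefix list names for eggress access"`, carries a typo that this commit now copies into the common and emr READMEs; `egress` is meant. The shared default also changes emr's behaviour silently: emr/variables.tf previously defaulted `ingress_prefix_list_names` to `["all-networks.core"]`, this diff removes that, and the symlinked file defaults to `[]`, so emr callers that relied on the old default lose that ingress rule unless they now pass the name explicitly, which deserves a sentence in the description or the changelog. It would also help to state in each description what port scope a prefix list is granted, since the neighbouring inputs do (`egress_security_groups` says "(all ports)") and these do not.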
@@ -127,6 +127,7 @@ No modules.
 | [aws_vpc_security_group_ingress_rule.prefix_lists](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_ec2_managed_prefix_list.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_ec2_managed_prefix_list.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -136,8 +137,9 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [description\_prefix](#input\_description\_prefix) | Security Group Description Prefix | `string` | `"Security Group"` | no |
 | [egress\_networks](#input\_egress\_networks) | List of egress networks (all ports) | `list(string)` |
[
"0.0.0.0/0"
]
| no |
+| [egress\_prefix\_list\_names](#input\_egress\_prefix\_list\_names) | List of prefix list names for eggress access | `list(string)` | `[]` | no |
 | [ingress\_networks](#input\_ingress\_networks) | List of ingress networks for external access (not all ports). Use null to disable built-in settings | `list(string)` | `[]` | no |
-| [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` |
[
"all-networks.core"
]
| no |
+| [ingress\_prefix\_list\_names](#input\_ingress\_prefix\_list\_names) | List of prefix list names for ingress access | `list(string)` | `[]` | no |
 | [name\_prefix](#input\_name\_prefix) | Security Group Name Prefix | `string` | n/a | yes |
 | [tags](#input\_tags) | Tags | `map(any)` |
{
"CostAllocation": "csvd:infrastructure",
"Environment": "infrastructure"
}
| no |
 | [use\_vpc\_cidr](#input\_use\_vpc\_cidr) | Enable\|Disable use of VPC CIDR block in the ingress\_networks | `bool` | `false` | no |
diff --git a/emr/data.prefix_lists.tf b/emr/data.prefix_lists.tf
deleted file mode 100644
index 47385ce..0000000
--- a/emr/data.prefix_lists.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-data "aws_ec2_managed_prefix_list" "ingress" {
- for_each = toset(var.ingress_prefix_list_names)
- filter {
- name = "prefix-list-name"
- values = [each.key]
- }
-}
-
-# data "aws_ec2_managed_prefix_list" "egress" {
-# for_each = toset(var.egress_prefix_list_names)
-# filter {
-# name = "prefix-list-name"
-# values = [each.key]
-# }
-# }
diff --git a/emr/data.prefix_lists.tf b/emr/data.prefix_lists.tf
new file mode 120000
index 0000000..08df656
--- /dev/null
+++ b/emr/data.prefix_lists.tf
@@ -0,0 +1 @@
+../common/data.prefix_lists.tf
\ No newline at end of file
diff --git a/emr/variables.prefix_lists.tf b/emr/variables.prefix_lists.tf
new file mode 120000
index 0000000..86cbd3c
--- /dev/null
+++ b/emr/variables.prefix_lists.tf
@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf
\ No newline at end of file
diff --git a/emr/variables.tf b/emr/variables.tf
index 6f13353..3c0849a 100644
--- a/emr/variables.tf
+++ b/emr/variables.tf
@@ -61,15 +61,3 @@ variable "tags" {
 "Environment" = "infrastructure"
 }
 }
-
-variable "ingress_prefix_list_names" {
- description = "List of prefix list names for ingress access"
- type = list(string)
- default = ["all-networks.core"]
-}
-
-## variable "egress_prefix_list_names" {
-## description = "List of prefix list names for eggress access"
-## type = list(string)
-## default = []
-## }
diff --git a/pf.txt b/pf.txt
new file mode 100644
index 0000000..df82b4d
--- /dev/null
+++ b/pf.txt
@@ -0,0 +1,33 @@
+* # ingress_prefix_list_names = [ "wifi-networks.core", "vpn-networks.core" ]
+* # egress_prefix_list_names = [ ]
+*
+* ## ingress_prefix_list_names
+* In order to use a managed prefix list, you may pass a list of names in this field. The prefix lists
+* will be looked up and the resultant IDs used in the security group for inbound port access to Redshift.
+* This will fail if the prefix list does not exist.
+
+ # ingress with prefix lists
+ dynamic "ingress" {
+ for_each = length(var.ingress_prefix_list_names) > 0 ? local.port_map["external"] : toset([])
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.ingress : pl.id]
+ }
+ }
+
+ # egress with prefix lists
+ dynamic "egress" {
+ for_each = length(var.egress_prefix_list_names) > 0 ? { 1 = 1 } : {}
+ iterator = p
+ content {
+ description = "${local.short_description}"
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.egress : pl.id]
+ }
+ }
diff --git a/rds-postgres/data.prefix_lists.tf b/rds-postgres/data.prefix_lists.tf
deleted file mode 100644
index 23af189..0000000
--- a/rds-postgres/data.prefix_lists.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-data "aws_ec2_managed_prefix_list" "ingress" {
- for_each = toset(var.ingress_prefix_list_names)
- filter {
- name = "prefix-list-name"
- values = [each.key]
- }
-}
-
-data "aws_ec2_managed_prefix_list" "egress" {
- for_each = toset(var.egress_prefix_list_names)
- filter {
- name = "prefix-list-name"
- values = [each.key]
- }
-}
diff --git a/rds-postgres/data.prefix_lists.tf b/rds-postgres/data.prefix_lists.tf
new file mode 120000
index 0000000..08df656
--- /dev/null
+++ b/rds-postgres/data.prefix_lists.tf
@@ -0,0 +1 @@
+../common/data.prefix_lists.tf
\ No newline at end of file
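Review bot: pf.txt at the repository root reads as a scratch paste rather than module content: the `* #` banner is prose about Redshift inputs, and the two `dynamic` blocks reference `local.port_map`, `local.short_description` and `data.aws_ec2_managed_prefix_list.*`, none of which exist in this file, and as a `.txt` it is never loaded by Terraform. Either fold the narrative into the README of the module it describes and keep the dynamic blocks in the module that owns them, or drop the file, so the repo does not carry a second, unmaintained copy of the rule logic. Note also that the pasted egress block grants the prefix lists every port and protocol (`from_port = 0`, `to_port = 0`, `protocol = -1`), which is wider than the per-port ingress block above it; if that is the intended implementation, the `egress_prefix_list_names` description in common/variables.prefix_lists.tf should say so.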
diff --git a/rds-postgres/main.tf b/rds-postgres/main.tf
index a247239..595d91f 100644
--- a/rds-postgres/main.tf
+++ b/rds-postgres/main.tf
@@ -44,16 +44,6 @@ data "aws_vpc" "this_vpc" {
 id = var.vpc_id
 }
-## data "aws_security_group" "ingress_security_groups" {
-## for_each = toset(var.ingress_security_groups))
-## id = each.key
-## }
-##
-## data "aws_security_group" "egress_security_groups" {
-## for_each = toset(var.egress_security_groups)
-## id = each.key
-## }
-
 locals {
 vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
 external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
diff --git a/rds-postgres/variables.prefix_lists.tf b/rds-postgres/variables.prefix_lists.tf
new file mode 120000
index 0000000..86cbd3c
--- /dev/null
+++ b/rds-postgres/variables.prefix_lists.tf
@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf
\ No newline at end of file
diff --git a/rds-postgres/variables.tf b/rds-postgres/variables.tf
index 77d98ad..228be9c 100644
--- a/rds-postgres/variables.tf
+++ b/rds-postgres/variables.tf
@@ -77,15 +77,3 @@ variable "tags" {
 "Environment" = "csvd-infrastructure"
 }
 }
-
-variable "ingress_prefix_list_names" {
- description = "List of prefix list names for ingress access"
- type = list(string)
- default = []
-}
-
-variable "egress_prefix_list_names" {
- description = "List of prefix list names for eggress access"
- type = list(string)
- default = []
-}
diff --git a/redshift/data.prefix_lists.tf b/redshift/data.prefix_lists.tf
deleted file mode 100644
index 23af189..0000000
--- a/redshift/data.prefix_lists.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-data "aws_ec2_managed_prefix_list" "ingress" {
- for_each = toset(var.ingress_prefix_list_names)
- filter {
- name = "prefix-list-name"
- values = [each.key]
- }
-}
-
-data "aws_ec2_managed_prefix_list" "egress" {
- for_each = toset(var.egress_prefix_list_names)
- filter {
- name = "prefix-list-name"
- values = [each.key]
- }
-}
diff --git a/redshift/data.prefix_lists.tf b/redshift/data.prefix_lists.tf
new file mode 120000
index 0000000..08df656
--- /dev/null
+++ b/redshift/data.prefix_lists.tf
@@ -0,0 +1 @@
+../common/data.prefix_lists.tf
\ No newline at end of file
diff --git a/redshift/main.tf b/redshift/main.tf
index 8057d27..f5de3a2 100644
--- a/redshift/main.tf
+++ b/redshift/main.tf
@@ -44,16 +44,6 @@ data "aws_vpc" "this_vpc" {
 id = var.vpc_id
 }
-## data "aws_security_group" "ingress_security_groups" {
-## for_each = toset(var.ingress_security_groups))
-## id = each.key
-## }
-##
-## data "aws_security_group" "egress_security_groups" {
-## for_each = toset(var.egress_security_groups)
-## id = each.key
-## }
-
 locals {
 vpc_networks = var.use_vpc_cidr ? [data.aws_vpc.this_vpc[0].cidr_block] : []
 external_ingress_networks = compact(concat(local.vpc_networks, local.ingress_networks))
diff --git a/redshift/variables.prefix_lists.tf b/redshift/variables.prefix_lists.tf
new file mode 120000
index 0000000..86cbd3c
--- /dev/null
+++ b/redshift/variables.prefix_lists.tf
@@ -0,0 +1 @@
+../common/variables.prefix_lists.tf
\ No newline at end of file
diff --git a/redshift/variables.tf b/redshift/variables.tf
index 8061571..a6685e9 100644
--- a/redshift/variables.tf
+++ b/redshift/variables.tf
@@ -77,15 +77,3 @@ variable "tags" {
 "Environment" = "csvd-infrastructure"
 }
 }
-
-variable "ingress_prefix_list_names" {
- description = "List of prefix list names for ingress access"
- type = list(string)
- default = []
-}
-
-variable "egress_prefix_list_names" {
- description = "List of prefix list names for eggress access"
- type = list(string)
- default = []
-}