Added allowed_cidr_blocks variable to allow traffic from CIDR blocks #10
Conversation
There was a problem hiding this comment.
PR in itself is ok. But maybe like Simon says this shouldn't be part of the RDS module at all and we should just output the SG ID so we can attach rules to it via our "standard" way of centralising them in the securitygroups module.
Of course that would be a breaking change for other projects, so if we go that way we need to be sure it's versioned.
If I'm not mistaken that's the same behavior as with the Bastion module.
|
Well I sort of agree, but in any case that wasn't possible before this PR, because the ingress rule for |
|
Ah, true, you don't have to provide them. I propose you add the output for the SG then and document the possibility for such a setup. |
| tags { | ||
| Name = "${var.project}-${var.environment}${var.tag}-sg_rds" | ||
| Environment = "${var.environment}" | ||
| Project = "${var.project}" | ||
| } | ||
| } | ||
|
|
||
| resource "aws_security_group_rule" "rds_sg_in" { | ||
| count = "${length(var.security_groups)}" |
There was a problem hiding this comment.
Actually, I overlooked this in my first review. Are you sure this works, did you test it? Tried to do the same a couple of TF versions ago and it was not possible in a count. That means you have to add an extra parameter to set the count fixed.
There was a problem hiding this comment.
There was a problem hiding this comment.
Ok, cool, than my positive review is still valid ;)
There was a problem hiding this comment.
Simple cases work, but not yet everything. Here is some more info what is supported and what not:
No description provided.