Allow the addition of IP-based ingress rules (#51)

terraform-aws-modules · Jun 24, 2019 · 86a8d13 · 86a8d13
1 parent 80805d8
commit 86a8d13
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -32,6 +32,8 @@ module "db" {
   replica_count                   = 1
   allowed_security_groups         = ["sg-12345678"]
   allowed_security_groups_count   = 1
+  allowed_cidr_blocks             = ["10.0.0.0/8"]
+  allowed_cidr_blocks_count       = 1
   instance_type                   = "db.r4.large"
   storage_encrypted               = true
   apply_immediately               = true
@@ -64,6 +66,8 @@ Terraform documentation is generated automatically using [pre-commit hooks](http
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| allowed\_cidr\_blocks | A list of CIDR blocks which are allowed to access the database | list | `[]` | no |
+| allowed\_cidr\_blocks\_count | The number of CIDR blocks being added, terraform doesn't let us use length() in a count field | string | `"0"` | no |
 | allowed\_security\_groups | A list of Security Group ID's to allow access to. | list | `[]` | no |
 | allowed\_security\_groups\_count | The number of Security Groups being added, terraform doesn't let us use length() in a count field | string | `"0"` | no |
 | apply\_immediately | Determines whether or not any DB modifications are applied immediately, or during the maintenance window | string | `"false"` | no |
@@ -105,7 +109,7 @@ Terraform documentation is generated automatically using [pre-commit hooks](http
 | tags | A map of tags to add to all resources. | map | `{}` | no |
 | username | Master DB username | string | `"root"` | no |
 | vpc\_id | VPC ID | string | n/a | yes |
-| vpc\_security\_group\_ids | List of VPC security groups to associate to the cluster in addition to the SG we create in this module | list | `<list>` | no |
+| vpc\_security\_group\_ids | List of VPC security groups to associate to the cluster in addition to the SG we create in this module | list | `[]` | no |
 
 ## Outputs
 

diff --git a/examples/mysql/main.tf b/examples/mysql/main.tf
@@ -26,6 +26,9 @@ module "aurora" {
   db_parameter_group_name         = "${aws_db_parameter_group.aurora_db_57_parameter_group.id}"
   db_cluster_parameter_group_name = "${aws_rds_cluster_parameter_group.aurora_57_cluster_parameter_group.id}"
   enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]
+
+  allowed_cidr_blocks_count = 1
+  allowed_cidr_blocks       = ["10.20.0.0/20"]
 }
 
 resource "aws_db_parameter_group" "aurora_db_57_parameter_group" {

diff --git a/main.tf b/main.tf
@@ -151,3 +151,14 @@ resource "aws_security_group_rule" "default_ingress" {
   source_security_group_id = "${element(var.allowed_security_groups, count.index)}"
   security_group_id        = "${aws_security_group.this.id}"
 }
+
+resource "aws_security_group_rule" "cidr_ingress" {
+  count = "${var.allowed_cidr_blocks_count}"
+
+  type              = "ingress"
+  from_port         = "${aws_rds_cluster.this.port}"
+  to_port           = "${aws_rds_cluster.this.port}"
+  protocol          = "tcp"
+  cidr_blocks       = ["${element(var.allowed_cidr_blocks, count.index)}"]
+  security_group_id = "${aws_security_group.this.id}"
+}
diff --git a/variables.tf b/variables.tf
@@ -22,6 +22,17 @@ variable "allowed_security_groups_count" {
   default     = 0
 }
 
+variable "allowed_cidr_blocks" {
+  description = "A list of CIDR blocks which are allowed to access the database"
+  type        = "list"
+  default     = []
+}
+
+variable "allowed_cidr_blocks_count" {
+  description = "The number of CIDR blocks being added, terraform doesn't let us use length() in a count field"
+  default     = 0
+}
+
 variable "vpc_id" {
   description = "VPC ID"
 }