Make IPV6 really optional (#15)

c46893aa · Anton Babenko · GitHub · e6d4bab9 · c46893aa · c46893aa
Commit c46893aa authored Nov 03, 2017 by Anton Babenko Committed by GitHub Nov 03, 2017
Show whitespace changes
Inline Side-by-side

Showing with 132 additions and 17 deletions

main.tf examples/complete/main.tf +86 -9

main.tf main.tf +36 -8

variables.tf variables.tf +10 -0

No files found.
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -37,15 +37,14 @@ module "complete_sg" {
  # Prefix list ids to use in all ingress rules in this module.
  # ingress_prefix_list_ids = ["pl-123456"]
  # Open for all CIDRs defined in ingress_cidr_blocks
  ingress_rules = ["https-443-tcp"]
  # Open to CIDRs blocks (rule or from_port+to_port+protocol+description)
  ingress_with_cidr_blocks = [
    {
      rule        = "postgresql-tcp"
      cidr_blocks = "0.0.0.0/0,2.2.2.2/32"
-      ipv6_cidr_blocks = "2001:db8::/60"
    },
    {
      rule        = "postgresql-tcp"
@@ -59,6 +58,18 @@ module "complete_sg" {
      cidr_blocks = "10.10.0.0/20"
    },
  ]
+  # Open to IPV6 CIDR blocks (rule or from_port+to_port+protocol+description)
+  ingress_with_ipv6_cidr_blocks = [
+    {
+      from_port        = 300
+      to_port          = 400
+      protocol         = "tcp"
+      description      = "Service ports (ipv6)"
+      ipv6_cidr_blocks = "2001:db8::/64"
+    },
+  ]
  # Open for security group id (rule or from_port+to_port+protocol+description)
  ingress_with_source_security_group_id = [
    {
@@ -73,6 +84,7 @@ module "complete_sg" {
      source_security_group_id = "${data.aws_security_group.default.id}"
    },
  ]
  # Open for self (rule or from_port+to_port+protocol+description)
  ingress_with_self = [
    {
@@ -92,25 +104,26 @@ module "complete_sg" {
      self      = false
    },
  ]
  # Default CIDR blocks, which will be used for all egress rules in this module. Typically these are CIDR blocks of the VPC.
  # If this is not specified then no CIDR blocks will be used.
  egress_cidr_blocks = ["10.10.0.0/16"]
  egress_ipv6_cidr_blocks = ["2001:db8::/64"]
  # Prefix list ids to use in all egress rules in this module.
  # egress_prefix_list_ids = ["pl-123456"]
  # Open for all CIDRs defined in egress_cidr_blocks
  egress_rules = ["http-80-tcp"]
  # Open to CIDRs blocks (rule or from_port+to_port+protocol+description)
  egress_with_cidr_blocks = [
    {
      rule        = "postgresql-tcp"
      cidr_blocks = "0.0.0.0/0,2.2.2.2/32"
-      ipv6_cidr_blocks = "2001:db8::/60"
    },
    {
-      rule        = "postgresql-tcp"
+      rule        = "https-443-tcp"
      cidr_blocks = "30.30.30.30/32"
    },
    {
@@ -121,6 +134,18 @@ module "complete_sg" {
      cidr_blocks = "10.10.0.0/20"
    },
  ]
+  # Open to IPV6 CIDR blocks (rule or from_port+to_port+protocol+description)
+  egress_with_ipv6_cidr_blocks = [
+    {
+      from_port        = 300
+      to_port          = 400
+      protocol         = "tcp"
+      description      = "Service ports (ipv6)"
+      ipv6_cidr_blocks = "2001:db8::/64"
+    },
+  ]
  # Open for security group id (rule or from_port+to_port+protocol+description)
  egress_with_source_security_group_id = [
    {
@@ -135,6 +160,7 @@ module "complete_sg" {
      source_security_group_id = "${data.aws_security_group.default.id}"
    },
  ]
  # Open for self (rule or from_port+to_port+protocol+description)
  egress_with_self = [
    {
@@ -155,3 +181,54 @@ module "complete_sg" {
    },
  ]
 }
+######################################################
+# Security group with IPv4 and IPv6 sets of arguments
+######################################################
+module "ipv4_ipv6_example" {
+  source = "../../"
+  name        = "ipv4-ipv6-example"
+  description = "IPv4 and IPv6 example"
+  vpc_id      = "${data.aws_vpc.default.id}"
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 8080
+      to_port     = 8090
+      protocol    = "tcp"
+      description = "User-service ports (ipv4)"
+      cidr_blocks = "0.0.0.0/0"
+    },
+  ]
+  ingress_with_ipv6_cidr_blocks = [
+    {
+      from_port        = 8080
+      to_port          = 8090
+      protocol         = "tcp"
+      description      = "User-service ports (ipv6)"
+      ipv6_cidr_blocks = "2001:db8::/64"
+    },
+  ]
+  egress_with_cidr_blocks = [
+    {
+      from_port   = 8090
+      to_port     = 8100
+      protocol    = "tcp"
+      description = "User-service ports (ipv4)"
+      cidr_blocks = "0.0.0.0/0"
+    },
+  ]
+  egress_with_ipv6_cidr_blocks = [
+    {
+      from_port        = 8090
+      to_port          = 8100
+      protocol         = "tcp"
+      description      = "User-service ports (ipv6)"
+      ipv6_cidr_blocks = "2001:db8::/64"
+    },
+  ]
+}
--- a/main.tf
+++ b/main.tf
@@ -47,7 +47,7 @@ resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
  protocol  = "${lookup(var.ingress_with_source_security_group_id[count.index], "protocol", element(var.rules[lookup(var.ingress_with_source_security_group_id[count.index], "rule", "_")], 2))}"
 }
-# Security group rules with "cidr_blocks", but without "source_security_group_id" and "self"
+# Security group rules with "cidr_blocks", but without "ipv6_cidr_blocks", "source_security_group_id" and "self"
 resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
  count = "${length(var.ingress_with_cidr_blocks)}"
@@ -55,7 +55,6 @@ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
  type              = "ingress"
  cidr_blocks     = ["${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}"]
-  ipv6_cidr_blocks = ["${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]
  prefix_list_ids = ["${var.ingress_prefix_list_ids}"]
  from_port = "${lookup(var.ingress_with_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 0))}"
@@ -63,6 +62,21 @@ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
  protocol  = "${lookup(var.ingress_with_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 2))}"
 }
+# Security group rules with "ipv6_cidr_blocks", but without "cidr_blocks", "source_security_group_id" and "self"
+resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks" {
+  count = "${length(var.ingress_with_ipv6_cidr_blocks)}"
+  security_group_id = "${aws_security_group.this.id}"
+  type              = "ingress"
+  ipv6_cidr_blocks = ["${split(",", lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.ingress_ipv6_cidr_blocks)))}"]
+  prefix_list_ids  = ["${var.ingress_prefix_list_ids}"]
+  from_port = "${lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 0))}"
+  to_port   = "${lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 1))}"
+  protocol  = "${lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 2))}"
+}
 # Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
 resource "aws_security_group_rule" "ingress_with_self" {
  count = "${length(var.ingress_with_self)}"
@@ -121,7 +135,7 @@ resource "aws_security_group_rule" "egress_with_source_security_group_id" {
  protocol  = "${lookup(var.egress_with_source_security_group_id[count.index], "protocol", element(var.rules[lookup(var.egress_with_source_security_group_id[count.index], "rule", "_")], 2))}"
 }
-# Security group rules with "cidr_blocks", but without "source_security_group_id" and "self"
+# Security group rules with "cidr_blocks", but without "ipv6_cidr_blocks", "source_security_group_id" and "self"
 resource "aws_security_group_rule" "egress_with_cidr_blocks" {
  count = "${length(var.egress_with_cidr_blocks)}"
@@ -129,7 +143,6 @@ resource "aws_security_group_rule" "egress_with_cidr_blocks" {
  type              = "egress"
  cidr_blocks     = ["${split(",", lookup(var.egress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.egress_cidr_blocks)))}"]
-  ipv6_cidr_blocks = ["${split(",", lookup(var.egress_with_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]
  prefix_list_ids = ["${var.egress_prefix_list_ids}"]
  from_port = "${lookup(var.egress_with_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 0))}"
@@ -137,6 +150,21 @@ resource "aws_security_group_rule" "egress_with_cidr_blocks" {
  protocol  = "${lookup(var.egress_with_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 2))}"
 }
+# Security group rules with "ipv6_cidr_blocks", but without "cidr_blocks", "source_security_group_id" and "self"
+resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks" {
+  count = "${length(var.egress_with_ipv6_cidr_blocks)}"
+  security_group_id = "${aws_security_group.this.id}"
+  type              = "egress"
+  ipv6_cidr_blocks = ["${split(",", lookup(var.egress_with_ipv6_cidr_blocks[count.index], "ipv6_cidr_blocks", join(",", var.egress_ipv6_cidr_blocks)))}"]
+  prefix_list_ids  = ["${var.egress_prefix_list_ids}"]
+  from_port = "${lookup(var.egress_with_ipv6_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.egress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 0))}"
+  to_port   = "${lookup(var.egress_with_ipv6_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.egress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 1))}"
+  protocol  = "${lookup(var.egress_with_ipv6_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.egress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 2))}"
+}
 # Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
 resource "aws_security_group_rule" "egress_with_self" {
  count = "${length(var.egress_with_self)}"

--- a/variables.tf
+++ b/variables.tf
@@ -37,6 +37,11 @@ variable "ingress_with_cidr_blocks" {
  default     = []
 }
+variable "ingress_with_ipv6_cidr_blocks" {
+  description = "List of ingress rules to create where 'ipv6_cidr_blocks' is used"
+  default     = []
+}
 variable "ingress_with_source_security_group_id" {
  description = "List of ingress rules to create where 'source_security_group_id' is used"
  default     = []
@@ -75,6 +80,11 @@ variable "egress_with_cidr_blocks" {
  default     = []
 }
+variable "egress_with_ipv6_cidr_blocks" {
+  description = "List of egress rules to create where 'ipv6_cidr_blocks' is used"
+  default     = []
+}
 variable "egress_with_source_security_group_id" {
  description = "List of egress rules to create where 'source_security_group_id' is used"
  default     = []