feat: add flag to enable ipv6 egress rule
jdiebold committed May 7, 2024
1 parent d234aed commit e03a385
Showing 2 changed files with 34 additions and 6 deletions.
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -98,6 +98,12 @@ variable "additional_associated_security_group_ids" {
default = []
}

variable "enable_ipv6_in_security_group" {
description = "Enable IPv6 in the security group"
type = bool
default = false
}

# iam
variable "additional_execution_role_policy_document_json" {
description = "Additional permissions to attach to the base mwaa execution role"
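Review bot: The description on the new `enable_ipv6_in_security_group` variable overstates what the flag does; the only thing it gates (see `aws_security_group_rule.egress_all_ipv6` in vpc.tf) is an allow-all egress rule to `::/0`, while ingress is unchanged. A reader setting it to true for "IPv6 support" should know it is opening unrestricted outbound IPv6 and nothing else. Suggest `description = "When true, add an allow-all (protocol -1) egress rule to ::/0 on the MWAA security group; ingress is not affected"`. Keeping the default at `false` is the right choice since it preserves the current egress surface for existing deployments.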
34 changes: 28 additions & 6 deletions vpc.tf
Expand Up @@ -98,12 +98,6 @@ resource "aws_security_group" "this" {
tags = merge({
Name = "mwaa-${var.environment_name}-no-ingress-sg"
}, var.tags )
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
egress {
from_port = 0
to_port = 0
Expand All @@ -113,3 +107,31 @@ resource "aws_security_group" "this" {
]
}
}

resource "aws_security_group_rule" "ingress_from_self" {
from_port = 0
protocol = "-1"
security_group_id = aws_security_group.this.id
to_port = 0
type = "ingress"
self = true
}

resource "aws_security_group_rule" "egress_all_ipv4" {
from_port = 0
protocol = "-1"
security_group_id = aws_security_group.this.id
to_port = 0
type = "egress"
cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "egress_all_ipv6" {
count = var.enable_ipv6_in_security_group ? 1 : 0
from_port = 0
protocol = "-1"
security_group_id = aws_security_group.this.id
to_port = 0
type = "egress"
ipv6_cidr_blocks = ["::/0"]
}
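Review bot: After this change `aws_security_group.this` mixes management styles: the first hunk removes the inline `ingress` block but leaves the inline `egress { … }` block in the resource (its body is partly collapsed at the second hunk header), while the second hunk adds standalone `aws_security_group_rule` resources (`ingress_from_self`, `egress_all_ipv4`, `egress_all_ipv6`) on the same group. The AWS provider documents that inline rule blocks and `aws_security_group_rule` resources must not be combined on one security group, because each side treats the other's rules as drift and removes or re-adds them on every apply; with the inline egress block and `egress_all_ipv4` both present, the effective egress set is whichever was applied last rather than the intended union. Either drop the remaining inline `egress` block so every rule lives in `aws_security_group_rule` (which also makes the conditional `egress_all_ipv6` rule the only IPv6 path and easy to audit), or keep everything inline and gate the IPv6 egress with a `dynamic "egress"` block; do not leave both. Note that `resource "aws_security_group" "this"` begins before the first hunk and the retained egress block's `cidr_blocks` value is not visible here, so confirm what it currently allows before deleting it. Consider also adding a `description` to each new rule resource (for example `description = "Allow all egress to IPv6 (enabled by var.enable_ipv6_in_security_group)"`) so the intent is visible in the console and in security reviews.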
