feat: add flag to enable ipv6 egress rule (#170)

* feat: add flag to enable ipv6 egress rule * terraform-docs: automated action * remove old inline egress rule --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
idealo · May 8, 2024 · 0d97f23 · 0d97f23
1 parent d234aed
commit 0d97f23
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -130,6 +130,9 @@ No modules.
 | [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.egress_all_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.egress_all_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_from_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
@@ -150,6 +153,7 @@ No modules.
 | <a name="input_dag_processing_logs_enabled"></a> [dag\_processing\_logs\_enabled](#input\_dag\_processing\_logs\_enabled) | n/a | `bool` | `true` | no |
 | <a name="input_dag_processing_logs_level"></a> [dag\_processing\_logs\_level](#input\_dag\_processing\_logs\_level) | One of: DEBUG, INFO, WARNING, ERROR, CRITICAL | `string` | `"WARNING"` | no |
 | <a name="input_dag_s3_path"></a> [dag\_s3\_path](#input\_dag\_s3\_path) | Relative path of the dags folder within the source bucket | `string` | `"dags/"` | no |
+| <a name="input_enable_ipv6_in_security_group"></a> [enable\_ipv6\_in\_security\_group](#input\_enable\_ipv6\_in\_security\_group) | Enable IPv6 in the security group | `bool` | `false` | no |
 | <a name="input_environment_class"></a> [environment\_class](#input\_environment\_class) | n/a | `string` | `"mw1.small"` | no |
 | <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | Name of the MWAA environment | `string` | n/a | yes |
 | <a name="input_internet_gateway_id"></a> [internet\_gateway\_id](#input\_internet\_gateway\_id) | ID of the internet gateway to the VPC, if not set and create\_networking\_config = true an internet gateway will be created | `string` | `null` | no |

diff --git a/variables.tf b/variables.tf
@@ -98,6 +98,12 @@ variable "additional_associated_security_group_ids" {
   default     = []
 }
 
+variable "enable_ipv6_in_security_group" {
+  description = "Enable IPv6 in the security group"
+  type        = bool
+  default     = false
+}
+
 # iam
 variable "additional_execution_role_policy_document_json" {
   description = "Additional permissions to attach to the base mwaa execution role"

diff --git a/vpc.tf b/vpc.tf
@@ -98,18 +98,32 @@ resource "aws_security_group" "this" {
   tags   = merge({
     Name = "mwaa-${var.environment_name}-no-ingress-sg"
   }, var.tags  )
-  ingress {
-    from_port = 0
-    to_port   = 0
-    protocol  = "-1"
-    self      = true
-  }
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = [
-      "0.0.0.0/0"
-    ]
-  }
+}
+
+resource "aws_security_group_rule" "ingress_from_self" {
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.this.id
+  to_port           = 0
+  type              = "ingress"
+  self = true
+}
+
+resource "aws_security_group_rule" "egress_all_ipv4" {
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.this.id
+  to_port           = 0
+  type              = "egress"
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "egress_all_ipv6" {
+  count             = var.enable_ipv6_in_security_group ? 1 : 0
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.this.id
+  to_port           = 0
+  type              = "egress"
+  ipv6_cidr_blocks  = ["::/0"]
 }