From f640695cd972cb3ba496582c88acc136b13fdf0c Mon Sep 17 00:00:00 2001
From: Amit Kulkarni <yuvraj2987@gmail.com>
Date: Mon, 6 Apr 2020 21:46:34 -0700
Subject: [PATCH] feat: Add list variable to override source_ips for LB (#26)

* Use list variable to set source_ips for LB

Instead of hardcoding source_ip ranges into the to module, make use of
variable.

Create a new variable with name `allowed_ips` with the default set to
`[0.0.0.0/0]`.  This change allows the user to restrict access to
external load balancer from only from a small set of ip addresses.

* Add strict type constraint on allowed_ips var

Restrict `allowed_ips` values to list of strings.

Co-authored-by: Amit Kulkarni <amitk@wepay.com>
Co-authored-by: Morgante Pell <morgantep@google.com>
---
 main.tf      | 2 +-
 variables.tf | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index e33d3eb..29c45b8 100644
--- a/main.tf
+++ b/main.tf
@@ -63,7 +63,7 @@ resource "google_compute_firewall" "default-lb-fw" {
     ports    = [var.service_port]
   }
 
-  source_ranges = ["0.0.0.0/0"]
+  source_ranges = var.allowed_ips
 
   target_tags = var.target_tags
 
diff --git a/variables.tf b/variables.tf
index a324ec4..c4c0007 100644
--- a/variables.tf
+++ b/variables.tf
@@ -102,3 +102,10 @@ variable "ip_protocol" {
   description = "The IP protocol for the frontend forwarding rule and firewall rule. TCP, UDP, ESP, AH, SCTP or ICMP."
   default     = "TCP"
 }
+
+variable "allowed_ips" {
+  description = "The IP address ranges which can access the load balancer."
+  default     = ["0.0.0.0/0"]
+  type        = list(string)
+
+}