This repository has been archived by the owner on Feb 14, 2024. It is now read-only.
feat(module/vpc): Add support for managed prefix list for rules in security groups #325
sebastianczech authored Jun 22, 2023
1 parent 34374ce commit 1314c1f
Showing 3 changed files with 19 additions and 11 deletions.
2 changes: 1 addition & 1 deletion modules/vpc/README.md
@@ -82,7 +82,7 @@ No modules.
| <a name="input_name"></a> [name](#input\_name) | Name of the VPC to create or use. | `string` | n/a | yes |
| <a name="input_ntp_servers"></a> [ntp\_servers](#input\_ntp\_servers) | Specify a list of NTP server addresses for DHCP options set, default to AWS provided | `list(string)` | `[]` | no |
| <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | Secondary CIDR block to assign to a new VPC. | `list(string)` | `[]` | no |
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | The `security_groups` variable is a map of maps, where each map represents an AWS Security Group.<br> The key of each entry acts as the Security Group name.<br> List of available attributes of each Security Group entry:<br> - `rules`: A list of objects representing a Security Group rule. The key of each entry acts as the name of the rule and<br> needs to be unique across all rules in the Security Group.<br> List of attributes available to define a Security Group rule:<br> - `description`: Security Group description.<br> - `type`: Specifies if rule will be evaluated on ingress (inbound) or egress (outbound) traffic.<br> - `cidr_blocks`: List of CIDR blocks - for ingress, determines the traffic that can reach your instance. For egress<br> Determines the traffic that can leave your instance, and where it can go.<br><br><br> Example:<pre>security_groups = {<br> vmseries-mgmt = {<br> name = "vmseries-mgmt"<br> rules = {<br> all-outbound = {<br> description = "Permit All traffic outbound"<br> type = "egress", from_port = "0", to_port = "0", protocol = "-1"<br> cidr_blocks = ["0.0.0.0/0"]<br> }<br> https-inbound-private = {<br> description = "Permit HTTPS for VM-Series Management"<br> type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"<br> cidr_blocks = ["10.0.0.0/8"]<br> }<br> https-inbound-eip = {<br> description = "Permit HTTPS for VM-Series Management from known public IPs"<br> type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"<br> cidr_blocks = ["100.100.100.100/32"]<br> }<br> ssh-inbound-eip = {<br> description = "Permit SSH for VM-Series Management from known public IPs"<br> type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"<br> cidr_blocks = ["100.100.100.100/32"]<br> }<br> }<br> }<br> }</pre> | `any` | `{}` | no |
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | The `security_groups` variable is a map of maps, where each map represents an AWS Security Group.<br> The key of each entry acts as the Security Group name.<br> List of available attributes of each Security Group entry:<br> - `rules`: A list of objects representing a Security Group rule. The key of each entry acts as the name of the rule and<br> needs to be unique across all rules in the Security Group.<br> List of attributes available to define a Security Group rule:<br> - `description`: Security Group description.<br> - `type`: Specifies if rule will be evaluated on ingress (inbound) or egress (outbound) traffic.<br> - `cidr_blocks`: List of CIDR blocks - for ingress, determines the traffic that can reach your instance. For egress<br> Determines the traffic that can leave your instance, and where it can go.<br> - `prefix_list_ids`: List of Prefix List IDs<br><br><br> Example:<pre>security_groups = {<br> vmseries-mgmt = {<br> name = "vmseries-mgmt"<br> rules = {<br> all-outbound = {<br> description = "Permit All traffic outbound"<br> type = "egress", from_port = "0", to_port = "0", protocol = "-1"<br> cidr_blocks = ["0.0.0.0/0"]<br> }<br> https-inbound-private = {<br> description = "Permit HTTPS for VM-Series Management"<br> type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"<br> cidr_blocks = ["10.0.0.0/8"]<br> }<br> https-inbound-eip = {<br> description = "Permit HTTPS for VM-Series Management from known public IPs"<br> type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"<br> cidr_blocks = ["100.100.100.100/32"]<br> }<br> ssh-inbound-eip = {<br> description = "Permit SSH for VM-Series Management from known public IPs"<br> type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"<br> cidr_blocks = ["100.100.100.100/32"]<br> }<br> https-inbound-prefix-list = {<br> description = "Permit HTTPS for VM-Series Management for IPs in 
managed prefix list"<br> type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"<br> prefix_list_ids = ["pl-1a2b3c4d5e6f7g8h9i"]<br> }<br> }<br> }<br> }</pre> | `any` | `{}` | no |
| <a name="input_use_internet_gateway"></a> [use\_internet\_gateway](#input\_use\_internet\_gateway) | If an existing VPC is provided and has IG attached, set to `true` to reuse it. | `bool` | `false` | no |
| <a name="input_vpc_tags"></a> [vpc\_tags](#input\_vpc\_tags) | Optional map of arbitrary tags to apply to VPC resource. | `map` | `{}` | no |
| <a name="input_vpn_gateway_amazon_side_asn"></a> [vpn\_gateway\_amazon\_side\_asn](#input\_vpn\_gateway\_amazon\_side\_asn) | ASN for the Amazon side of the gateway. | `string` | `null` | no |
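Review bot: the new `prefix_list_ids` bullet in this row says only "List of Prefix List IDs", so a reader of the README cannot tell whether a rule may set `cidr_blocks`, `prefix_list_ids`, or both, nor whether at least one of them is required. Suggest mirroring the wording used for `cidr_blocks` two bullets above, e.g. "- `prefix_list_ids`: List of managed prefix list IDs; a rule must specify `cidr_blocks`, `prefix_list_ids`, or both." Since the anchors in this table look terraform-docs generated, make the wording change in `variables.tf` and regenerate the README from it so the two copies of the text do not drift.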
22 changes: 12 additions & 10 deletions modules/vpc/main.tf
@@ -177,11 +177,12 @@ resource "aws_security_group" "this" {
]

content {
from_port = ingress.value.from_port
to_port = ingress.value.to_port
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
description = lookup(ingress.value, "description", "")
from_port = ingress.value.from_port
to_port = ingress.value.to_port
protocol = ingress.value.protocol
cidr_blocks = try(ingress.value.cidr_blocks, null)
prefix_list_ids = try(ingress.value.prefix_list_ids, null)
description = lookup(ingress.value, "description", "")
}
}
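Review bot: changing `cidr_blocks = ingress.value.cidr_blocks` to `cidr_blocks = try(ingress.value.cidr_blocks, null)` removes the plan-time failure that a rule with a missing or misspelled `cidr_blocks` key used to get; a rule that sets neither `cidr_blocks` nor `prefix_list_ids` now reaches the provider with both attributes null instead of being rejected up front. Suggest a `precondition` on the resource (or a `validation` block on the `security_groups` variable) asserting that every rule has at least one of the two, so the mistake surfaces in `terraform plan` rather than at apply time. Style point: optional attributes are now read two different ways in the same block, `try(..., null)` for the two source attributes and `lookup(ingress.value, "description", "")` for `description`; using one form throughout would be easier to read.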

@@ -193,11 +194,12 @@ resource "aws_security_group" "this" {
]

content {
from_port = egress.value.from_port
to_port = egress.value.to_port
protocol = egress.value.protocol
cidr_blocks = egress.value.cidr_blocks
description = lookup(egress.value, "description", "")
from_port = egress.value.from_port
to_port = egress.value.to_port
protocol = egress.value.protocol
cidr_blocks = try(egress.value.cidr_blocks, null)
prefix_list_ids = try(egress.value.prefix_list_ids, null)
description = lookup(egress.value, "description", "")
}
}
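Review bot: same concern as the ingress block: `cidr_blocks = try(egress.value.cidr_blocks, null)` silently accepts an egress rule with no destination at all, whereas the previous `egress.value.cidr_blocks` failed at plan time, so please add the same at-least-one-of check for `cidr_blocks` and `prefix_list_ids` here rather than relying on the API to reject the rule. A short comment above the two `try()` lines noting that an egress rule may carry CIDR blocks and prefix list IDs at the same time would also help, since the attribute names alone do not say so.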

6 changes: 6 additions & 0 deletions modules/vpc/variables.tf
@@ -125,6 +125,7 @@ variable "security_groups" {
- `type`: Specifies if rule will be evaluated on ingress (inbound) or egress (outbound) traffic.
- `cidr_blocks`: List of CIDR blocks - for ingress, determines the traffic that can reach your instance. For egress
Determines the traffic that can leave your instance, and where it can go.
- `prefix_list_ids`: List of Prefix List IDs
Example:
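Review bot: "List of Prefix List IDs" is the only documentation of the new attribute, and it is much thinner than the two-line description given for `cidr_blocks` just above it. Since the commit title says managed prefix lists, say so here, and state whether a rule needs `cidr_blocks`, `prefix_list_ids`, or both, e.g. "- `prefix_list_ids`: List of managed prefix list IDs; each rule must set at least one of `cidr_blocks` or `prefix_list_ids`."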
@@ -153,6 +154,11 @@ variable "security_groups" {
type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
cidr_blocks = ["100.100.100.100/32"]
}
https-inbound-prefix-list = {
description = "Permit HTTPS for VM-Series Management for IPs in managed prefix list"
type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
prefix_list_ids = ["pl-1a2b3c4d5e6f7g8h9i"]
}
}
}
}
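Review bot: the sample ID `pl-1a2b3c4d5e6f7g8h9i` is clearly a placeholder, but it contains characters outside the hex alphabet that AWS uses after the `pl-` prefix, so anyone who copies the example verbatim will hit an ID-format error rather than a plain not-found error; an obviously fake but well-formed value such as `pl-0123456789abcdef0`, or a comment marking the value as illustrative, would avoid that confusion. Also, with the variable typed `any`, nothing validates that `prefix_list_ids` is a `list(string)`; if the module's minimum Terraform version allows `optional()`, a typed object with `optional(list(string))` for both `cidr_blocks` and `prefix_list_ids` would give that check for free.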