From 4cc97b383fb4d888d853f8ad1852b08c7fae1974 Mon Sep 17 00:00:00 2001
From: Haidar <33404432+haidargit@users.noreply.github.com>
Date: Sat, 22 Jul 2023 06:19:53 +0700
Subject: [PATCH] feat(tf-documentdb-cluster): enable docdb egress traffic
exposure adjustment (#54)
---
README.md | 8 ++++----
docs/terraform.md | 4 ++++
main.tf | 10 +++++-----
variables.tf | 24 ++++++++++++++++++++++++
4 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index d9d2e6e..cbb3eb9 100644
--- a/README.md
+++ b/README.md
@@ -88,10 +88,6 @@ We highly recommend that in your code you pin the version to the exact version y
using so that your infrastructure remains stable, and update versions in a
systematic way so that they do not catch you by surprise.
-Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
-the registry shows many of our inputs as required when in fact they are optional.
-The table below correctly indicates which inputs are required.
-
For a complete example, see [examples/complete](examples/complete).
@@ -181,6 +177,7 @@ Available targets:
| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| [allow\_ingress\_from\_self](#input\_allow\_ingress\_from\_self) | Adds the Document DB security group itself as a source for ingress rules. Useful when this security group will be shared with applications. | `bool` | `false` | no |
| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks to be allowed to connect to the DocumentDB cluster | `list(string)` | `[]` | no |
+| [allowed\_egress\_cidr\_blocks](#input\_allowed\_egress\_cidr\_blocks) | List of CIDR blocks to be allowed to send traffic outside of the DocumentDB cluster | `list(string)` | [
"0.0.0.0/0"
]
| no |
| [allowed\_security\_groups](#input\_allowed\_security\_groups) | List of existing Security Groups to be allowed to connect to the DocumentDB cluster | `list(string)` | `[]` | no |
| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no |
| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
@@ -194,6 +191,9 @@ Available targets:
| [deletion\_protection](#input\_deletion\_protection) | A value that indicates whether the DB cluster has deletion protection enabled | `bool` | `false` | no |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
+| [egress\_from\_port](#input\_egress\_from\_port) | [from\_port]DocumentDB initial port range for egress (e.g. `0`) | `number` | `0` | no |
+| [egress\_protocol](#input\_egress\_protocol) | DocumentDB protocol for egress (e.g. `-1`, `tcp`) | `string` | `"-1"` | no |
+| [egress\_to\_port](#input\_egress\_to\_port) | [to\_port]DocumentDB initial port range for egress (e.g. `65535`) | `number` | `0` | no |
| [enable\_performance\_insights](#input\_enable\_performance\_insights) | Specifies whether to enable Performance Insights for the DB Instance. | `bool` | `false` | no |
| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to export to cloudwatch. The following log types are supported: `audit`, `error`, `general`, `slowquery` | `list(string)` | `[]` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 58f899e..ac8f548 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -45,6 +45,7 @@
| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| [allow\_ingress\_from\_self](#input\_allow\_ingress\_from\_self) | Adds the Document DB security group itself as a source for ingress rules. Useful when this security group will be shared with applications. | `bool` | `false` | no |
| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks to be allowed to connect to the DocumentDB cluster | `list(string)` | `[]` | no |
+| [allowed\_egress\_cidr\_blocks](#input\_allowed\_egress\_cidr\_blocks) | List of CIDR blocks to be allowed to send traffic outside of the DocumentDB cluster | `list(string)` | [
"0.0.0.0/0"
]
| no |
| [allowed\_security\_groups](#input\_allowed\_security\_groups) | List of existing Security Groups to be allowed to connect to the DocumentDB cluster | `list(string)` | `[]` | no |
| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no |
| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
@@ -58,6 +59,9 @@
| [deletion\_protection](#input\_deletion\_protection) | A value that indicates whether the DB cluster has deletion protection enabled | `bool` | `false` | no |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
+| [egress\_from\_port](#input\_egress\_from\_port) | [from\_port]DocumentDB initial port range for egress (e.g. `0`) | `number` | `0` | no |
+| [egress\_protocol](#input\_egress\_protocol) | DocumentDB protocol for egress (e.g. `-1`, `tcp`) | `string` | `"-1"` | no |
+| [egress\_to\_port](#input\_egress\_to\_port) | [to\_port]DocumentDB initial port range for egress (e.g. `65535`) | `number` | `0` | no |
| [enable\_performance\_insights](#input\_enable\_performance\_insights) | Specifies whether to enable Performance Insights for the DB Instance. | `bool` | `false` | no |
| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to export to cloudwatch. The following log types are supported: `audit`, `error`, `general`, `slowquery` | `list(string)` | `[]` | no |
diff --git a/main.tf b/main.tf
index 8298a6f..93f36c1 100644
--- a/main.tf
+++ b/main.tf
@@ -9,11 +9,11 @@ resource "aws_security_group" "default" {
resource "aws_security_group_rule" "egress" {
count = module.this.enabled ? 1 : 0
type = "egress"
- description = "Allow all egress traffic"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow outbound traffic from CIDR blocks"
+ from_port = var.egress_from_port
+ to_port = var.egress_to_port
+ protocol = var.egress_protocol
+ cidr_blocks = var.allowed_egress_cidr_blocks
security_group_id = join("", aws_security_group.default[*].id)
}
diff --git a/variables.tf b/variables.tf
index d509615..c59361e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,6 +4,30 @@ variable "zone_id" {
description = "Route53 parent zone ID. If provided (not empty), the module will create sub-domain DNS records for the DocumentDB master and replicas"
}
+variable "egress_from_port" {
+ type = number
+ default = 0
+ description = "[from_port]DocumentDB initial port range for egress (e.g. `0`)"
+}
+
+variable "egress_to_port" {
+ type = number
+ default = 0
+ description = "[to_port]DocumentDB initial port range for egress (e.g. `65535`)"
+}
+
+variable "egress_protocol" {
+ type = string
+ default = "-1"
+ description = "DocumentDB protocol for egress (e.g. `-1`, `tcp`)"
+}
+
+variable "allowed_egress_cidr_blocks" {
+ type = list(string)
+ default = ["0.0.0.0/0"]
+ description = "List of CIDR blocks to be allowed to send traffic outside of the DocumentDB cluster"
+}
+
variable "allowed_security_groups" {
type = list(string)
default = []