allow traffic inside security group

README.md

@@ -392,6 +392,7 @@ Available targets:
 | [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.traffic_inside_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_iam_policy_document.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
@@ -404,6 +405,7 @@ Available targets:
 | <a name="input_admin_user"></a> [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no |
 | <a name="input_allocated_storage"></a> [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no |
 | <a name="input_allow_major_version_upgrade"></a> [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no |
+| <a name="input_allow_traffic_inside_security_group"></a> [allow\_traffic\_inside\_security\_group](#input\_allow\_traffic\_inside\_security\_group) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no |
 | <a name="input_allowed_cidr_blocks"></a> [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no |
 | <a name="input_apply_immediately"></a> [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |

docs/terraform.md

@@ -40,6 +40,7 @@
 | [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.traffic_inside_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_iam_policy_document.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
@@ -52,6 +53,7 @@
 | <a name="input_admin_user"></a> [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no |
 | <a name="input_allocated_storage"></a> [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no |
 | <a name="input_allow_major_version_upgrade"></a> [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no |
+| <a name="input_allow_traffic_inside_security_group"></a> [allow\_traffic\_inside\_security\_group](#input\_allow\_traffic\_inside\_security\_group) | Whether to allow traffic between resources inside the database's security group. | `bool` | `false` | no |
 | <a name="input_allowed_cidr_blocks"></a> [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no |
 | <a name="input_apply_immediately"></a> [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |

examples/complete/fixtures.us-east-2.tfvars

@@ -31,3 +31,5 @@ admin_password = "admin_password"
 enhanced_monitoring_role_enabled = true
 
 rds_monitoring_interval = 30
+
+allow_traffic_inside_security_group = true

examples/complete/main.tf

@@ -28,22 +28,23 @@ module "subnets" {
 module "rds_cluster" {
   source = "../../"
 
-  engine              = var.engine
-  engine_mode         = var.engine_mode
-  cluster_family      = var.cluster_family
-  cluster_size        = var.cluster_size
-  admin_user          = var.admin_user
-  admin_password      = var.admin_password
-  db_name             = var.db_name
-  instance_type       = var.instance_type
-  vpc_id              = module.vpc.vpc_id
-  subnets             = module.subnets.private_subnet_ids
-  security_groups     = [module.vpc.vpc_default_security_group_id]
-  deletion_protection = var.deletion_protection
-  autoscaling_enabled = var.autoscaling_enabled
-  storage_type        = var.storage_type
-  iops                = var.iops
-  allocated_storage   = var.allocated_storage
+  engine                              = var.engine
+  engine_mode                         = var.engine_mode
+  cluster_family                      = var.cluster_family
+  cluster_size                        = var.cluster_size
+  admin_user                          = var.admin_user
+  admin_password                      = var.admin_password
+  db_name                             = var.db_name
+  instance_type                       = var.instance_type
+  vpc_id                              = module.vpc.vpc_id
+  subnets                             = module.subnets.private_subnet_ids
+  security_groups                     = [module.vpc.vpc_default_security_group_id]
+  deletion_protection                 = var.deletion_protection
+  autoscaling_enabled                 = var.autoscaling_enabled
+  storage_type                        = var.storage_type
+  iops                                = var.iops
+  allocated_storage                   = var.allocated_storage
+  allow_traffic_inside_security_group = var.allow_traffic_inside_security_group
 
   cluster_parameters = [
     {

examples/complete/variables.tf

@@ -84,3 +84,9 @@ variable "allocated_storage" {
   description = "The allocated storage in GBs"
   default     = null
 }
+
+variable "allow_traffic_inside_security_group" {
+  type        = bool
+  default     = false
+  description = "Whether to allow traffic between resources inside the database's security group."
+}

main.tf

@@ -33,6 +33,17 @@ resource "aws_security_group_rule" "ingress_security_groups" {
   security_group_id        = join("", aws_security_group.default.*.id)
 }
 
+resource "aws_security_group_rule" "traffic_inside_security_group" {
+  count             = local.enabled && var.allow_traffic_inside_security_group ? 1 : 0
+  description       = "Allow traffic between members of the database security group"
+  type              = "ingress"
+  from_port         = var.db_port
+  to_port           = var.db_port
+  protocol          = "tcp"
+  self              = true
+  security_group_id = join("", aws_security_group.default.*.id)
+}
+
 resource "aws_security_group_rule" "ingress_cidr_blocks" {
   count             = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
   description       = "Allow inbound traffic from existing CIDR blocks"

variables.tf

@@ -456,3 +456,9 @@ variable "subnet_group_name" {
   type        = string
   default     = ""
 }
+
+variable "allow_traffic_inside_security_group" {
+  type        = bool
+  default     = false
+  description = "Whether to allow traffic between resources inside the database's security group."
+}