From 63c3cdbd597fa7e6e4aa0f26231383a6f48eccf0 Mon Sep 17 00:00:00 2001
From: Samuel CHNIBER
Date: Tue, 31 Aug 2021 12:46:19 +0200
Subject: [PATCH] feature-#224-Implement ingress_with_prefix_list_ids and egress_with_prefix_list_ids
---
 README.md | 10 ++++
 main.tf | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 36 +++++++++++++
 3 files changed, 194 insertions(+)
diff --git a/README.md b/README.md
index 118711a9..8b194311 100644
--- a/README.md
+++ b/README.md
@@ -181,21 +181,25 @@ No modules.
 | [aws_security_group_rule.computed_egress_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_egress_with_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_egress_with_ipv6_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.computed_egress_with_prefix_list_ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_egress_with_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_egress_with_source_security_group_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_ingress_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_ingress_with_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_ingress_with_ipv6_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.computed_ingress_with_prefix_list_ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_ingress_with_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.computed_ingress_with_source_security_group_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.egress_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.egress_with_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.egress_with_ipv6_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.egress_with_prefix_list_ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.egress_with_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.egress_with_source_security_group_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_with_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_with_ipv6_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_with_prefix_list_ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_with_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.ingress_with_source_security_group_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -207,11 +211,13 @@ No modules.
 | [computed\_egress\_rules](#input\_computed\_egress\_rules) | List of computed egress rules to create by name | `list(string)` | `[]` | no |
 | [computed\_egress\_with\_cidr\_blocks](#input\_computed\_egress\_with\_cidr\_blocks) | List of computed egress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
 | [computed\_egress\_with\_ipv6\_cidr\_blocks](#input\_computed\_egress\_with\_ipv6\_cidr\_blocks) | List of computed egress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
+| [computed\_egress\_with\_prefix\_list\_ids](#input\_computed\_egress\_with\_prefix\_list\_ids) | List of computed egress rules to create where 'prefix\_list\_ids' is used only | `list(map(string))` | `[]` | no |
 | [computed\_egress\_with\_self](#input\_computed\_egress\_with\_self) | List of computed egress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
 | [computed\_egress\_with\_source\_security\_group\_id](#input\_computed\_egress\_with\_source\_security\_group\_id) | List of computed egress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
 | [computed\_ingress\_rules](#input\_computed\_ingress\_rules) | List of computed ingress rules to create by name | `list(string)` | `[]` | no |
 | [computed\_ingress\_with\_cidr\_blocks](#input\_computed\_ingress\_with\_cidr\_blocks) | List of computed ingress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
 | [computed\_ingress\_with\_ipv6\_cidr\_blocks](#input\_computed\_ingress\_with\_ipv6\_cidr\_blocks) | List of computed ingress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
+| [computed\_ingress\_with\_prefix\_list\_ids](#input\_computed\_ingress\_with\_prefix\_list\_ids) | List of computed ingress rules to create where 'prefix\_list\_ids' is used | `list(map(string))` | `[]` | no |
 | [computed\_ingress\_with\_self](#input\_computed\_ingress\_with\_self) | List of computed ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
 | [computed\_ingress\_with\_source\_security\_group\_id](#input\_computed\_ingress\_with\_source\_security\_group\_id) | List of computed ingress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
 | [create](#input\_create) | Whether to create security group and all rules | `bool` | `true` | no |
@@ -225,6 +231,7 @@ No modules.
 | [egress\_rules](#input\_egress\_rules) | List of egress rules to create by name | `list(string)` | `[]` | no |
 | [egress\_with\_cidr\_blocks](#input\_egress\_with\_cidr\_blocks) | List of egress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
 | [egress\_with\_ipv6\_cidr\_blocks](#input\_egress\_with\_ipv6\_cidr\_blocks) | List of egress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
+| [egress\_with\_prefix\_list\_ids](#input\_egress\_with\_prefix\_list\_ids) | List of egress rules to create where 'prefix\_list\_ids' is used only | `list(map(string))` | `[]` | no |
 | [egress\_with\_self](#input\_egress\_with\_self) | List of egress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
 | [egress\_with\_source\_security\_group\_id](#input\_egress\_with\_source\_security\_group\_id) | List of egress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
 | [ingress\_cidr\_blocks](#input\_ingress\_cidr\_blocks) | List of IPv4 CIDR ranges to use on all ingress rules | `list(string)` | `[]` | no |
@@ -233,17 +240,20 @@ No modules.
 | [ingress\_rules](#input\_ingress\_rules) | List of ingress rules to create by name | `list(string)` | `[]` | no |
 | [ingress\_with\_cidr\_blocks](#input\_ingress\_with\_cidr\_blocks) | List of ingress rules to create where 'cidr\_blocks' is used | `list(map(string))` | `[]` | no |
 | [ingress\_with\_ipv6\_cidr\_blocks](#input\_ingress\_with\_ipv6\_cidr\_blocks) | List of ingress rules to create where 'ipv6\_cidr\_blocks' is used | `list(map(string))` | `[]` | no |
+| [ingress\_with\_prefix\_list\_ids](#input\_ingress\_with\_prefix\_list\_ids) | List of ingress rules to create where 'prefix\_list\_ids' is used only | `list(map(string))` | `[]` | no |
 | [ingress\_with\_self](#input\_ingress\_with\_self) | List of ingress rules to create where 'self' is defined | `list(map(string))` | `[]` | no |
 | [ingress\_with\_source\_security\_group\_id](#input\_ingress\_with\_source\_security\_group\_id) | List of ingress rules to create where 'source\_security\_group\_id' is used | `list(map(string))` | `[]` | no |
 | [name](#input\_name) | Name of security group - not required if create\_sg is false | `string` | `null` | no |
 | [number\_of\_computed\_egress\_rules](#input\_number\_of\_computed\_egress\_rules) | Number of computed egress rules to create by name | `number` | `0` | no |
 | [number\_of\_computed\_egress\_with\_cidr\_blocks](#input\_number\_of\_computed\_egress\_with\_cidr\_blocks) | Number of computed egress rules to create where 'cidr\_blocks' is used | `number` | `0` | no |
 | [number\_of\_computed\_egress\_with\_ipv6\_cidr\_blocks](#input\_number\_of\_computed\_egress\_with\_ipv6\_cidr\_blocks) | Number of computed egress rules to create where 'ipv6\_cidr\_blocks' is used | `number` | `0` | no |
+| [number\_of\_computed\_egress\_with\_prefix\_list\_ids](#input\_number\_of\_computed\_egress\_with\_prefix\_list\_ids) | Number of computed egress rules to create where 'prefix\_list\_ids' is used only | `number` | `0` | no |
 | [number\_of\_computed\_egress\_with\_self](#input\_number\_of\_computed\_egress\_with\_self) | Number of computed egress rules to create where 'self' is defined | `number` | `0` | no |
 | [number\_of\_computed\_egress\_with\_source\_security\_group\_id](#input\_number\_of\_computed\_egress\_with\_source\_security\_group\_id) | Number of computed egress rules to create where 'source\_security\_group\_id' is used | `number` | `0` | no |
 | [number\_of\_computed\_ingress\_rules](#input\_number\_of\_computed\_ingress\_rules) | Number of computed ingress rules to create by name | `number` | `0` | no |
 | [number\_of\_computed\_ingress\_with\_cidr\_blocks](#input\_number\_of\_computed\_ingress\_with\_cidr\_blocks) | Number of computed ingress rules to create where 'cidr\_blocks' is used | `number` | `0` | no |
 | [number\_of\_computed\_ingress\_with\_ipv6\_cidr\_blocks](#input\_number\_of\_computed\_ingress\_with\_ipv6\_cidr\_blocks) | Number of computed ingress rules to create where 'ipv6\_cidr\_blocks' is used | `number` | `0` | no |
+| [number\_of\_computed\_ingress\_with\_prefix\_list\_ids](#input\_number\_of\_computed\_ingress\_with\_prefix\_list\_ids) | Number of computed ingress rules to create where 'prefix\_list\_ids' is used | `number` | `0` | no |
 | [number\_of\_computed\_ingress\_with\_self](#input\_number\_of\_computed\_ingress\_with\_self) | Number of computed ingress rules to create where 'self' is defined | `number` | `0` | no |
 | [number\_of\_computed\_ingress\_with\_source\_security\_group\_id](#input\_number\_of\_computed\_ingress\_with\_source\_security\_group\_id) | Number of computed ingress rules to create where 'source\_security\_group\_id' is used | `number` | `0` | no |
 | [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index 6ca0aaf9..8946dccf 100644
--- a/main.tf
+++ b/main.tf
@@ -430,6 +430,67 @@ resource "aws_security_group_rule" "computed_ingress_with_self" {
 var.rules[lookup(var.computed_ingress_with_self[count.index], "rule", "_")][2],
 )
 }
+# Security group rules with "prefix_list_ids", but without "cidr_blocks", "self" or "source_security_group_id"
+resource "aws_security_group_rule" "ingress_with_prefix_list_ids" {
+ count = var.create ? length(var.ingress_with_prefix_list_ids) : 0
+
+ security_group_id = local.this_sg_id
+ type = "ingress"
+
+ prefix_list_ids = var.ingress_prefix_list_ids
+ description = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "description",
+ "Ingress Rule",
+ )
+
+ from_port = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "from_port",
+ var.rules[lookup(var.ingress_with_prefix_list_ids[count.index], "rule", "_")][0],
+ )
+ to_port = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "to_port",
+ var.rules[lookup(var.ingress_with_prefix_list_ids[count.index], "rule", "_")][1],
+ )
+ protocol = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "protocol",
+ var.rules[lookup(var.ingress_with_prefix_list_ids[count.index], "rule", "_")][2],
+ )
+}
+
+# Computed - Security group rules with "prefix_list_ids", but without "cidr_blocks", "self" or "source_security_group_id"
+resource "aws_security_group_rule" "computed_ingress_with_prefix_list_ids" {
+ count = var.create ? var.number_of_computed_ingress_with_prefix_list_ids : 0
+
+ security_group_id = local.this_sg_id
+ type = "ingress"
+
+ prefix_list_ids = var.ingress_prefix_list_ids
+ description = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "description",
+ "Ingress Rule",
+ )
+
+ from_port = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "from_port",
+ var.rules[lookup(var.ingress_with_prefix_list_ids[count.index], "rule", "_")][0],
+ )
+ to_port = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "to_port",
+ var.rules[lookup(var.ingress_with_prefix_list_ids[count.index], "rule", "_")][1],
+ )
+ protocol = lookup(
+ var.ingress_with_prefix_list_ids[count.index],
+ "protocol",
+ var.rules[lookup(var.ingress_with_prefix_list_ids[count.index], "rule", "_")][2],
+ )
+}
 #################
 # End of ingress
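Review bot: In `computed_ingress_with_prefix_list_ids` every `lookup(...)` and every `var.rules[...]` index reads `var.ingress_with_prefix_list_ids[count.index]`, while `count` is driven by `var.number_of_computed_ingress_with_prefix_list_ids`, so the new `computed_ingress_with_prefix_list_ids` variable is never consulted and the index runs past the non-computed list whenever the computed count exceeds its length; replace each occurrence in that resource with `var.computed_ingress_with_prefix_list_ids[count.index]`. Separately, both resources set `prefix_list_ids = var.ingress_prefix_list_ids` and never read a per-rule `prefix_list_ids` key, so every entry binds to the same module-wide prefix lists and, with that variable's default of `[]` (visible as context in the variables.tf hunk), the rule presumably has no source at all and would be rejected by the provider. The other `*_with_*` rules in this module appear to resolve their source per rule with a `lookup` that falls back to the module-wide list, e.g. `prefix_list_ids = compact(split(",", lookup(var.ingress_with_prefix_list_ids[count.index], "prefix_list_ids", join(",", var.ingress_prefix_list_ids))))`, which keeps each rule's reach explicit in the caller's map. The same two points apply to `egress_with_prefix_list_ids` and `computed_egress_with_prefix_list_ids` in the second main.tf hunk.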
@@ -807,6 +868,93 @@ resource "aws_security_group_rule" "computed_egress_with_self" {
 )
 }
+# Security group rules with "egress_prefix_list_ids", but without "cidr_blocks", "self" or "source_security_group_id"
+resource "aws_security_group_rule" "egress_with_prefix_list_ids" {
+ count = var.create ? length(var.egress_with_prefix_list_ids) : 0
+
+ security_group_id = local.this_sg_id
+ type = "egress"
+
+ prefix_list_ids = var.egress_prefix_list_ids
+ description = lookup(
+ var.egress_with_prefix_list_ids[count.index],
+ "description",
+ "Egress Rule",
+ )
+
+ from_port = lookup(
+ var.egress_with_prefix_list_ids[count.index],
+ "from_port",
+ var.rules[lookup(
+ var.egress_with_prefix_list_ids[count.index],
+ "rule",
+ "_",
+ )][0],
+ )
+ to_port = lookup(
+ var.egress_with_prefix_list_ids[count.index],
+ "to_port",
+ var.rules[lookup(
+ var.egress_with_prefix_list_ids[count.index],
+ "rule",
+ "_",
+ )][1],
+ )
+ protocol = lookup(
+ var.egress_with_prefix_list_ids[count.index],
+ "protocol",
+ var.rules[lookup(
+ var.egress_with_prefix_list_ids[count.index],
+ "rule",
+ "_",
+ )][2],
+ )
+}
+
+# Computed - Security group rules with "source_security_group_id", but without "cidr_blocks", "self" or "source_security_group_id"
+resource "aws_security_group_rule" "computed_egress_with_prefix_list_ids" {
+ count = var.create ? var.number_of_computed_egress_with_prefix_list_ids : 0
+
+ security_group_id = local.this_sg_id
+ type = "egress"
+
+ source_security_group_id = var.computed_egress_with_prefix_list_ids[count.index]["source_security_group_id"]
+ prefix_list_ids = var.egress_prefix_list_ids
+ description = lookup(
+ var.computed_egress_with_prefix_list_ids[count.index],
+ "description",
+ "Egress Rule",
+ )
+
+ from_port = lookup(
+ var.computed_egress_with_prefix_list_ids[count.index],
+ "from_port",
+ var.rules[lookup(
+ var.computed_egress_with_prefix_list_ids[count.index],
+ "rule",
+ "_",
+ )][0],
+ )
+ to_port = lookup(
+ var.computed_egress_with_prefix_list_ids[count.index],
+ "to_port",
+ var.rules[lookup(
+ var.computed_egress_with_prefix_list_ids[count.index],
+ "rule",
+ "_",
+ )][1],
+ )
+ protocol = lookup(
+ var.computed_egress_with_prefix_list_ids[count.index],
+ "protocol",
+ var.rules[lookup(
+ var.computed_egress_with_prefix_list_ids[count.index],
+ "rule",
+ "_",
+ )][2],
+ )
+}
+
 ################
 # End of egress
 ################
diff --git a/variables.tf b/variables.tf
index 960f0cbc..9fa499d4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -118,6 +118,12 @@ variable "ingress_prefix_list_ids" {
 default = []
 }
+variable "ingress_with_prefix_list_ids" {
+ description = "List of ingress rules to create where 'prefix_list_ids' is used only"
+ type = list(map(string))
+ default = []
+}
+
 ###################
 # Computed Ingress
 ###################
@@ -151,6 +157,12 @@ variable "computed_ingress_with_source_security_group_id" {
 default = []
 }
+variable "computed_ingress_with_prefix_list_ids" {
+ description = "List of computed ingress rules to create where 'prefix_list_ids' is used"
+ type = list(map(string))
+ default = []
+}
+
 ###################################
 # Number of computed ingress rules
 ###################################
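Review bot: `computed_egress_with_prefix_list_ids` sets `source_security_group_id = var.computed_egress_with_prefix_list_ids[count.index]["source_security_group_id"]` by direct indexing, which makes that key mandatory for every computed entry (a map without it fails the plan) and widens a rule that the variable description presents as prefix-list-only to also admit a security-group source; drop that line so the rule's reach is bounded by `prefix_list_ids` alone. The header comment above the same resource reads `# Computed - Security group rules with "source_security_group_id", but without "cidr_blocks", "self" or "source_security_group_id"`, which contradicts itself, and the one above `egress_with_prefix_list_ids` names `"egress_prefix_list_ids"` rather than the attribute; both should read `# Security group rules with "prefix_list_ids", but without "cidr_blocks", "self" or "source_security_group_id"` (with the `Computed - ` prefix on the second) as the ingress hunk does. The module-wide `prefix_list_ids = var.egress_prefix_list_ids` assignment in both resources has the per-rule-override gap already raised on the ingress hunk.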
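Review bot: The descriptions of the six new variables disagree on wording — `ingress_with_prefix_list_ids`, `egress_with_prefix_list_ids`, `computed_egress_with_prefix_list_ids` and `number_of_computed_egress_with_prefix_list_ids` say `'prefix_list_ids' is used only` while `computed_ingress_with_prefix_list_ids` and `number_of_computed_ingress_with_prefix_list_ids` say `'prefix_list_ids' is used` — and none tells the caller which map keys are honoured. Since the main.tf hunks read only `rule`, `from_port`, `to_port`, `protocol` and `description` from each map, a description such as `"List of ingress rules to create where only 'prefix_list_ids' is used as the source; each map accepts 'rule', 'from_port', 'to_port', 'protocol' and 'description'"` would state the contract for the two `*_with_prefix_list_ids` list variables, with the computed and `number_of_*` variants worded to match. The README rows appear to be generated from these descriptions and would need regenerating afterwards; this applies to all six variables.tf hunks, not just the first two.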
@@ -184,6 +196,12 @@ variable "number_of_computed_ingress_with_source_security_group_id" {
 default = 0
 }
+variable "number_of_computed_ingress_with_prefix_list_ids" {
+ description = "Number of computed ingress rules to create where 'prefix_list_ids' is used"
+ type = number
+ default = 0
+}
+
 #########
 # Egress
 #########
@@ -217,6 +235,12 @@ variable "egress_with_source_security_group_id" {
 default = []
 }
+variable "egress_with_prefix_list_ids" {
+ description = "List of egress rules to create where 'prefix_list_ids' is used only"
+ type = list(map(string))
+ default = []
+}
+
 variable "egress_cidr_blocks" {
 description = "List of IPv4 CIDR ranges to use on all egress rules"
 type = list(string)
@@ -268,6 +292,12 @@ variable "computed_egress_with_source_security_group_id" {
 default = []
 }
+variable "computed_egress_with_prefix_list_ids" {
+ description = "List of computed egress rules to create where 'prefix_list_ids' is used only"
+ type = list(map(string))
+ default = []
+}
+
 ##################################
 # Number of computed egress rules
 ##################################
@@ -301,6 +331,12 @@ variable "number_of_computed_egress_with_source_security_group_id" {
 default = 0
 }
+variable "number_of_computed_egress_with_prefix_list_ids" {
+ description = "Number of computed egress rules to create where 'prefix_list_ids' is used only"
+ type = number
+ default = 0
+}
+
 variable "putin_khuylo" {
 description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
 type = bool