adding a feature to customize the egress rule

main.tf

@@ -9,11 +9,11 @@ resource "aws_security_group" "default" {
 resource "aws_security_group_rule" "egress" {
   count             = module.this.enabled ? 1 : 0
   type              = "egress"
-  description       = "Allow all egress traffic"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"]
+  description       = "Allow outbound traffic from CIDR blocks"
+  from_port         = var.egress_source_port
+  to_port           = var.egress_dest_port
+  protocol          = var.egress_protocol
+  cidr_blocks       = var.allowed_egress_cidr_blocks
   security_group_id = join("", aws_security_group.default[*].id)
 }
 

variables.tf

@@ -4,6 +4,30 @@ variable "zone_id" {
   description = "Route53 parent zone ID. If provided (not empty), the module will create sub-domain DNS records for the DocumentDB master and replicas"
 }
 
+variable "egress_source_port" {
+  type        = number
+  default     = 0
+  description = "DocumentDB source port for egress (e.g. `27017`)"
+}
+
+variable "egress_dest_port" {
+  type        = number
+  default     = 0
+  description = "DocumentDB destination port for egress (e.g. `27017`)"
+}
+
+variable "egress_protocol" {
+  type        = string
+  default     = "-1"
+  description = "DocumentDB protocol for egress (e.g. `-1`, `tcp`)"
+}
+
+variable "allowed_egress_cidr_blocks" {
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+  description = "List of CIDR blocks to be allowed to send traffic outside of the DocumentDB cluster"
+}
+
 variable "allowed_security_groups" {
   type        = list(string)
   default     = []