adding a feature to customize the egress rule

cloudposse · May 4, 2023 · 8d31280 · 8d31280
1 parent 6fbf8d4
commit 8d31280
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -9,11 +9,11 @@ resource "aws_security_group" "default" {
 resource "aws_security_group_rule" "egress" {
   count             = module.this.enabled ? 1 : 0
   type              = "egress"
-  description       = "Allow all egress traffic"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"]
+  description       = "Allow outbound traffic from CIDR blocks"
+  from_port         = var.egress_port
+  to_port           = var.egress_port
+  protocol          = var.egress_protocol
+  cidr_blocks       = var.allowed_egress_cidr_blocks
   security_group_id = join("", aws_security_group.default.*.id)
 }
 

diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,24 @@ variable "zone_id" {
   description = "Route53 parent zone ID. If provided (not empty), the module will create sub-domain DNS records for the DocumentDB master and replicas"
 }
 
+variable "egress_port" {
+  type        = number
+  default     = 0
+  description = "DocumentDB port for egress (e.g. `27017`)"
+}
+
+variable "egress_protocol" {
+  type        = string
+  default     = "-1"
+  description = "DocumentDB protocol for egress (e.g. `-1`, `tcp`)"
+}
+
+variable "allowed_egress_cidr_blocks" {
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+  description = "List of CIDR blocks to be allowed to send traffic outside of the DocumentDB cluster"
+}
+
 variable "allowed_security_groups" {
   type        = list(string)
   default     = []