Support option to pass in 0 or more Allowed SSH CIDR blocks to vault-cluster module

[sclausson]

Currently the vault-cluster module requires at least 1 CIDR block to be passed in via the allowed_ssh_cidr_blocks variable. In my case, I do not want to pass in any CIDR blocks, since I use a bastion host for SSH access to the cluster. So I want to only pass in the bastion host's security group id via the allowed_inbound_security_group_ids variable.

I've successfully tested in my fork by modifying https://github.com/hashicorp/terraform-aws-vault/blob/master/modules/vault-cluster/main.tf#L91-L99

resource "aws_security_group_rule" "allow_ssh_inbound_from_cidr_blocks" {
  count       = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}"
  type        = "ingress"
  from_port   = "${var.ssh_port}"
  to_port     = "${var.ssh_port}"
  protocol    = "tcp"
  cidr_blocks = ["${var.allowed_ssh_cidr_blocks}"]

  security_group_id = "${aws_security_group.lc_security_group.id}"
}

[brikis98]

Ah, that's a good catch. I'd welcome a PR for that!

[sclausson]

Thanks for merging!