This repository was archived by the owner on Jul 3, 2023. It is now read-only.

Commit 6f1c2d8

committed
Move ingress/egress to aws_security_group_rule in rds
When I created an RDS instance, it kept reporting that it needed to change things. This is also best practice from what I can tell (in case users of the module need to add their own rules to the SG as well).
1 parent 2df1d82 commit 6f1c2d8

1 file changed

+28
-22
lines changed

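--- a/rds/main.tf
+++ b/rds/main.tf
@@ -87,32 +87,38 @@ variable "subnet_ids" {
 type = "list"
 }
 
-resource "aws_security_group" "main" {
-name = "${var.name}-rds"
-description = "Allows traffic to RDS from other security groups"
-vpc_id = "${var.vpc_id}"
+resource "aws_security_group_rule" "main-ingress-cidrs" {
+type = "ingress"
+cidr_blocks = ["${var.ingress_allow_cidr_blocks}"]
+from_port = "${var.port}"
+to_port = "${var.port}"
+protocol = "TCP"
+}
 
-ingress {
-from_port = "${var.port}"
-to_port = "${var.port}"
-protocol = "TCP"
-security_groups = ["${var.ingress_allow_security_groups}"]
-}
+resource "aws_security_group_rule" "main-ingress-sgs" {
+count = "${length(var.ingress_allow_security_groups)}"
+source_security_group_id = "${element(var.ingress_allow_security_groups, count.index)}"
+type = "ingress"
+security_group_id = "${aws_security_group.main.id}"
+from_port = "${var.port}"
+to_port = "${var.port}"
+protocol = "TCP"
+}
 
-ingress {
-from_port = "${var.port}"
-to_port = "${var.port}"
-protocol = "TCP"
-cidr_blocks = ["${var.ingress_allow_cidr_blocks}"]
-}
+resource "aws_security_group_rule" "main-egress-all" {
+type = "egress"
+security_group_id = "${aws_security_group.main.id}"
+from_port = 0
+to_port = 0
+protocol = -1
+cidr_blocks = ["0.0.0.0/0"]
+}
 
-egress {
-from_port = 0
-to_port = 0
-protocol = -1
-cidr_blocks = ["0.0.0.0/0"]
-}
 
+resource "aws_security_group" "main" {
+name = "${var.name}-rds"
+description = "Allows traffic to RDS from other security groups"
+vpc_id = "${var.vpc_id}"
 tags {
 Name = "RDS (${var.name})"
 }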
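Review bot: The new `main-ingress-cidrs` rule (new lines 90–96) never sets `security_group_id`, so unlike `main-ingress-sgs` and `main-egress-all` it is not attached to `aws_security_group.main`. The provider treats that argument as required, so the apply should fail outright; if it did not, the CIDR-allowed sources would silently lose access to `var.port` while the SG-based sources keep it, which is a hard change to notice from the plan output. Add `security_group_id = "${aws_security_group.main.id}"` to the rule next to its `type` line so all three rules are consistent. The `aws_security_group` "main" block that the rules reference continues past the end of the hunk.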
