From 1440602d90a2fb2414158758dbe2c6f131282a7b Mon Sep 17 00:00:00 2001 From: mschfh <37435502+mschfh@users.noreply.github.com> Date: Wed, 30 Oct 2024 23:54:04 +0100 Subject: [PATCH] Fix IPv6 ingress rules --- README.md | 4 ++-- docs/terraform.md | 6 +++--- main.tf | 16 ++++++++++++++-- variables.tf | 19 +++++++++++++++++-- 4 files changed, 36 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2961ab0..8e1b492 100644 --- a/README.md +++ b/README.md @@ -234,12 +234,12 @@ Available targets: | [health\_check\_unhealthy\_threshold](#input\_health\_check\_unhealthy\_threshold) | The number of consecutive health check failures required before considering the target unhealthy | `number` | `2` | no | | [http2\_enabled](#input\_http2\_enabled) | A boolean flag to enable/disable HTTP/2 | `bool` | `true` | no | | [http\_enabled](#input\_http\_enabled) | A boolean flag to enable/disable HTTP listener | `bool` | `true` | no | -| [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` |
[
"0.0.0.0/0",
"::/0"
]
| no | | [http\_ingress\_prefix\_list\_ids](#input\_http\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTP ingress security group | `list(string)` | `[]` | no | | [http\_port](#input\_http\_port) | The port for the HTTP listener | `number` | `80` | no | | [http\_redirect](#input\_http\_redirect) | A boolean flag to enable/disable HTTP redirect to HTTPS | `bool` | `false` | no | | [https\_enabled](#input\_https\_enabled) | A boolean flag to enable/disable HTTPS listener | `bool` | `false` | no | -| [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` |
[
"0.0.0.0/0",
"::/0"
]
| no | | [https\_ingress\_prefix\_list\_ids](#input\_https\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTPS ingress security group | `list(string)` | `[]` | no | | [https\_port](#input\_https\_port) | The port for the HTTPS listener | `number` | `443` | no | | [https\_ssl\_policy](#input\_https\_ssl\_policy) | The name of the SSL Policy for the listener | `string` | `"ELBSecurityPolicy-2015-05"` | no | diff --git a/docs/terraform.md b/docs/terraform.md index dffb11b..322eca8 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -72,12 +72,12 @@ | [health\_check\_unhealthy\_threshold](#input\_health\_check\_unhealthy\_threshold) | The number of consecutive health check failures required before considering the target unhealthy | `number` | `2` | no | | [http2\_enabled](#input\_http2\_enabled) | A boolean flag to enable/disable HTTP/2 | `bool` | `true` | no | | [http\_enabled](#input\_http\_enabled) | A boolean flag to enable/disable HTTP listener | `bool` | `true` | no | -| [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` |
[
"0.0.0.0/0",
"::/0"
]
| no | | [http\_ingress\_prefix\_list\_ids](#input\_http\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTP ingress security group | `list(string)` | `[]` | no | | [http\_port](#input\_http\_port) | The port for the HTTP listener | `number` | `80` | no | | [http\_redirect](#input\_http\_redirect) | A boolean flag to enable/disable HTTP redirect to HTTPS | `bool` | `false` | no | | [https\_enabled](#input\_https\_enabled) | A boolean flag to enable/disable HTTPS listener | `bool` | `false` | no | -| [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` |
[
"0.0.0.0/0",
"::/0"
]
| no | | [https\_ingress\_prefix\_list\_ids](#input\_https\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTPS ingress security group | `list(string)` | `[]` | no | | [https\_port](#input\_https\_port) | The port for the HTTPS listener | `number` | `443` | no | | [https\_ssl\_policy](#input\_https\_ssl\_policy) | The name of the SSL Policy for the listener | `string` | `"ELBSecurityPolicy-2015-05"` | no | @@ -94,7 +94,7 @@ | [listener\_additional\_tags](#input\_listener\_additional\_tags) | The additional tags to apply to all listeners | `map(string)` | `{}` | no | | [listener\_http\_fixed\_response](#input\_listener\_http\_fixed\_response) | Have the HTTP listener return a fixed response for the default action. |
object({
content_type = string
message_body = string
status_code = string
})
| `null` | no | | [listener\_https\_fixed\_response](#input\_listener\_https\_fixed\_response) | Have the HTTPS listener return a fixed response for the default action. |
object({
content_type = string
message_body = string
status_code = string
})
| `null` | no | -| [listener\_https\_redirect](#input\_listener\_https\_redirect) | Have the HTTPS listener return a redirect response for the default action. |
object({
host = optional(string)
path = optional(string)
port = optional(string)
protocol = optional(string)
query = optional(string)
status_code = optional(string)
})
| `null` | no | +| [listener\_https\_redirect](#input\_listener\_https\_redirect) | Have the HTTPS listener return a redirect response for the default action. |
object({
host = optional(string)
path = optional(string)
port = optional(string)
protocol = optional(string)
query = optional(string)
status_code = string
})
|
{
"host": null,
"path": null,
"port": null,
"protocol": null,
"query": null,
"status_code": "HTTP_301"
}
| no | | [load\_balancer\_name](#input\_load\_balancer\_name) | The name for the default load balancer, uses a module label name if left empty | `string` | `""` | no | | [load\_balancer\_name\_max\_length](#input\_load\_balancer\_name\_max\_length) | The max length of characters for the load balancer. | `number` | `32` | no | | [load\_balancing\_algorithm\_type](#input\_load\_balancing\_algorithm\_type) | Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups | `string` | `"round_robin"` | no | diff --git a/main.tf b/main.tf index 4804301..9074125 100644 --- a/main.tf +++ b/main.tf @@ -1,3 +1,13 @@ +locals { + # cidrnetmask returns an error for IPv6 addresses + # cidrhost works with both IPv4 and IPv6, and returns an error if the argument is not a valid IPv4/IPv6 CIDR prefix + http_ingress_cidr_blocks_v4 = [for cidr in var.http_ingress_cidr_blocks : cidr if can(cidrnetmask(cidr))] + http_ingress_cidr_blocks_v6 = var.ip_address_type == "dualstack" ? [for cidr in var.http_ingress_cidr_blocks : cidr if !can(cidrnetmask(cidr)) && can(cidrhost(cidr, 0))] : [] + https_ingress_cidr_blocks_v4 = [for cidr in var.https_ingress_cidr_blocks : cidr if can(cidrnetmask(cidr))] + https_ingress_cidr_blocks_v6 = var.ip_address_type == "dualstack" ? [for cidr in var.https_ingress_cidr_blocks : cidr if !can(cidrnetmask(cidr)) && can(cidrhost(cidr, 0))] : [] +} + + resource "aws_security_group" "default" { count = module.this.enabled && var.security_group_enabled ? 1 : 0 description = "Controls access to the ALB (HTTP/HTTPS)" @@ -22,7 +32,8 @@ resource "aws_security_group_rule" "http_ingress" { from_port = var.http_port to_port = var.http_port protocol = "tcp" - cidr_blocks = var.http_ingress_cidr_blocks + cidr_blocks = local.http_ingress_cidr_blocks_v4 + ipv6_cidr_blocks = local.http_ingress_cidr_blocks_v6 prefix_list_ids = var.http_ingress_prefix_list_ids security_group_id = one(aws_security_group.default[*].id) } @@ -33,7 +44,8 @@ resource "aws_security_group_rule" "https_ingress" { from_port = var.https_port to_port = var.https_port protocol = "tcp" - cidr_blocks = var.https_ingress_cidr_blocks + cidr_blocks = local.https_ingress_cidr_blocks_v4 + ipv6_cidr_blocks = local.https_ingress_cidr_blocks_v6 prefix_list_ids = var.https_ingress_prefix_list_ids security_group_id = one(aws_security_group.default[*].id) } diff --git a/variables.tf b/variables.tf index a44a1e3..8fbff5c 100644 --- a/variables.tf +++ b/variables.tf @@ -40,8 +40,13 @@ variable "http_redirect" { variable "http_ingress_cidr_blocks" { type = list(string) - default = ["0.0.0.0/0"] + default = ["0.0.0.0/0", "::/0"] description = "List of CIDR blocks to allow in HTTP security group" + + validation { + condition = alltrue([for cidr in var.http_ingress_cidr_blocks : can(cidrhost(cidr, 0))]) + error_message = "Each entry in http_ingress_cidr_blocks must be a valid CIDR block." + } } variable "http_ingress_prefix_list_ids" { @@ -70,8 +75,13 @@ variable "https_enabled" { variable "https_ingress_cidr_blocks" { type = list(string) - default = ["0.0.0.0/0"] + default = ["0.0.0.0/0", "::/0"] description = "List of CIDR blocks to allow in HTTPS security group" + + validation { + condition = alltrue([for cidr in var.https_ingress_cidr_blocks : can(cidrhost(cidr, 0))]) + error_message = "Each entry in https_ingress_cidr_blocks must be a valid CIDR block." + } } variable "https_ingress_prefix_list_ids" { @@ -132,6 +142,11 @@ variable "ip_address_type" { type = string default = "ipv4" description = "The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack`." + + validation { + condition = contains(["ipv4", "dualstack"], var.ip_address_type) + error_message = "ip_address_type must be either `ipv4` or `dualstack`." + } } variable "deletion_protection_enabled" {