diff --git a/README.md b/README.md
index c555f7d7..c157d4f0 100644
--- a/README.md
+++ b/README.md
@@ -356,7 +356,9 @@ Available targets:
| [aws_rds_cluster_parameter_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.egress_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_ipv6_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.traffic_inside_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [random_pet.instance](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
@@ -377,6 +379,7 @@ Available targets:
| [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no |
| [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no |
| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no |
+| [allowed\_ipv6\_cidr\_blocks](#input\_allowed\_ipv6\_cidr\_blocks) | List of IPv6 CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no |
| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no |
| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | `bool` | `true` | no |
@@ -434,6 +437,7 @@ Available targets:
| [manage\_admin\_user\_password](#input\_manage\_admin\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided | `bool` | `false` | no |
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [network\_type](#input\_network\_type) | The network type of the cluster. Valid values: IPV4, DUAL. | `string` | `"IPV4"` | no |
| [parameter\_group\_name\_prefix\_enabled](#input\_parameter\_group\_name\_prefix\_enabled) | Set to `true` to use `name_prefix` to name the cluster and database parameter groups. Set to `false` to use `name` instead | `bool` | `true` | no |
| [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | Whether to enable Performance Insights | `bool` | `false` | no |
| [performance\_insights\_kms\_key\_id](#input\_performance\_insights\_kms\_key\_id) | The ARN for the KMS key to encrypt Performance Insights data. When specifying `performance_insights_kms_key_id`, `performance_insights_enabled` needs to be set to true | `string` | `""` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index e6dd2592..18889aeb 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -22,6 +22,7 @@
| [dns\_master](#module\_dns\_master) | cloudposse/route53-cluster-hostname/aws | 0.12.2 |
| [dns\_replicas](#module\_dns\_replicas) | cloudposse/route53-cluster-hostname/aws | 0.12.2 |
| [enhanced\_monitoring\_label](#module\_enhanced\_monitoring\_label) | cloudposse/label/null | 0.25.0 |
+| [rds\_identifier](#module\_rds\_identifier) | cloudposse/label/null | 0.25.0 |
| [this](#module\_this) | cloudposse/label/null | 0.25.0 |
## Resources
@@ -41,7 +42,9 @@
| [aws_rds_cluster_parameter_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.egress_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_ipv6_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.traffic_inside_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [random_pet.instance](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
@@ -62,6 +65,7 @@
| [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no |
| [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no |
| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no |
+| [allowed\_ipv6\_cidr\_blocks](#input\_allowed\_ipv6\_cidr\_blocks) | List of IPv6 CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no |
| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no |
| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | `bool` | `true` | no |
@@ -119,6 +123,7 @@
| [manage\_admin\_user\_password](#input\_manage\_admin\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided | `bool` | `false` | no |
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [network\_type](#input\_network\_type) | The network type of the cluster. Valid values: IPV4, DUAL. | `string` | `"IPV4"` | no |
| [parameter\_group\_name\_prefix\_enabled](#input\_parameter\_group\_name\_prefix\_enabled) | Set to `true` to use `name_prefix` to name the cluster and database parameter groups. Set to `false` to use `name` instead | `bool` | `true` | no |
| [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | Whether to enable Performance Insights | `bool` | `false` | no |
| [performance\_insights\_kms\_key\_id](#input\_performance\_insights\_kms\_key\_id) | The ARN for the KMS key to encrypt Performance Insights data. When specifying `performance_insights_kms_key_id`, `performance_insights_enabled` needs to be set to true | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index a2fbb3be..73df8cd1 100644
--- a/main.tf
+++ b/main.tf
@@ -55,6 +55,17 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" {
security_group_id = join("", aws_security_group.default[*].id)
}
+resource "aws_security_group_rule" "ingress_ipv6_cidr_blocks" {
+ count = local.enabled && length(var.allowed_ipv6_cidr_blocks) > 0 ? 1 : 0
+ description = "Allow inbound traffic from existing CIDR blocks"
+ type = "ingress"
+ from_port = var.db_port
+ to_port = var.db_port
+ protocol = "tcp"
+ ipv6_cidr_blocks = var.allowed_ipv6_cidr_blocks
+ security_group_id = join("", aws_security_group.default[*].id)
+}
+
resource "aws_security_group_rule" "egress" {
count = local.enabled && var.egress_enabled ? 1 : 0
description = "Allow outbound traffic"
@@ -66,6 +77,17 @@ resource "aws_security_group_rule" "egress" {
security_group_id = join("", aws_security_group.default[*].id)
}
+resource "aws_security_group_rule" "egress_ipv6" {
+ count = local.enabled && var.egress_enabled ? 1 : 0
+ description = "Allow outbound ipv6 traffic"
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_blocks = ["::/0"]
+ security_group_id = join("", aws_security_group.default[*].id)
+}
+
# The name "primary" is poorly chosen. We actually mean standalone or regional.
# The primary cluster of a global database is actually created with the "secondary" cluster resource below.
resource "aws_rds_cluster" "primary" {
@@ -93,6 +115,7 @@ resource "aws_rds_cluster" "primary" {
snapshot_identifier = var.snapshot_identifier
vpc_security_group_ids = compact(flatten([join("", aws_security_group.default[*].id), var.vpc_security_group_ids]))
preferred_maintenance_window = var.maintenance_window
+ network_type = var.network_type
db_subnet_group_name = join("", aws_db_subnet_group.default[*].name)
db_cluster_parameter_group_name = join("", aws_rds_cluster_parameter_group.default[*].name)
iam_database_authentication_enabled = var.iam_database_authentication_enabled
@@ -193,6 +216,7 @@ resource "aws_rds_cluster" "secondary" {
snapshot_identifier = var.snapshot_identifier
vpc_security_group_ids = compact(flatten([join("", aws_security_group.default[*].id), var.vpc_security_group_ids]))
preferred_maintenance_window = var.maintenance_window
+ network_type = var.network_type
db_subnet_group_name = join("", aws_db_subnet_group.default[*].name)
db_cluster_parameter_group_name = join("", aws_rds_cluster_parameter_group.default[*].name)
iam_database_authentication_enabled = var.iam_database_authentication_enabled
diff --git a/variables.tf b/variables.tf
index 1cf1b9be..5b54c723 100644
--- a/variables.tf
+++ b/variables.tf
@@ -240,6 +240,12 @@ variable "allowed_cidr_blocks" {
description = "List of CIDR blocks allowed to access the cluster"
}
+variable "allowed_ipv6_cidr_blocks" {
+ type = list(string)
+ default = []
+ description = "List of IPv6 CIDR blocks allowed to access the cluster"
+}
+
variable "publicly_accessible" {
type = bool
description = "Set to true if you want your cluster to be publicly accessible (such as via QuickSight)"
@@ -531,3 +537,9 @@ variable "enable_global_write_forwarding" {
default = false
description = "Set to `true`, to forward writes to an associated global cluster."
}
+
+variable "network_type" {
+ type = string
+ default = "IPV4"
+ description = "The network type of the cluster. Valid values: IPV4, DUAL."
+}
\ No newline at end of file