feat(security-groups): add ingress prefix lists (#205)

* feat(security-groups): add ingress prefix lists

Add new variable: allowed_prefix_list_ids
Add new resource: aws_security_group_rule.ingress_cidr_blocks

Signed-off-by: Viktoras Draugelis <viktoras.draugelis@oag.com>

* chore(security-group): replace join with one for target sg id

Co-authored-by: Veronika Gnilitska <30597968+gberenice@users.noreply.github.com>

---------

Signed-off-by: Viktoras Draugelis <viktoras.draugelis@oag.com>
Co-authored-by: Veronika Gnilitska <30597968+gberenice@users.noreply.github.com>

Author: draugelis-at-oag

main.tf

@@ -215,6 +215,18 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" {
   security_group_id = join("", aws_security_group.default[*].id)
 }
 
+resource "aws_security_group_rule" "ingress_prefix_lists" {
+  count = module.this.enabled && length(var.allowed_prefix_list_ids) > 0 ? 1 : 0
+
+  description       = "Allow inbound traffic from prefix lists"
+  type              = "ingress"
+  from_port         = var.database_port
+  to_port           = var.database_port
+  protocol          = "tcp"
+  prefix_list_ids   = var.allowed_prefix_list_ids
+  security_group_id = one(aws_security_group.default[*].id)
+}
+
 resource "aws_security_group_rule" "egress" {
   count             = module.this.enabled ? 1 : 0
   description       = "Allow all egress traffic"

variables.tf

@@ -22,6 +22,12 @@ variable "allowed_cidr_blocks" {
   description = "The whitelisted CIDRs which to allow `ingress` traffic to the DB instance"
 }
 
+variable "allowed_prefix_list_ids" {
+  type        = list(string)
+  default     = []
+  description = "The list of prefix list IDs from which to allow `ingress` traffic to the DB instance"
+}
+
 variable "associate_security_group_ids" {
   type        = list(string)
   default     = []