Fix validation error 🙈

skwashd · Jan 4, 2025 · e399a45 · e399a45
1 parent a7ec2db
commit e399a45
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -84,6 +84,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [aws_vpc_security_group_ingress_rule.ingress_tcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.ingress_tcp_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.ingress_tcp_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [cloudflare_ip_ranges.cloudflare](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/ip_ranges) | data source |
 <!-- END_TF_DOCS -->
diff --git a/output.tf b/output.tf
@@ -1,4 +1,4 @@
 output "security_group" {
   value       = aws_security_group.this
   description = "AWS security group containing ingress rules for Cloudflare services"
-}
+}
diff --git a/security_group.tf b/security_group.tf
@@ -11,16 +11,28 @@ resource "aws_security_group" "this" {
   )
 }
 
-resource "aws_vpc_security_group_ingress_rule" "ingress_tcp" {
-  for_each = local.ports
+resource "aws_vpc_security_group_ingress_rule" "ingress_tcp_ipv4" {
+  for_each = local.ipv4_rules
 
   security_group_id = aws_security_group.this.id
-  description       = "Allow ingress from Cloudflare on port ${each.key}"
+  description       = each.value.description
 
-  cidr_ipv4 = toset(data.cloudflare_ip_ranges.cloudflare.ipv4_cidr_blocks)
-  cidr_ipv6 = toset(data.cloudflare_ip_ranges.cloudflare.ipv6_cidr_blocks)
+  cidr_ipv4 = each.value.cidr
 
   ip_protocol = "tcp"
-  from_port   = each.key
-  to_port     = each.key
+  from_port   = each.value.port
+  to_port     = each.value.port
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ingress_tcp_ipv6" {
+  for_each = local.ipv6_rules
+
+  security_group_id = aws_security_group.this.id
+  description       = each.value.description
+
+  cidr_ipv6 = each.value.cidr
+
+  ip_protocol = "tcp"
+  from_port   = each.value.port
+  to_port     = each.value.port
 }
diff --git a/variables.tf b/variables.tf
@@ -24,4 +24,37 @@ variable "vpc_id" {
 locals {
   name  = var.name == "" ? "CloudflareIngress-${var.vpc_id}" : var.name
   ports = toset(length(var.additional_ports) == 0 ? ["443"] : concat(["443"], var.additional_ports))
+
+  ipv4_rules = merge(flatten(concat(
+    [
+      for port in local.ports : [
+        for cidr in data.cloudflare_ip_ranges.cloudflare.ipv4_cidr_blocks : [
+          {
+            "${cidr}:${port}" = {
+              port        = port
+              cidr        = cidr
+              description = "Allow ingress from Cloudflare (${cidr}) on port ${port}"
+            }
+          }
+        ]
+      ]
+    ]
+  )[0])...)
+
+  ipv6_rules = merge(flatten(concat(
+    [
+      for port in local.ports : [
+        for cidr in data.cloudflare_ip_ranges.cloudflare.ipv6_cidr_blocks : [
+          {
+            "${cidr}:${port}" = {
+              port        = port
+              cidr        = cidr
+              description = "Allow ingress from Cloudflare (${cidr}) on port ${port}"
+            }
+          }
+        ]
+      ]
+    ]
+  )[0])...)
+
 }