Add security group as input

schubergphilis · Dec 15, 2023 · 366b8b5 · 366b8b5
1 parent 23442e9
commit 366b8b5
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 35 deletions.
diff --git a/main.tf b/main.tf
@@ -72,7 +72,7 @@ data "aws_subnet" "selected" {
 
 resource "aws_security_group" "default" {
   #checkov:skip=CKV2_AWS_5: False positive finding, the security group is attached.
-  count = var.subnet_ids != null ? 1 : 0
+  count = var.subnet_ids != null && var.security_group_id == null ? 1 : 0
 
   name        = var.security_group_name_prefix == null ? var.name : null
   name_prefix = var.security_group_name_prefix != null ? var.security_group_name_prefix : null
@@ -85,20 +85,6 @@ resource "aws_security_group" "default" {
   }
 }
 
-resource "aws_vpc_security_group_egress_rule" "default" {
-  for_each = var.subnet_ids != null && length(var.security_group_egress_rules) != 0 ? { for v in var.security_group_egress_rules : v.description => v } : {}
-
-  cidr_ipv4                    = each.value.cidr_ipv4
-  cidr_ipv6                    = each.value.cidr_ipv6
-  description                  = each.value.description
-  from_port                    = each.value.from_port
-  ip_protocol                  = each.value.ip_protocol
-  prefix_list_id               = each.value.prefix_list_id
-  referenced_security_group_id = each.value.referenced_security_group_id
-  security_group_id            = aws_security_group.default[0].id
-  to_port                      = each.value.to_port
-}
-
 data "archive_file" "dummy" {
   type        = "zip"
   output_path = "${path.module}/dummy_payload.zip"
@@ -204,7 +190,7 @@ resource "aws_lambda_function" "default" {
 
     content {
       subnet_ids         = var.subnet_ids
-      security_group_ids = [aws_security_group.default[0].id]
+      security_group_ids = [var.security_group_id != null ? var.security_group_id : aws_security_group.default[0].id]
     }
   }
 

diff --git a/outputs.tf b/outputs.tf
@@ -24,7 +24,7 @@ output "role_arn" {
 }
 
 output "security_group_id" {
-  value       = var.subnet_ids != null ? aws_security_group.default[0].id : ""
+  value       = var.subnet_ids != null ? var.security_group_id != null ? var.security_group_id : aws_security_group.default[0].id : ""
   description = "If the Lambda is deployed into a VPC this will output the security group id"
 }
 

diff --git a/variables.tf b/variables.tf
@@ -176,24 +176,10 @@ variable "s3_object_version" {
   description = "The object version containing the function's deployment package"
 }
 
-variable "security_group_egress_rules" {
-  type = list(object({
-    cidr_ipv4                    = optional(string)
-    cidr_ipv6                    = optional(string)
-    description                  = string
-    from_port                    = optional(number, 0)
-    ip_protocol                  = optional(string, "-1")
-    prefix_list_id               = optional(string)
-    referenced_security_group_id = optional(string)
-    to_port                      = optional(number, 0)
-  }))
-  default     = []
-  description = "Security Group egress rules"
-
-  validation {
-    condition     = alltrue([for o in var.security_group_egress_rules : (o.cidr_ipv4 != null || o.cidr_ipv6 != null || o.prefix_list_id != null || o.referenced_security_group_id != null)])
-    error_message = "Although \"cidr_ipv4\", \"cidr_ipv6\", \"prefix_list_id\", and \"referenced_security_group_id\" are all marked as optional, you must provide one of them in order to configure the destination of the traffic."
-  }
+variable "security_group_id" {
+  type        = string
+  default     = null
+  description = "The security group for running the Lambda within the VPC. If not specified a minimal default SG will be created"
 }
 
 variable "security_group_name_prefix" {