feat: Add option enforce_security_group_inbound_rules_on_private_link_traffic (#332)

Co-authored-by: Bryant Biggs <[email protected]>

Author: ricardoleal

README.md

@@ -242,6 +242,7 @@ module "nlb" {
   subnets            = ["subnet-abcde012", "subnet-bcde012a"]
 
   # Security Group
+  enforce_security_group_inbound_rules_on_private_link_traffic = "on"
   security_group_ingress_rules = {
     all_http = {
       from_port   = 80
@@ -348,13 +349,13 @@ See [patterns.md](https://github.com/terraform-aws-modules/terraform-aws-alb/blo
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.23 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.31 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.23 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.31 |
 
 ## Modules
 
@@ -398,6 +399,7 @@ No modules.
 | <a name="input_enable_tls_version_and_cipher_suite_headers"></a> [enable\_tls\_version\_and\_cipher\_suite\_headers](#input\_enable\_tls\_version\_and\_cipher\_suite\_headers) | Indicates whether the two headers (`x-amzn-tls-version` and `x-amzn-tls-cipher-suite`), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. Only valid for Load Balancers of type `application`. Defaults to `false` | `bool` | `null` | no |
 | <a name="input_enable_waf_fail_open"></a> [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to `false` | `bool` | `null` | no |
 | <a name="input_enable_xff_client_port"></a> [enable\_xff\_client\_port](#input\_enable\_xff\_client\_port) | Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in `application` load balancers. Defaults to `false` | `bool` | `null` | no |
+| <a name="input_enforce_security_group_inbound_rules_on_private_link_traffic"></a> [enforce\_security\_group\_inbound\_rules\_on\_private\_link\_traffic](#input\_enforce\_security\_group\_inbound\_rules\_on\_private\_link\_traffic) | Indicates whether inbound security group rules are enforced for traffic originating from a PrivateLink. Only valid for Load Balancers of type network. The possible values are on and off. | `string` | `null` | no |
 | <a name="input_idle_timeout"></a> [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type `application`. Default: `60` | `number` | `null` | no |
 | <a name="input_internal"></a> [internal](#input\_internal) | If true, the LB will be internal. Defaults to `false` | `bool` | `null` | no |
 | <a name="input_ip_address_type"></a> [ip\_address\_type](#input\_ip\_address\_type) | The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack` | `string` | `null` | no |

examples/complete-alb/README.md

@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.23 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.31 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.23 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.31 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 
 ## Modules

examples/complete-alb/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.23"
+      version = ">= 5.31"
     }
     null = {
       source  = "hashicorp/null"

examples/complete-nlb/README.md

@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.23 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.31 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.23 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.31 |
 
 ## Modules
 

examples/complete-nlb/main.tf

@@ -46,6 +46,7 @@ module "nlb" {
   enable_deletion_protection = false
 
   # Security Group
+  enforce_security_group_inbound_rules_on_private_link_traffic = "off"
   security_group_ingress_rules = {
     all_tcp = {
       from_port   = 80

examples/complete-nlb/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.23"
+      version = ">= 5.31"
     }
   }
 }

main.tf

@@ -22,24 +22,25 @@ resource "aws_lb" "this" {
     }
   }
 
-  customer_owned_ipv4_pool                    = var.customer_owned_ipv4_pool
-  desync_mitigation_mode                      = var.desync_mitigation_mode
-  dns_record_client_routing_policy            = var.dns_record_client_routing_policy
-  drop_invalid_header_fields                  = var.drop_invalid_header_fields
-  enable_cross_zone_load_balancing            = var.enable_cross_zone_load_balancing
-  enable_deletion_protection                  = var.enable_deletion_protection
-  enable_http2                                = var.enable_http2
-  enable_tls_version_and_cipher_suite_headers = var.enable_tls_version_and_cipher_suite_headers
-  enable_waf_fail_open                        = var.enable_waf_fail_open
-  enable_xff_client_port                      = var.enable_xff_client_port
-  idle_timeout                                = var.idle_timeout
-  internal                                    = var.internal
-  ip_address_type                             = var.ip_address_type
-  load_balancer_type                          = var.load_balancer_type
-  name                                        = var.name
-  name_prefix                                 = var.name_prefix
-  preserve_host_header                        = var.preserve_host_header
-  security_groups                             = var.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups
+  customer_owned_ipv4_pool                                     = var.customer_owned_ipv4_pool
+  desync_mitigation_mode                                       = var.desync_mitigation_mode
+  dns_record_client_routing_policy                             = var.dns_record_client_routing_policy
+  drop_invalid_header_fields                                   = var.drop_invalid_header_fields
+  enable_cross_zone_load_balancing                             = var.enable_cross_zone_load_balancing
+  enable_deletion_protection                                   = var.enable_deletion_protection
+  enable_http2                                                 = var.enable_http2
+  enable_tls_version_and_cipher_suite_headers                  = var.enable_tls_version_and_cipher_suite_headers
+  enable_waf_fail_open                                         = var.enable_waf_fail_open
+  enable_xff_client_port                                       = var.enable_xff_client_port
+  enforce_security_group_inbound_rules_on_private_link_traffic = var.enforce_security_group_inbound_rules_on_private_link_traffic
+  idle_timeout                                                 = var.idle_timeout
+  internal                                                     = var.internal
+  ip_address_type                                              = var.ip_address_type
+  load_balancer_type                                           = var.load_balancer_type
+  name                                                         = var.name
+  name_prefix                                                  = var.name_prefix
+  preserve_host_header                                         = var.preserve_host_header
+  security_groups                                              = var.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups
 
   dynamic "subnet_mapping" {
     for_each = var.subnet_mapping

variables.tf

@@ -104,6 +104,12 @@ variable "load_balancer_type" {
   default     = "application"
 }
 
+variable "enforce_security_group_inbound_rules_on_private_link_traffic" {
+  description = "Indicates whether inbound security group rules are enforced for traffic originating from a PrivateLink. Only valid for Load Balancers of type network. The possible values are on and off."
+  type        = string
+  default     = null
+}
+
 variable "name" {
   description = "The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen"
   type        = string

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.23"
+      version = ">= 5.31"
     }
   }
 }

wrappers/main.tf

@@ -3,45 +3,46 @@ module "wrapper" {
 
   for_each = var.items
 
-  access_logs                                 = try(each.value.access_logs, var.defaults.access_logs, {})
-  associate_web_acl                           = try(each.value.associate_web_acl, var.defaults.associate_web_acl, false)
-  create                                      = try(each.value.create, var.defaults.create, true)
-  create_security_group                       = try(each.value.create_security_group, var.defaults.create_security_group, true)
-  customer_owned_ipv4_pool                    = try(each.value.customer_owned_ipv4_pool, var.defaults.customer_owned_ipv4_pool, null)
-  default_port                                = try(each.value.default_port, var.defaults.default_port, 80)
-  default_protocol                            = try(each.value.default_protocol, var.defaults.default_protocol, "HTTP")
-  desync_mitigation_mode                      = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, null)
-  dns_record_client_routing_policy            = try(each.value.dns_record_client_routing_policy, var.defaults.dns_record_client_routing_policy, null)
-  drop_invalid_header_fields                  = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, true)
-  enable_cross_zone_load_balancing            = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, true)
-  enable_deletion_protection                  = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, true)
-  enable_http2                                = try(each.value.enable_http2, var.defaults.enable_http2, null)
-  enable_tls_version_and_cipher_suite_headers = try(each.value.enable_tls_version_and_cipher_suite_headers, var.defaults.enable_tls_version_and_cipher_suite_headers, null)
-  enable_waf_fail_open                        = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, null)
-  enable_xff_client_port                      = try(each.value.enable_xff_client_port, var.defaults.enable_xff_client_port, null)
-  idle_timeout                                = try(each.value.idle_timeout, var.defaults.idle_timeout, null)
-  internal                                    = try(each.value.internal, var.defaults.internal, null)
-  ip_address_type                             = try(each.value.ip_address_type, var.defaults.ip_address_type, null)
-  listeners                                   = try(each.value.listeners, var.defaults.listeners, {})
-  load_balancer_type                          = try(each.value.load_balancer_type, var.defaults.load_balancer_type, "application")
-  name                                        = try(each.value.name, var.defaults.name, null)
-  name_prefix                                 = try(each.value.name_prefix, var.defaults.name_prefix, null)
-  preserve_host_header                        = try(each.value.preserve_host_header, var.defaults.preserve_host_header, null)
-  putin_khuylo                                = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
-  route53_records                             = try(each.value.route53_records, var.defaults.route53_records, {})
-  security_group_description                  = try(each.value.security_group_description, var.defaults.security_group_description, null)
-  security_group_egress_rules                 = try(each.value.security_group_egress_rules, var.defaults.security_group_egress_rules, {})
-  security_group_ingress_rules                = try(each.value.security_group_ingress_rules, var.defaults.security_group_ingress_rules, {})
-  security_group_name                         = try(each.value.security_group_name, var.defaults.security_group_name, null)
-  security_group_tags                         = try(each.value.security_group_tags, var.defaults.security_group_tags, {})
-  security_group_use_name_prefix              = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, true)
-  security_groups                             = try(each.value.security_groups, var.defaults.security_groups, [])
-  subnet_mapping                              = try(each.value.subnet_mapping, var.defaults.subnet_mapping, [])
-  subnets                                     = try(each.value.subnets, var.defaults.subnets, [])
-  tags                                        = try(each.value.tags, var.defaults.tags, {})
-  target_groups                               = try(each.value.target_groups, var.defaults.target_groups, {})
-  timeouts                                    = try(each.value.timeouts, var.defaults.timeouts, {})
-  vpc_id                                      = try(each.value.vpc_id, var.defaults.vpc_id, null)
-  web_acl_arn                                 = try(each.value.web_acl_arn, var.defaults.web_acl_arn, null)
-  xff_header_processing_mode                  = try(each.value.xff_header_processing_mode, var.defaults.xff_header_processing_mode, null)
+  access_logs                                                  = try(each.value.access_logs, var.defaults.access_logs, {})
+  associate_web_acl                                            = try(each.value.associate_web_acl, var.defaults.associate_web_acl, false)
+  create                                                       = try(each.value.create, var.defaults.create, true)
+  create_security_group                                        = try(each.value.create_security_group, var.defaults.create_security_group, true)
+  customer_owned_ipv4_pool                                     = try(each.value.customer_owned_ipv4_pool, var.defaults.customer_owned_ipv4_pool, null)
+  default_port                                                 = try(each.value.default_port, var.defaults.default_port, 80)
+  default_protocol                                             = try(each.value.default_protocol, var.defaults.default_protocol, "HTTP")
+  desync_mitigation_mode                                       = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, null)
+  dns_record_client_routing_policy                             = try(each.value.dns_record_client_routing_policy, var.defaults.dns_record_client_routing_policy, null)
+  drop_invalid_header_fields                                   = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, true)
+  enable_cross_zone_load_balancing                             = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, true)
+  enable_deletion_protection                                   = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, true)
+  enable_http2                                                 = try(each.value.enable_http2, var.defaults.enable_http2, null)
+  enable_tls_version_and_cipher_suite_headers                  = try(each.value.enable_tls_version_and_cipher_suite_headers, var.defaults.enable_tls_version_and_cipher_suite_headers, null)
+  enable_waf_fail_open                                         = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, null)
+  enable_xff_client_port                                       = try(each.value.enable_xff_client_port, var.defaults.enable_xff_client_port, null)
+  enforce_security_group_inbound_rules_on_private_link_traffic = try(each.value.enforce_security_group_inbound_rules_on_private_link_traffic, var.defaults.enforce_security_group_inbound_rules_on_private_link_traffic, null)
+  idle_timeout                                                 = try(each.value.idle_timeout, var.defaults.idle_timeout, null)
+  internal                                                     = try(each.value.internal, var.defaults.internal, null)
+  ip_address_type                                              = try(each.value.ip_address_type, var.defaults.ip_address_type, null)
+  listeners                                                    = try(each.value.listeners, var.defaults.listeners, {})
+  load_balancer_type                                           = try(each.value.load_balancer_type, var.defaults.load_balancer_type, "application")
+  name                                                         = try(each.value.name, var.defaults.name, null)
+  name_prefix                                                  = try(each.value.name_prefix, var.defaults.name_prefix, null)
+  preserve_host_header                                         = try(each.value.preserve_host_header, var.defaults.preserve_host_header, null)
+  putin_khuylo                                                 = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
+  route53_records                                              = try(each.value.route53_records, var.defaults.route53_records, {})
+  security_group_description                                   = try(each.value.security_group_description, var.defaults.security_group_description, null)
+  security_group_egress_rules                                  = try(each.value.security_group_egress_rules, var.defaults.security_group_egress_rules, {})
+  security_group_ingress_rules                                 = try(each.value.security_group_ingress_rules, var.defaults.security_group_ingress_rules, {})
+  security_group_name                                          = try(each.value.security_group_name, var.defaults.security_group_name, null)
+  security_group_tags                                          = try(each.value.security_group_tags, var.defaults.security_group_tags, {})
+  security_group_use_name_prefix                               = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, true)
+  security_groups                                              = try(each.value.security_groups, var.defaults.security_groups, [])
+  subnet_mapping                                               = try(each.value.subnet_mapping, var.defaults.subnet_mapping, [])
+  subnets                                                      = try(each.value.subnets, var.defaults.subnets, [])
+  tags                                                         = try(each.value.tags, var.defaults.tags, {})
+  target_groups                                                = try(each.value.target_groups, var.defaults.target_groups, {})
+  timeouts                                                     = try(each.value.timeouts, var.defaults.timeouts, {})
+  vpc_id                                                       = try(each.value.vpc_id, var.defaults.vpc_id, null)
+  web_acl_arn                                                  = try(each.value.web_acl_arn, var.defaults.web_acl_arn, null)
+  xff_header_processing_mode                                   = try(each.value.xff_header_processing_mode, var.defaults.xff_header_processing_mode, null)
 }