diff --git a/main.tf b/main.tf
index 80af723..c7d7159 100644
--- a/main.tf
+++ b/main.tf
@@ -9,11 +9,11 @@ resource "aws_security_group" "default" {
 resource "aws_security_group_rule" "egress" {
 count = module.this.enabled ? 1 : 0
 type = "egress"
- description = "Allow all egress traffic"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow outbound traffic from CIDR blocks"
+ from_port = var.egress_port
+ to_port = var.egress_port
+ protocol = var.egress_protocol
+ cidr_blocks = var.allowed_egress_cidr_blocks
 security_group_id = join("", aws_security_group.default.*.id)
 }
diff --git a/variables.tf b/variables.tf
index 37b5074..a946dc9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,6 +4,24 @@ variable "zone_id" {
 description = "Route53 parent zone ID. If provided (not empty), the module will create sub-domain DNS records for the DocumentDB master and replicas"
 }
+variable "egress_port" {
+ type = number
+ default = 0
+ description = "DocumentDB port for egress (e.g. `27017`)"
+}
+
+variable "egress_protocol" {
+ type = string
+ default = "-1"
+ description = "DocumentDB protocol for egress (e.g. `-1`, `tcp`)"
+}
+
+variable "allowed_egress_cidr_blocks" {
+ type = list(string)
+ default = ["0.0.0.0/0"]
+ description = "List of CIDR blocks to be allowed to send traffic outside of the DocumentDB cluster"
+}
+
 variable "allowed_security_groups" {
 type = list(string)
 default = []
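Review bot: With `cidr_blocks = var.allowed_egress_cidr_blocks`, an empty list does not mean "no egress" — the rule is still created with no destination at all, which I believe the AWS provider rejects (a rule needs at least one of cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, self or source_security_group_id), so a caller cannot lock egress down completely through this variable. Tying the count to the list, `count = module.this.enabled && length(var.allowed_egress_cidr_blocks) > 0 ? 1 : 0`, lets an empty list disable the rule while leaving the default behaviour unchanged. The new description also has the direction inverted: an egress rule permits traffic *to* the listed blocks, so `description = "Allow outbound traffic to CIDR blocks"`; the same inversion is in the `allowed_egress_cidr_blocks` description in variables.tf. Note that the defaults (`0`, `-1`, `0.0.0.0/0`) keep the previous allow-all egress, so every caller that wants a restricted posture must override all three together.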
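Review bot: The three new variables are independent, but only some combinations are meaningful: `egress_port = 0` pairs with `egress_protocol = "-1"` (my understanding is that AWS disregards the port range for all-traffic rules), and the meaning of port `0` together with `tcp` is left undefined by these descriptions. Spelling the coupling out on `egress_port`, e.g. `description = "Destination port for egress; use 0 with egress_protocol -1 (all traffic), a concrete port such as 27017 with tcp"`, would make the expected pairing visible to callers, and if the module already pins Terraform 0.13 or later a `validation` block on `egress_protocol` could enforce it. Also, `allowed_egress_cidr_blocks` is documented as if the blocks were sources; something like `description = "List of destination CIDR blocks the DocumentDB cluster is allowed to send traffic to"` matches what an egress rule does.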