Fix IPv6 ingress rules (#186)

mschfh · web-flow · commit 95e6dc25ca49 · 2024-11-07T11:59:16.000-08:00
diff --git a/README.md b/README.md
@@ -234,12 +234,12 @@ Available targets:
 | <a name="input_health_check_unhealthy_threshold"></a> [health\_check\_unhealthy\_threshold](#input\_health\_check\_unhealthy\_threshold) | The number of consecutive health check failures required before considering the target unhealthy | `number` | `2` | no |
 | <a name="input_http2_enabled"></a> [http2\_enabled](#input\_http2\_enabled) | A boolean flag to enable/disable HTTP/2 | `bool` | `true` | no |
 | <a name="input_http_enabled"></a> [http\_enabled](#input\_http\_enabled) | A boolean flag to enable/disable HTTP listener | `bool` | `true` | no |
-| <a name="input_http_ingress_cidr_blocks"></a> [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_http_ingress_cidr_blocks"></a> [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0",<br/>  "::/0"<br/>]</pre> | no |
 | <a name="input_http_ingress_prefix_list_ids"></a> [http\_ingress\_prefix\_list\_ids](#input\_http\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTP ingress security group | `list(string)` | `[]` | no |
 | <a name="input_http_port"></a> [http\_port](#input\_http\_port) | The port for the HTTP listener | `number` | `80` | no |
 | <a name="input_http_redirect"></a> [http\_redirect](#input\_http\_redirect) | A boolean flag to enable/disable HTTP redirect to HTTPS | `bool` | `false` | no |
 | <a name="input_https_enabled"></a> [https\_enabled](#input\_https\_enabled) | A boolean flag to enable/disable HTTPS listener | `bool` | `false` | no |
-| <a name="input_https_ingress_cidr_blocks"></a> [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_https_ingress_cidr_blocks"></a> [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0",<br/>  "::/0"<br/>]</pre> | no |
 | <a name="input_https_ingress_prefix_list_ids"></a> [https\_ingress\_prefix\_list\_ids](#input\_https\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTPS ingress security group | `list(string)` | `[]` | no |
 | <a name="input_https_port"></a> [https\_port](#input\_https\_port) | The port for the HTTPS listener | `number` | `443` | no |
 | <a name="input_https_ssl_policy"></a> [https\_ssl\_policy](#input\_https\_ssl\_policy) | The name of the SSL Policy for the listener | `string` | `"ELBSecurityPolicy-2015-05"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -72,12 +72,12 @@
 | <a name="input_health_check_unhealthy_threshold"></a> [health\_check\_unhealthy\_threshold](#input\_health\_check\_unhealthy\_threshold) | The number of consecutive health check failures required before considering the target unhealthy | `number` | `2` | no |
 | <a name="input_http2_enabled"></a> [http2\_enabled](#input\_http2\_enabled) | A boolean flag to enable/disable HTTP/2 | `bool` | `true` | no |
 | <a name="input_http_enabled"></a> [http\_enabled](#input\_http\_enabled) | A boolean flag to enable/disable HTTP listener | `bool` | `true` | no |
-| <a name="input_http_ingress_cidr_blocks"></a> [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_http_ingress_cidr_blocks"></a> [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTP security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0",<br/>  "::/0"<br/>]</pre> | no |
 | <a name="input_http_ingress_prefix_list_ids"></a> [http\_ingress\_prefix\_list\_ids](#input\_http\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTP ingress security group | `list(string)` | `[]` | no |
 | <a name="input_http_port"></a> [http\_port](#input\_http\_port) | The port for the HTTP listener | `number` | `80` | no |
 | <a name="input_http_redirect"></a> [http\_redirect](#input\_http\_redirect) | A boolean flag to enable/disable HTTP redirect to HTTPS | `bool` | `false` | no |
 | <a name="input_https_enabled"></a> [https\_enabled](#input\_https\_enabled) | A boolean flag to enable/disable HTTPS listener | `bool` | `false` | no |
-| <a name="input_https_ingress_cidr_blocks"></a> [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_https_ingress_cidr_blocks"></a> [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allow in HTTPS security group | `list(string)` | <pre>[<br/>  "0.0.0.0/0",<br/>  "::/0"<br/>]</pre> | no |
 | <a name="input_https_ingress_prefix_list_ids"></a> [https\_ingress\_prefix\_list\_ids](#input\_https\_ingress\_prefix\_list\_ids) | List of prefix list IDs for allowing access to HTTPS ingress security group | `list(string)` | `[]` | no |
 | <a name="input_https_port"></a> [https\_port](#input\_https\_port) | The port for the HTTPS listener | `number` | `443` | no |
 | <a name="input_https_ssl_policy"></a> [https\_ssl\_policy](#input\_https\_ssl\_policy) | The name of the SSL Policy for the listener | `string` | `"ELBSecurityPolicy-2015-05"` | no |
@@ -94,7 +94,7 @@
 | <a name="input_listener_additional_tags"></a> [listener\_additional\_tags](#input\_listener\_additional\_tags) | The additional tags to apply to all listeners | `map(string)` | `{}` | no |
 | <a name="input_listener_http_fixed_response"></a> [listener\_http\_fixed\_response](#input\_listener\_http\_fixed\_response) | Have the HTTP listener return a fixed response for the default action. | <pre>object({<br/>    content_type = string<br/>    message_body = string<br/>    status_code  = string<br/>  })</pre> | `null` | no |
 | <a name="input_listener_https_fixed_response"></a> [listener\_https\_fixed\_response](#input\_listener\_https\_fixed\_response) | Have the HTTPS listener return a fixed response for the default action. | <pre>object({<br/>    content_type = string<br/>    message_body = string<br/>    status_code  = string<br/>  })</pre> | `null` | no |
-| <a name="input_listener_https_redirect"></a> [listener\_https\_redirect](#input\_listener\_https\_redirect) | Have the HTTPS listener return a redirect response for the default action. | <pre>object({<br/>    host        = optional(string)<br/>    path        = optional(string)<br/>    port        = optional(string)<br/>    protocol    = optional(string)<br/>    query       = optional(string)<br/>    status_code = optional(string)<br/>  })</pre> | `null` | no |
+| <a name="input_listener_https_redirect"></a> [listener\_https\_redirect](#input\_listener\_https\_redirect) | Have the HTTPS listener return a redirect response for the default action. | <pre>object({<br/>    host        = optional(string)<br/>    path        = optional(string)<br/>    port        = optional(string)<br/>    protocol    = optional(string)<br/>    query       = optional(string)<br/>    status_code = string<br/>  })</pre> | <pre>{<br/>  "host": null,<br/>  "path": null,<br/>  "port": null,<br/>  "protocol": null,<br/>  "query": null,<br/>  "status_code": "HTTP_301"<br/>}</pre> | no |
 | <a name="input_load_balancer_name"></a> [load\_balancer\_name](#input\_load\_balancer\_name) | The name for the default load balancer, uses a module label name if left empty | `string` | `""` | no |
 | <a name="input_load_balancer_name_max_length"></a> [load\_balancer\_name\_max\_length](#input\_load\_balancer\_name\_max\_length) | The max length of characters for the load balancer. | `number` | `32` | no |
 | <a name="input_load_balancing_algorithm_type"></a> [load\_balancing\_algorithm\_type](#input\_load\_balancing\_algorithm\_type) | Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups | `string` | `"round_robin"` | no |
diff --git a/main.tf b/main.tf
@@ -1,3 +1,13 @@
+locals {
+  # cidrnetmask returns an error for IPv6 addresses
+  # cidrhost works with both IPv4 and IPv6, and returns an error if the argument is not a valid IPv4/IPv6 CIDR prefix
+  http_ingress_cidr_blocks_v4  = [for cidr in var.http_ingress_cidr_blocks : cidr if can(cidrnetmask(cidr))]
+  http_ingress_cidr_blocks_v6  = var.ip_address_type == "dualstack" ? [for cidr in var.http_ingress_cidr_blocks : cidr if !can(cidrnetmask(cidr)) && can(cidrhost(cidr, 0))] : []
+  https_ingress_cidr_blocks_v4 = [for cidr in var.https_ingress_cidr_blocks : cidr if can(cidrnetmask(cidr))]
+  https_ingress_cidr_blocks_v6 = var.ip_address_type == "dualstack" ? [for cidr in var.https_ingress_cidr_blocks : cidr if !can(cidrnetmask(cidr)) && can(cidrhost(cidr, 0))] : []
+}
+
+
 resource "aws_security_group" "default" {
   count       = module.this.enabled && var.security_group_enabled ? 1 : 0
   description = "Controls access to the ALB (HTTP/HTTPS)"
@@ -22,7 +32,8 @@ resource "aws_security_group_rule" "http_ingress" {
   from_port         = var.http_port
   to_port           = var.http_port
   protocol          = "tcp"
-  cidr_blocks       = var.http_ingress_cidr_blocks
+  cidr_blocks       = local.http_ingress_cidr_blocks_v4
+  ipv6_cidr_blocks  = local.http_ingress_cidr_blocks_v6
   prefix_list_ids   = var.http_ingress_prefix_list_ids
   security_group_id = one(aws_security_group.default[*].id)
 }
@@ -33,7 +44,8 @@ resource "aws_security_group_rule" "https_ingress" {
   from_port         = var.https_port
   to_port           = var.https_port
   protocol          = "tcp"
-  cidr_blocks       = var.https_ingress_cidr_blocks
+  cidr_blocks       = local.https_ingress_cidr_blocks_v4
+  ipv6_cidr_blocks  = local.https_ingress_cidr_blocks_v6
   prefix_list_ids   = var.https_ingress_prefix_list_ids
   security_group_id = one(aws_security_group.default[*].id)
 }
diff --git a/variables.tf b/variables.tf
@@ -40,8 +40,13 @@ variable "http_redirect" {
 
 variable "http_ingress_cidr_blocks" {
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = ["0.0.0.0/0", "::/0"]
   description = "List of CIDR blocks to allow in HTTP security group"
+
+  validation {
+    condition     = alltrue([for cidr in var.http_ingress_cidr_blocks : can(cidrhost(cidr, 0))])
+    error_message = "Each entry in http_ingress_cidr_blocks must be a valid CIDR block."
+  }
 }
 
 variable "http_ingress_prefix_list_ids" {
@@ -70,8 +75,13 @@ variable "https_enabled" {
 
 variable "https_ingress_cidr_blocks" {
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = ["0.0.0.0/0", "::/0"]
   description = "List of CIDR blocks to allow in HTTPS security group"
+
+  validation {
+    condition     = alltrue([for cidr in var.https_ingress_cidr_blocks : can(cidrhost(cidr, 0))])
+    error_message = "Each entry in https_ingress_cidr_blocks must be a valid CIDR block."
+  }
 }
 
 variable "https_ingress_prefix_list_ids" {
@@ -132,6 +142,11 @@ variable "ip_address_type" {
   type        = string
   default     = "ipv4"
   description = "The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack`."
+
+  validation {
+    condition     = contains(["ipv4", "dualstack"], var.ip_address_type)
+    error_message = "ip_address_type must be either `ipv4` or `dualstack`."
+  }
 }
 
 variable "deletion_protection_enabled" {
