Fix security group protocol issues

tedilabs · May 26, 2024 · 40ef886 · 40ef886
1 parent 165c8ed
commit 40ef886
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/modules/alb/security-group.tf b/modules/alb/security-group.tf
@@ -15,7 +15,7 @@ locals {
 
 module "security_group" {
   source  = "tedilabs/network/aws//modules/security-group"
-  version = "~> 0.31.0"
+  version = "~> 0.32.0"
 
   count = var.default_security_group.enabled ? 1 : 0
 
@@ -29,7 +29,7 @@ module "security_group" {
       for listener in var.listeners : {
         id          = "listener-${listener.port}"
         description = "Default rule for the load balancer listener."
-        protocol    = listener.protocol
+        protocol    = "tcp"
         from_port   = listener.port
         to_port     = listener.port
 

diff --git a/modules/nlb/security-groups.tf b/modules/nlb/security-groups.tf
@@ -15,7 +15,7 @@ locals {
 
 module "security_group" {
   source  = "tedilabs/network/aws//modules/security-group"
-  version = "~> 0.31.0"
+  version = "~> 0.32.0"
 
   count = var.default_security_group.enabled ? 1 : 0
 
@@ -29,7 +29,7 @@ module "security_group" {
       for listener in var.listeners : {
         id          = "listener-${listener.port}"
         description = "Default rule for the load balancer listener."
-        protocol    = listener.protocol
+        protocol    = "tcp"
         from_port   = listener.port
         to_port     = listener.port
 
@@ -38,13 +38,33 @@ module "security_group" {
         prefix_lists    = var.default_security_group.listener_ingress_prefix_lists
         security_groups = var.default_security_group.listener_ingress_security_groups
       }
-      if anytrue([
+      if contains(["TCP", "TLS", "TCP_UDP"], listener.protocol) && anytrue([
         length(var.default_security_group.listener_ingress_ipv4_cidrs) > 0,
         length(var.default_security_group.listener_ingress_ipv6_cidrs) > 0,
         length(var.default_security_group.listener_ingress_prefix_lists) > 0,
         length(var.default_security_group.listener_ingress_security_groups) > 0,
       ])
-    ]
+    ],
+    [
+      for listener in var.listeners : {
+        id          = "listener-${listener.port}-udp"
+        description = "Default rule for the load balancer listener."
+        protocol    = "udp"
+        from_port   = listener.port
+        to_port     = listener.port
+
+        ipv4_cidrs      = var.default_security_group.listener_ingress_ipv4_cidrs
+        ipv6_cidrs      = var.default_security_group.listener_ingress_ipv6_cidrs
+        prefix_lists    = var.default_security_group.listener_ingress_prefix_lists
+        security_groups = var.default_security_group.listener_ingress_security_groups
+      }
+      if contains(["UDP"], listener.protocol) && anytrue([
+        length(var.default_security_group.listener_ingress_ipv4_cidrs) > 0,
+        length(var.default_security_group.listener_ingress_ipv6_cidrs) > 0,
+        length(var.default_security_group.listener_ingress_prefix_lists) > 0,
+        length(var.default_security_group.listener_ingress_security_groups) > 0,
+      ])
+    ],
   )
   egress_rules = concat(
     var.default_security_group.egress_rules,