From 40ef88650cf72a5d7d0f80c56685c4d0eac525bd Mon Sep 17 00:00:00 2001
From: Byungjin Park
Date: Mon, 27 May 2024 02:01:52 +0900
Subject: [PATCH] Fix security group protocol issues
---
 modules/alb/security-group.tf | 4 ++--
 modules/nlb/security-groups.tf | 28 ++++++++++++++++++++++++----
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/modules/alb/security-group.tf b/modules/alb/security-group.tf
index a43ac3c..9d63772 100644
--- a/modules/alb/security-group.tf
+++ b/modules/alb/security-group.tf
@@ -15,7 +15,7 @@ locals {
 module "security_group" {
 source = "tedilabs/network/aws//modules/security-group"
- version = "~> 0.31.0"
+ version = "~> 0.32.0"
 count = var.default_security_group.enabled ? 1 : 0
@@ -29,7 +29,7 @@ module "security_group" {
 for listener in var.listeners : {
 id = "listener-${listener.port}"
 description = "Default rule for the load balancer listener."
- protocol = listener.protocol
+ protocol = "tcp"
 from_port = listener.port
 to_port = listener.port
diff --git a/modules/nlb/security-groups.tf b/modules/nlb/security-groups.tf
index 95d8333..5a775e1 100644
--- a/modules/nlb/security-groups.tf
+++ b/modules/nlb/security-groups.tf
@@ -15,7 +15,7 @@ locals {
 module "security_group" {
 source = "tedilabs/network/aws//modules/security-group"
- version = "~> 0.31.0"
+ version = "~> 0.32.0"
 count = var.default_security_group.enabled ? 1 : 0
@@ -29,7 +29,7 @@ module "security_group" {
 for listener in var.listeners : {
 id = "listener-${listener.port}"
 description = "Default rule for the load balancer listener."
- protocol = listener.protocol
+ protocol = "tcp"
 from_port = listener.port
 to_port = listener.port
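Review bot: In the `modules/alb/security-group.tf` hunk at `@@ -29,7 +29,7 @@`, the literal `protocol = "tcp"` replaces `listener.protocol` with no comment explaining why, so a later maintainer may be tempted to put the variable back; presumably the ALB listener protocols are HTTP/HTTPS, which are not accepted security-group protocol values, and both are carried over TCP. A one-line comment above the assignment would record that: `# ALB listeners are HTTP/HTTPS, which are not SG protocol values; both run over TCP.` The `for` expression and filter clause this rule belongs to start and end outside the hunk, so it is not visible here whether the ALB rule is guarded by a listener-protocol check the way the NLB one is.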
@@ -38,13 +38,33 @@ module "security_group" {
 prefix_lists = var.default_security_group.listener_ingress_prefix_lists
 security_groups = var.default_security_group.listener_ingress_security_groups
 }
- if anytrue([
+ if contains(["TCP", "TLS", "TCP_UDP"], listener.protocol) && anytrue([
 length(var.default_security_group.listener_ingress_ipv4_cidrs) > 0,
 length(var.default_security_group.listener_ingress_ipv6_cidrs) > 0,
 length(var.default_security_group.listener_ingress_prefix_lists) > 0,
 length(var.default_security_group.listener_ingress_security_groups) > 0,
 ])
- ]
+ ],
+ [
+ for listener in var.listeners : {
+ id = "listener-${listener.port}-udp"
+ description = "Default rule for the load balancer listener."
+ protocol = "udp"
+ from_port = listener.port
+ to_port = listener.port
+
+ ipv4_cidrs = var.default_security_group.listener_ingress_ipv4_cidrs
+ ipv6_cidrs = var.default_security_group.listener_ingress_ipv6_cidrs
+ prefix_lists = var.default_security_group.listener_ingress_prefix_lists
+ security_groups = var.default_security_group.listener_ingress_security_groups
+ }
+ if contains(["UDP"], listener.protocol) && anytrue([
+ length(var.default_security_group.listener_ingress_ipv4_cidrs) > 0,
+ length(var.default_security_group.listener_ingress_ipv6_cidrs) > 0,
+ length(var.default_security_group.listener_ingress_prefix_lists) > 0,
+ length(var.default_security_group.listener_ingress_security_groups) > 0,
+ ])
+ ],
 )
 egress_rules = concat(
 var.default_security_group.egress_rules,
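Review bot: A listener whose protocol is `TCP_UDP` ends up with only a TCP ingress rule: the first filter `contains(["TCP", "TLS", "TCP_UDP"], listener.protocol)` admits it, but the new UDP rule is gated on `contains(["UDP"], listener.protocol)`, so UDP traffic to that port is still dropped by the default security group. The UDP filter should be `if contains(["UDP", "TCP_UDP"], listener.protocol) && anytrue([` so that such a listener gets both rules. The two rules generated for one listener also share the description `"Default rule for the load balancer listener."`; naming the protocol in the UDP one, e.g. `"Default UDP rule for the load balancer listener."`, makes them distinguishable in the console and in `terraform plan` output. The enclosing list expression that these comprehensions are concatenated into starts before the hunk, so the `anytrue` guard on the TCP side and its `ingress_rules` context are only partly visible here.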