SSH CIDR Blocks ipv6 support + checkov false positive ignore

RaJiska · Jun 17, 2024 · d74d6d4 · d74d6d4
1 parent 2bcd121
commit d74d6d4
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -83,7 +83,7 @@ module "fck-nat" {
 | <a name="input_name"></a> [name](#input\_name) | Name used for resources created within the module | `string` | n/a | yes |
 | <a name="input_route_table_id"></a> [route\_table\_id](#input\_route\_table\_id) | Deprecated. Use route\_tables\_ids instead | `string` | `null` | no |
 | <a name="input_route_tables_ids"></a> [route\_tables\_ids](#input\_route\_tables\_ids) | Route tables to update. Only valid if update\_route\_tables is true | `map(string)` | `{}` | no |
-| <a name="input_ssh_cidr_blocks"></a> [ssh\_cidr\_blocks](#input\_ssh\_cidr\_blocks) | CIDR blocks to allow SSH access to the NAT instance from | `list(string)` | `[]` | no |
+| <a name="input_ssh_cidr_blocks"></a> [ssh\_cidr\_blocks](#input\_ssh\_cidr\_blocks) | CIDR blocks to allow SSH access to the NAT instance from | <pre>object({<br>    ipv4 = optional(list(string), [])<br>    ipv6 = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "ipv4": [],<br>  "ipv6": []<br>}</pre> | no |
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key to use for the NAT instance. SSH access will be enabled only if a key name is provided | `string` | `null` | no |
 | <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | Subnet ID to deploy the NAT instance into | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources created within the module | `map(string)` | `{}` | no |

diff --git a/main.tf b/main.tf
@@ -14,6 +14,7 @@ data "aws_vpc" "main" {
 }
 
 resource "aws_security_group" "main" {
+  #checkov:skip=CKV_AWS_24:False positive from Checkov, ingress CIDR blocks on port 22 default to "[]"
   name        = var.name
   description = "Used in ${var.name} instance of fck-nat in subnet ${var.subnet_id}"
   vpc_id      = data.aws_vpc.main.id
@@ -27,14 +28,15 @@ resource "aws_security_group" "main" {
   }
 
   dynamic "ingress" {
-    for_each = var.use_ssh && length(var.ssh_cidr_blocks) > 0 ? [1] : []
+    for_each = var.use_ssh && (length(var.ssh_cidr_blocks.ipv4) > 0 || length(var.ssh_cidr_blocks.ipv6) > 0) ? [1] : [] #  
 
     content {
-      description = "SSH access"
-      from_port   = 22
-      to_port     = 22
-      protocol    = "tcp"
-      cidr_blocks = var.ssh_cidr_blocks
+      description      = "SSH access"
+      from_port        = 22
+      to_port          = 22
+      protocol         = "tcp"
+      cidr_blocks      = var.ssh_cidr_blocks.ipv4
+      ipv6_cidr_blocks = var.ssh_cidr_blocks.ipv6
     }
   }
 

diff --git a/variables.tf b/variables.tf
@@ -137,8 +137,14 @@ variable "ssh_key_name" {
 
 variable "ssh_cidr_blocks" {
   description = "CIDR blocks to allow SSH access to the NAT instance from"
-  type        = list(string)
-  default     = []
+  type = object({
+    ipv4 = optional(list(string), [])
+    ipv6 = optional(list(string), [])
+  })
+  default = {
+    ipv4 = [],
+    ipv6 = []
+  }
 }
 
 variable "tags" {