From bbcab64009cdc6d4a7236ece331ece4045e14a31 Mon Sep 17 00:00:00 2001
From: renebarbosafl <70078638+renebarbosafl@users.noreply.github.com>
Date: Fri, 30 Aug 2024 23:46:44 -0300
Subject: [PATCH] fix: Add egress rule update support (#107)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Anton Babenko
Co-authored-by: RenĂª Barbosa
---
 examples/complete/README.md | 3 +-
 examples/complete/main.tf | 43 ++++++++++++++++++++++---
 modules/resolver-endpoints/README.md | 6 ++--
 modules/resolver-endpoints/main.tf | 22 ++++++++-----
 modules/resolver-endpoints/variables.tf | 16 +++++++--
 5 files changed, 72 insertions(+), 18 deletions(-)
diff --git a/examples/complete/README.md b/examples/complete/README.md
index aa34918..dbf6259 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -38,9 +38,10 @@ Note that this example may create resources which cost money. Run `terraform des
 | [delegation\_sets](#module\_delegation\_sets) | ../../modules/delegation-sets | n/a |
 | [disabled\_records](#module\_disabled\_records) | ../../modules/records | n/a |
 | [disabled\_resolver\_endpoints](#module\_disabled\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
+| [inbound\_resolver\_endpoints](#module\_inbound\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
+| [outbound\_resolver\_endpoints](#module\_outbound\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
 | [records](#module\_records) | ../../modules/records | n/a |
 | [records\_with\_full\_names](#module\_records\_with\_full\_names) | ../../modules/records | n/a |
-| [resolver\_endpoints](#module\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
 | [resolver\_rule\_associations](#module\_resolver\_rule\_associations) | ../../modules/resolver-rule-associations | n/a |
 | [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | n/a |
 | [terragrunt](#module\_terragrunt) | ../../modules/records | n/a |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 6d14594..4fbdf72 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -293,19 +293,52 @@ module "resolver_rule_associations" {
 }
 }
-module "resolver_endpoints" {
+module "inbound_resolver_endpoints" {
 source = "../../modules/resolver-endpoints"
- name = "example1"
- direction = "INBOUND"
- protocols = ["Do53", "DoH"]
- subnet_ids = module.vpc1.private_subnets
+ name = "example1"
+ direction = "INBOUND"
+ protocols = ["Do53", "DoH"]
+
+ subnet_ids = slice(module.vpc1.private_subnets, 0, 2)
 vpc_id = module.vpc1.vpc_id
 security_group_name_prefix = "example1-sg-"
 security_group_ingress_cidr_blocks = [
 module.vpc2.vpc_cidr_block
 ]
+ security_group_egress_cidr_blocks = [
+ module.vpc2.vpc_cidr_block
+ ]
+}
+
+module "outbound_resolver_endpoints" {
+ source = "../../modules/resolver-endpoints"
+
+ name = "example2"
+ direction = "OUTBOUND"
+ protocols = ["Do53", "DoH"]
+
+ # Using fixed IP addresses
+ ip_address = [
+ {
+ ip = "10.0.0.35"
+ subnet_id = module.vpc1.private_subnets[0]
+ },
+ {
+ ip = "10.0.1.35"
+ subnet_id = module.vpc1.private_subnets[1]
+ }
+ ]
+
+ vpc_id = module.vpc1.vpc_id
+ security_group_name_prefix = "example2-sg-"
+ security_group_ingress_cidr_blocks = [
+ module.vpc1.vpc_cidr_block
+ ]
+ security_group_egress_cidr_blocks = [
+ module.vpc2.vpc_cidr_block
+ ]
 }
 ###################
diff --git a/modules/resolver-endpoints/README.md b/modules/resolver-endpoints/README.md
index bf3c879..ece4f0e 100644
--- a/modules/resolver-endpoints/README.md
+++ b/modules/resolver-endpoints/README.md
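Review bot: The new `outbound_resolver_endpoints` example allows ingress from `module.vpc1.vpc_cidr_block`, but an OUTBOUND endpoint only originates queries and the security group is stateful, so replies are accepted without any ingress rule; since examples are what users copy, it should show the minimum and drop `security_group_ingress_cidr_blocks` here (how the module's ingress block treats an empty list is not visible in this patch, so check that before simply passing `[]`). The fixed addresses `10.0.0.35` and `10.0.1.35` also have to fall inside the CIDRs of `private_subnets[0]` and `[1]`, and nothing in the example ties them together; if the VPC module exposes the subnet CIDRs, `cidrhost(<subnet_cidr>, 35)` would keep them in step. A comment above `ip_address` explaining why fixed addresses are wanted, e.g. `# Fixed IPs so the target DNS servers can allow-list the endpoint`, would make the example self-explanatory.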
@@ -34,15 +34,17 @@ No modules.
 | [create](#input\_create) | Whether to create Route53 resolver endpoints | `bool` | `true` | no |
 | [create\_security\_group](#input\_create\_security\_group) | Whether to create Security Groups for Route53 Resolver Endpoints | `bool` | `true` | no |
 | [direction](#input\_direction) | The resolver endpoint flow direction | `string` | `"INBOUND"` | no |
+| [ip\_address](#input\_ip\_address) | A list of IP addresses and subnets where Route53 resolver endpoints will be deployed | `list(any)` | `[]` | no |
 | [name](#input\_name) | The resolver endpoint name | `string` | `null` | no |
 | [protocols](#input\_protocols) | The resolver endpoint protocols | `list(string)` | `[]` | no |
 | [security\_group\_description](#input\_security\_group\_description) | The security group description | `string` | `null` | no |
+| [security\_group\_egress\_cidr\_blocks](#input\_security\_group\_egress\_cidr\_blocks) | A list of CIDR blocks to allow on security group egress rules | `list(string)` | `[]` | no |
 | [security\_group\_ids](#input\_security\_group\_ids) | A list of security group IDs | `list(string)` | `[]` | no |
-| [security\_group\_ingress\_cidr\_blocks](#input\_security\_group\_ingress\_cidr\_blocks) | A list of CIDR blocks to allow on security group | `list(string)` | `[]` | no |
+| [security\_group\_ingress\_cidr\_blocks](#input\_security\_group\_ingress\_cidr\_blocks) | A list of CIDR blocks to allow on security group ingress rules | `list(string)` | `[]` | no |
 | [security\_group\_name](#input\_security\_group\_name) | The name of the security group | `string` | `null` | no |
 | [security\_group\_name\_prefix](#input\_security\_group\_name\_prefix) | The prefix of the security group | `string` | `null` | no |
 | [security\_group\_tags](#input\_security\_group\_tags) | A map of tags for the security group | `map(string)` | `{}` | no |
-| [subnet\_ids](#input\_subnet\_ids) | A list of subnets where Route53 resolver endpoints will be deployed 
| `list(string)` | `[]` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of subnets where Route53 resolver endpoints will be deployed | `list(any)` | `[]` | no |
 | [tags](#input\_tags) | A map of tags for the Route53 resolver endpoint | `map(string)` | `{}` | no |
 | [type](#input\_type) | The resolver endpoint IP type | `string` | `"IPV4"` | no |
 | [vpc\_id](#input\_vpc\_id) | The VPC ID for all the Route53 Resolver Endpoints | `string` | `""` | no |
diff --git a/modules/resolver-endpoints/main.tf b/modules/resolver-endpoints/main.tf
index 44e2743..f801aa5 100644
--- a/modules/resolver-endpoints/main.tf
+++ b/modules/resolver-endpoints/main.tf
@@ -1,5 +1,6 @@
 locals {
 security_group_ids = var.create && var.create_security_group ? [aws_security_group.this[0].id] : var.security_group_ids
+ subnet_ids = var.create && length(var.subnet_ids) > 0 ? [for subnet in var.subnet_ids : { subnet_id = subnet }] : var.subnet_ids
 }
 resource "aws_route53_resolver_endpoint" "this" {
@@ -12,10 +13,11 @@ resource "aws_route53_resolver_endpoint" "this" {
 security_group_ids = local.security_group_ids
 dynamic "ip_address" {
- for_each = var.subnet_ids
+ for_each = length(var.ip_address) == 0 ? local.subnet_ids : var.ip_address
 content {
- subnet_id = ip_address.value
+ ip = lookup(ip_address.value, "ip", null)
+ subnet_id = each.value.subnet_id
 }
 }
@@ -44,12 +46,16 @@ resource "aws_security_group" "this" {
 }
 }
- egress {
- description = "Allow All"
- protocol = "-1"
- from_port = 0
- to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
+ dynamic "egress" {
+ for_each = toset(["tcp", "udp"])
+
+ content {
+ description = "Allow DNS"
+ protocol = egress.value
+ from_port = 53
+ to_port = 53
+ cidr_blocks = try(var.security_group_egress_cidr_blocks, ["0.0.0.0"])
+ }
 }
 tags = var.security_group_tags
diff --git a/modules/resolver-endpoints/variables.tf b/modules/resolver-endpoints/variables.tf
index c35a6f4..c8cc7be 100644
--- a/modules/resolver-endpoints/variables.tf
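Review bot: The `var.create &&` guard on the new `subnet_ids` local gives the two branches of the conditional different element types — a list of `{ subnet_id = … }` objects on one side and the caller's raw `var.subnet_ids` on the other — which is presumably why `subnet_ids` had to be loosened to `list(any)` in `variables.tf`. Creation is already gated by the endpoint resource itself (it appears to use `count`, judging from `aws_security_group.this[0]` on the line above; the resource header is outside this hunk), so the guard buys nothing and costs the type-checking of the input. `subnet_ids = [for subnet in var.subnet_ids : { subnet_id = subnet }]` is sufficient and lets the variable stay `list(string)`. A one-line comment above it would help too: `# Wrap plain subnet IDs into the shape the ip_address block expects.`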
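Review bot: `subnet_id = each.value.subnet_id` in the new `content` block references the wrong iterator: inside `dynamic "ip_address"` the current element is `ip_address.value`, while `each` exists only when the resource itself uses `for_each`, which this one does not appear to (the sibling security group is addressed as `aws_security_group.this[0]`, i.e. `count`; the resource header is above this hunk). As written the plan should fail with `each` being unavailable, and on a `for_each` resource it would silently bind every address to the wrong value. Change it to `subnet_id = ip_address.value.subnet_id`, matching the `ip` line directly above it. A comment on the `for_each` line would also spare the next reader a detour into `locals`: `# Explicit ip/subnet pairs win; otherwise one auto-assigned address per subnet.`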
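Review bot: `try(var.security_group_egress_cidr_blocks, ["0.0.0.0"])` in the new egress block never reaches its fallback — `try` only catches evaluation errors and a declared variable with a default cannot raise one — so with the default `[]` both rules are created with no destination at all, and had the fallback ever been taken, `0.0.0.0` is not a valid CIDR and the evident intent (any-address egress) would quietly undo the restriction this commit introduces. Use the variable directly, `cidr_blocks = var.security_group_egress_cidr_blocks`, and fail the plan when it is empty (a `validation` block on the variable or a `precondition` on the resource) rather than fall back. Separately, the endpoint accepts `protocols` including `DoH` (the example in this patch passes it), and DoH forwarding from an outbound endpoint travels over TCP 443, which a 53-only egress set blocks; I would derive the rule set from `var.protocols` as below. For an INBOUND endpoint the egress rules matter little, since the group is stateful and replies to inbound queries are allowed without them. The `aws_security_group.this` resource starts above this hunk, so the ingress side is not reviewed here.
```hcl
  # … unchanged: count, name, description, vpc_id, ingress rules …

  # Do53 forwards over 53/udp and 53/tcp; DoH targets are reached over 443/tcp,
  # so that port is opened only when the endpoint is configured for DoH.
  dynamic "egress" {
    for_each = merge(
      { for proto in ["tcp", "udp"] : "dns-${proto}" => { protocol = proto, port = 53 } },
      contains(var.protocols, "DoH") ? { "doh-tcp" = { protocol = "tcp", port = 443 } } : {},
    )

    content {
      description = "Allow DNS (${egress.key})"
      protocol    = egress.value.protocol
      from_port   = egress.value.port
      to_port     = egress.value.port
      # No fallback: an empty list must fail the plan rather than open 0.0.0.0/0.
      cidr_blocks = var.security_group_egress_cidr_blocks
    }
  }

  # … unchanged: tags …
```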
+++ b/modules/resolver-endpoints/variables.tf
@@ -30,7 +30,13 @@ variable "type" {
 variable "subnet_ids" {
 description = "A list of subnets where Route53 resolver endpoints will be deployed"
- type = list(string)
+ type = list(any)
+ default = []
+}
+
+variable "ip_address" {
+ description = "A list of IP addresses and subnets where Route53 resolver endpoints will be deployed"
+ type = list(any)
 default = []
 }
@@ -79,7 +85,13 @@ variable "security_group_description" {
 }
 variable "security_group_ingress_cidr_blocks" {
- description = "A list of CIDR blocks to allow on security group"
+ description = "A list of CIDR blocks to allow on security group ingress rules"
+ type = list(string)
+ default = []
+}
+
+variable "security_group_egress_cidr_blocks" {
+ description = "A list of CIDR blocks to allow on security group egress rules"
 type = list(string)
 default = []
 }
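Review bot: `ip_address` is declared as `list(any)`, so a malformed element (a missing `subnet_id`, or a misspelled key) passes variable validation and only surfaces as an error inside the `dynamic "ip_address"` block in `main.tf`. Declare the shape instead, `type = list(object({ ip = optional(string), subnet_id = string }))`; `optional()` needs Terraform 1.3+, so if older versions must be supported keep `any` and add a `validation` block with `alltrue([for a in var.ip_address : can(a.subnet_id)])`. The same goes for loosening `subnet_ids` to `list(any)`: nothing in this patch passes anything but subnet ID strings, so `list(string)` can stay. `security_group_egress_cidr_blocks` defaults to `[]` while the new egress rules in `main.tf` use it as their only destination, so a caller relying on the default gets rules with no CIDR at all; either say in the description that it is required when `create_security_group` is true, or enforce it with a `validation` block.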