From ca2625dffd89e097c032f210691fd479b359c7d2 Mon Sep 17 00:00:00 2001
From: marcincuber
Date: Tue, 17 Dec 2019 12:33:12 +0000
Subject: [PATCH] Add default security group ingress when redirect is enabled
---
 examples/alb/main.tf | 10 +---------
 main.tf | 11 +++++++++++
 variables.tf | 6 ++++++
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/examples/alb/main.tf b/examples/alb/main.tf
index 69a95fc..2939d9c 100644
--- a/examples/alb/main.tf
+++ b/examples/alb/main.tf
@@ -39,6 +39,7 @@ module "alb" {
 subnets = flatten([module.vpc.public_subnets])
 enable_http_to_https_redirect = true
+ cidr_blocks_port_80_redirect = ["10.10.0.0/16"]
 tags = {
 Project = "Test"
@@ -67,15 +68,6 @@ resource "aws_lb_listener" "alb_80_redirect_to_443" {
 #####
 # SGs
 #####
-resource "aws_security_group_rule" "alb_ingress_80" {
- security_group_id = module.alb.security_group_id
- type = "ingress"
- protocol = "tcp"
- from_port = 80
- to_port = 80
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
 resource "aws_security_group_rule" "alb_ingress_443" {
 security_group_id = module.alb.security_group_id
diff --git a/main.tf b/main.tf
index 736d323..74e14a8 100644
--- a/main.tf
+++ b/main.tf
@@ -81,6 +81,17 @@ resource "aws_security_group" "main" {
 )
 }
+resource "aws_security_group_rule" "allow_port_80_ingress_for_http_to_https_redirect" {
+ count = var.load_balancer_type == "application" && var.enable_http_to_https_redirect ? 1 : 0
+ type = "ingress"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = var.cidr_blocks_port_80_redirect
+
+ security_group_id = aws_security_group.main[0].id
+}
+
 resource "aws_security_group_rule" "egress" {
 count = var.load_balancer_type == "network" ? 0 : 1
 security_group_id = aws_security_group.main[0].id
diff --git a/variables.tf b/variables.tf
index 105db2f..03450f6 100644
--- a/variables.tf
+++ b/variables.tf
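Review bot: The added `cidr_blocks_port_80_redirect = ["10.10.0.0/16"]` limits the redirect listener's port-80 ingress to a private range while the same `module "alb"` block places the load balancer in `module.vpc.public_subnets`, so Internet clients arriving over plain HTTP would no longer be redirected to HTTPS. If that is deliberate as a demonstration of the new variable, say so next to the line, e.g. `# Demonstrates restricting HTTP (redirect) ingress; a public ALB would normally pass ["0.0.0.0/0"] here`. The `module "alb"` block starts and ends outside the hunk, so whether the example also sets an internal scheme cannot be confirmed from here.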
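Review bot: The new `allow_port_80_ingress_for_http_to_https_redirect` rule sets only `cidr_blocks`, so IPv6 clients of a dualstack load balancer cannot reach the redirect listener; the `alb_ingress_80` rule this commit removes from examples/alb/main.tf did allow `ipv6_cidr_blocks = ["::/0"]`, and nothing in the module rule replaces that (whether the balancer is dualstack depends on `ip_address_type`, which is outside the hunk). A companion list variable for IPv6, e.g. a constructed `ipv6_cidr_blocks_port_80_redirect`, wired in as `ipv6_cidr_blocks = var.ipv6_cidr_blocks_port_80_redirect`, would restore parity. With the variable defaulting to `["0.0.0.0/0"]`, turning on `enable_http_to_https_redirect` for an internal application load balancer silently opens port 80 to every IPv4 source unless the caller overrides the list, which the module documentation should state. Adding `description = "HTTP ingress, redirected to HTTPS by the port 80 listener"` to the rule would also make the intent visible in security-group audits.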
@@ -96,3 +96,9 @@ variable "enable_http_to_https_redirect" {
 type = bool
 default = false
 }
+
+variable "cidr_blocks_port_80_redirect" {
+ type = list(string)
+ description = "List of CIDR ranges to allow at security group level. Defaults to 0.0.0.0/0"
+ default = ["0.0.0.0/0"]
+}
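Review bot: The description of `cidr_blocks_port_80_redirect` does not say when the variable takes effect or what its default implies: the rule in main.tf is created only when `load_balancer_type == "application"` and `enable_http_to_https_redirect` is true, and the `0.0.0.0/0` default then admits every IPv4 source on port 80, which matters for an internal load balancer. Suggested wording: `description = "CIDR ranges allowed to reach port 80 on the load balancer security group when enable_http_to_https_redirect is true (application load balancers only). Defaults to 0.0.0.0/0, i.e. any IPv4 source; restrict this for internal load balancers."`. If the repository targets a Terraform version that supports variable `validation` blocks, a CIDR-format check on each element would reject malformed input at plan time rather than at apply.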