feat: allow configuring of additional security group rules (#38)

## what

- This PR makes it possible to optionally add additional security group
rules to the main security group
- We add the following:
- A new tf resource `aws_security_group_rule.additonal`, which loops
over...
  - A new tf variable `var.additional_security_group_rules` of type map
  - Additions to the README.md

## why

- By allowing the configuration of sg rules directly in this module, we
do not require the module user to create additional security groups
outside this module. This is especially useful for those users that
consume this module with terragrunt, who may not have the ability to
easily create additional security groups

## references

- N/A, but as a user of downstream module
[terraform-aws-tailscale](https://github.com/masterpointio/terraform-aws-tailscale),
I would be delighted with this addition. If accepted, I will follow-up
with a PR in that module as well


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Added support for defining additional security group rules via a new
input variable.
- **Documentation**
- Updated documentation to include details about the new resource and
input variable for additional security group rules.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: mhulscher

README.md

@@ -115,6 +115,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_launch_template.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.allow_all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_ssm_document.session_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource |
 | [null_resource.validate_instance_type](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -130,6 +131,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_security_group_ids"></a> [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | Security groups that will be attached to the app instances | `list(string)` | `[]` | no |
+| <a name="input_additional_security_group_rules"></a> [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | Additional security group rules that will be attached to the primary security group | <pre>map(object({<br/>    type      = string<br/>    from_port = number<br/>    to_port   = number<br/>    protocol  = string<br/><br/>    description      = optional(string)<br/>    cidr_blocks      = optional(list(string))<br/>    ipv6_cidr_blocks = optional(list(string))<br/>    prefix_list_ids  = optional(list(string))<br/>    self             = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
 | <a name="input_ami"></a> [ami](#input\_ami) | The AMI to use for the SSM Agent EC2 Instance. If not provided, the latest Amazon Linux 2023 AMI will be used. Note: This will update periodically as AWS releases updates to their AL2023 AMI. Pin to a specific AMI if you would like to avoid these updates. | `string` | `""` | no |
 | <a name="input_architecture"></a> [architecture](#input\_architecture) | The architecture of the AMI (e.g., x86\_64, arm64) | `string` | `"arm64"` | no |

main.tf

@@ -159,6 +159,23 @@ resource "aws_security_group_rule" "allow_all_egress" {
   security_group_id = aws_security_group.default.id
 }
 
+resource "aws_security_group_rule" "additional" {
+  for_each = var.additional_security_group_rules
+
+  type      = lookup(each.value, "type")
+  from_port = lookup(each.value, "from_port")
+  to_port   = lookup(each.value, "to_port")
+  protocol  = lookup(each.value, "protocol")
+
+  description      = lookup(each.value, "description", null)
+  cidr_blocks      = lookup(each.value, "cidr_blocks", null)
+  ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", null)
+  prefix_list_ids  = lookup(each.value, "prefix_list_ids", null)
+  self             = lookup(each.value, "self", null)
+
+  security_group_id = aws_security_group.default.id
+}
+
 #######################
 ## SECURITY LOGGING ##
 #####################

variables.tf

@@ -62,6 +62,23 @@ variable "additional_security_group_ids" {
   default     = []
 }
 
+variable "additional_security_group_rules" {
+  description = "Additional security group rules that will be attached to the primary security group"
+  type = map(object({
+    type      = string
+    from_port = number
+    to_port   = number
+    protocol  = string
+
+    description      = optional(string)
+    cidr_blocks      = optional(list(string))
+    ipv6_cidr_blocks = optional(list(string))
+    prefix_list_ids  = optional(list(string))
+    self             = optional(bool)
+  }))
+  default = {}
+}
+
 variable "monitoring_enabled" {
   description = "Enable detailed monitoring of instance"
   type        = bool