diff --git a/examples/complete/README.md b/examples/complete/README.md
index aa34918..dbf6259 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -38,9 +38,10 @@ Note that this example may create resources which cost money. Run `terraform des
| [delegation\_sets](#module\_delegation\_sets) | ../../modules/delegation-sets | n/a |
| [disabled\_records](#module\_disabled\_records) | ../../modules/records | n/a |
| [disabled\_resolver\_endpoints](#module\_disabled\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
+| [inbound\_resolver\_endpoints](#module\_inbound\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
+| [outbound\_resolver\_endpoints](#module\_outbound\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
| [records](#module\_records) | ../../modules/records | n/a |
| [records\_with\_full\_names](#module\_records\_with\_full\_names) | ../../modules/records | n/a |
-| [resolver\_endpoints](#module\_resolver\_endpoints) | ../../modules/resolver-endpoints | n/a |
| [resolver\_rule\_associations](#module\_resolver\_rule\_associations) | ../../modules/resolver-rule-associations | n/a |
| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | n/a |
| [terragrunt](#module\_terragrunt) | ../../modules/records | n/a |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 6d14594..4fbdf72 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -293,19 +293,52 @@ module "resolver_rule_associations" {
}
}
-module "resolver_endpoints" {
+module "inbound_resolver_endpoints" {
source = "../../modules/resolver-endpoints"
- name = "example1"
- direction = "INBOUND"
- protocols = ["Do53", "DoH"]
- subnet_ids = module.vpc1.private_subnets
+ name = "example1"
+ direction = "INBOUND"
+ protocols = ["Do53", "DoH"]
+
+ subnet_ids = slice(module.vpc1.private_subnets, 0, 2)
vpc_id = module.vpc1.vpc_id
security_group_name_prefix = "example1-sg-"
security_group_ingress_cidr_blocks = [
module.vpc2.vpc_cidr_block
]
+ security_group_egress_cidr_blocks = [
+ module.vpc2.vpc_cidr_block
+ ]
+}
+
+module "outbound_resolver_endpoints" {
+ source = "../../modules/resolver-endpoints"
+
+ name = "example2"
+ direction = "OUTBOUND"
+ protocols = ["Do53", "DoH"]
+
+ # Using fixed IP addresses
+ ip_address = [
+ {
+ ip = "10.0.0.35"
+ subnet_id = module.vpc1.private_subnets[0]
+ },
+ {
+ ip = "10.0.1.35"
+ subnet_id = module.vpc1.private_subnets[1]
+ }
+ ]
+
+ vpc_id = module.vpc1.vpc_id
+ security_group_name_prefix = "example2-sg-"
+ security_group_ingress_cidr_blocks = [
+ module.vpc1.vpc_cidr_block
+ ]
+ security_group_egress_cidr_blocks = [
+ module.vpc2.vpc_cidr_block
+ ]
}
###################
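Review bot: The fixed addresses `10.0.0.35` and `10.0.1.35` in `outbound_resolver_endpoints` only apply if they fall inside the CIDRs of `module.vpc1.private_subnets[0]` and `[1]`, which this hunk does not show; if the VPC module's subnet layout changes the apply fails rather than degrading, so a comment such as `# These must be free addresses inside the first two private subnet CIDRs of vpc1` next to the `ip_address` list would save the next reader a failed plan. The inbound endpoint is also given `security_group_egress_cidr_blocks` pointing at vpc2, although an inbound endpoint only answers queries it receives and, as far as I can tell, does not need to initiate DNS traffic to vpc2 — worth either dropping or annotating why it is there. The `slice(..., 0, 2)` call assumes vpc1 has at least two private subnets, which is a hard requirement for a resolver endpoint anyway but could be stated in a comment.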
diff --git a/modules/resolver-endpoints/README.md b/modules/resolver-endpoints/README.md
index bf3c879..ece4f0e 100644
--- a/modules/resolver-endpoints/README.md
+++ b/modules/resolver-endpoints/README.md
@@ -34,15 +34,17 @@ No modules.
| [create](#input\_create) | Whether to create Route53 resolver endpoints | `bool` | `true` | no |
| [create\_security\_group](#input\_create\_security\_group) | Whether to create Security Groups for Route53 Resolver Endpoints | `bool` | `true` | no |
| [direction](#input\_direction) | The resolver endpoint flow direction | `string` | `"INBOUND"` | no |
+| [ip\_address](#input\_ip\_address) | A list of IP addresses and subnets where Route53 resolver endpoints will be deployed | `list(any)` | `[]` | no |
| [name](#input\_name) | The resolver endpoint name | `string` | `null` | no |
| [protocols](#input\_protocols) | The resolver endpoint protocols | `list(string)` | `[]` | no |
| [security\_group\_description](#input\_security\_group\_description) | The security group description | `string` | `null` | no |
+| [security\_group\_egress\_cidr\_blocks](#input\_security\_group\_egress\_cidr\_blocks) | A list of CIDR blocks to allow on security group egress rules | `list(string)` | `[]` | no |
| [security\_group\_ids](#input\_security\_group\_ids) | A list of security group IDs | `list(string)` | `[]` | no |
-| [security\_group\_ingress\_cidr\_blocks](#input\_security\_group\_ingress\_cidr\_blocks) | A list of CIDR blocks to allow on security group | `list(string)` | `[]` | no |
+| [security\_group\_ingress\_cidr\_blocks](#input\_security\_group\_ingress\_cidr\_blocks) | A list of CIDR blocks to allow on security group ingress rules | `list(string)` | `[]` | no |
| [security\_group\_name](#input\_security\_group\_name) | The name of the security group | `string` | `null` | no |
| [security\_group\_name\_prefix](#input\_security\_group\_name\_prefix) | The prefix of the security group | `string` | `null` | no |
| [security\_group\_tags](#input\_security\_group\_tags) | A map of tags for the security group | `map(string)` | `{}` | no |
-| [subnet\_ids](#input\_subnet\_ids) | A list of subnets where Route53 resolver endpoints will be deployed | `list(string)` | `[]` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of subnets where Route53 resolver endpoints will be deployed | `list(any)` | `[]` | no |
| [tags](#input\_tags) | A map of tags for the Route53 resolver endpoint | `map(string)` | `{}` | no |
| [type](#input\_type) | The resolver endpoint IP type | `string` | `"IPV4"` | no |
| [vpc\_id](#input\_vpc\_id) | The VPC ID for all the Route53 Resolver Endpoints | `string` | `""` | no |
diff --git a/modules/resolver-endpoints/main.tf b/modules/resolver-endpoints/main.tf
index 44e2743..f801aa5 100644
--- a/modules/resolver-endpoints/main.tf
+++ b/modules/resolver-endpoints/main.tf
@@ -1,5 +1,6 @@
locals {
security_group_ids = var.create && var.create_security_group ? [aws_security_group.this[0].id] : var.security_group_ids
+ subnet_ids = var.create && length(var.subnet_ids) > 0 ? [for subnet in var.subnet_ids : { subnet_id = subnet }] : var.subnet_ids
}
resource "aws_route53_resolver_endpoint" "this" {
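Review bot: The conditional in the new `subnet_ids` local returns a list of objects on one side and the raw `var.subnet_ids` (a list of strings) on the other, and Terraform checks both result types regardless of which branch is taken; I would expect an inconsistent-result-types error here unless the `list(any)` change elsewhere in this commit is what makes it pass, which is a fragile way to achieve it. The `var.create` guard adds nothing, because the resource that consumes this local is presumably already gated on `var.create`, and a `for` expression over an empty list is simply an empty list. A single-branch form keeps the type stable: `subnet_ids = [for subnet in var.subnet_ids : { subnet_id = subnet }]`.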
@@ -12,10 +13,11 @@ resource "aws_route53_resolver_endpoint" "this" {
security_group_ids = local.security_group_ids
dynamic "ip_address" {
- for_each = var.subnet_ids
+ for_each = length(var.ip_address) == 0 ? local.subnet_ids : var.ip_address
content {
- subnet_id = ip_address.value
+ ip = lookup(ip_address.value, "ip", null)
+ subnet_id = each.value.subnet_id
}
}
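Review bot: `subnet_id = each.value.subnet_id` inside the `ip_address` dynamic block refers to `each`, which is not the dynamic block's iterator — the iterator is named `ip_address`, as the line above it already uses — so this should be `subnet_id = ip_address.value.subnet_id`. As written, `each` is either unavailable in this context or, if the enclosing resource uses `for_each` (not visible here), refers to the resource's own iteration value rather than the subnet entry, and both cases are wrong. Since `ip_address.value` is an object rather than a map, `try(ip_address.value.ip, null)` is the more idiomatic form of the `lookup` on the previous line, though `lookup` does work on objects. A comment noting that `var.ip_address` takes precedence over `var.subnet_ids` when both are set would make the `for_each` expression self-explanatory.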
@@ -44,12 +46,16 @@ resource "aws_security_group" "this" {
}
}
- egress {
- description = "Allow All"
- protocol = "-1"
- from_port = 0
- to_port = 0
- cidr_blocks = ["0.0.0.0/0"]
+ dynamic "egress" {
+ for_each = toset(["tcp", "udp"])
+
+ content {
+ description = "Allow DNS"
+ protocol = egress.value
+ from_port = 53
+ to_port = 53
+ cidr_blocks = try(var.security_group_egress_cidr_blocks, ["0.0.0.0"])
+ }
}
tags = var.security_group_tags
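Review bot: `try(var.security_group_egress_cidr_blocks, ["0.0.0.0"])` never reaches its fallback, because a reference to a declared variable does not error, so a caller that leaves the variable at its `[]` default gets egress rules with no CIDR targets; and if the fallback were ever reached, `"0.0.0.0"` is not a valid CIDR (`0.0.0.0/0` is). Decide explicitly what the no-input case means — either fail with a `validation` block on the variable, or restore the previous reach but on DNS ports only with `cidr_blocks = length(var.security_group_egress_cidr_blocks) > 0 ? var.security_group_egress_cidr_blocks : ["0.0.0.0/0"]` and a comment stating that this widens egress for callers who set nothing. Narrowing egress from allow-all to port 53 is the right direction, but the module also accepts `"DoH"` in `protocols`, and an outbound endpoint forwarding over DoH reaches its targets on TCP 443 as far as I know, so the new rule should cover that port when DoH is enabled or the restriction should be documented as Do53-only.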
diff --git a/modules/resolver-endpoints/variables.tf b/modules/resolver-endpoints/variables.tf
index c35a6f4..c8cc7be 100644
--- a/modules/resolver-endpoints/variables.tf
+++ b/modules/resolver-endpoints/variables.tf
@@ -30,7 +30,13 @@ variable "type" {
variable "subnet_ids" {
description = "A list of subnets where Route53 resolver endpoints will be deployed"
- type = list(string)
+ type = list(any)
+ default = []
+}
+
+variable "ip_address" {
+ description = "A list of IP addresses and subnets where Route53 resolver endpoints will be deployed"
+ type = list(any)
default = []
}
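Review bot: Loosening `subnet_ids` from `list(string)` to `list(any)` removes the only type check the module had on subnet IDs, and the variable is still documented and used as a list of subnet ID strings, so the original type should stay. The new `ip_address` variable is typed `list(any)` but its consumer reads `.ip` and `.subnet_id` from each element; `list(object({ ip = optional(string), subnet_id = string }))` would reject malformed input at plan time (optional attributes need Terraform 1.3+, so check the module's `required_version`). The description should also say that when `ip_address` is non-empty it replaces `subnet_ids` rather than adding to it, e.g. `# Takes precedence over subnet_ids when set; each entry's ip must lie inside its subnet's CIDR`.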
@@ -79,7 +85,13 @@ variable "security_group_description" {
}
variable "security_group_ingress_cidr_blocks" {
- description = "A list of CIDR blocks to allow on security group"
+ description = "A list of CIDR blocks to allow on security group ingress rules"
+ type = list(string)
+ default = []
+}
+
+variable "security_group_egress_cidr_blocks" {
+ description = "A list of CIDR blocks to allow on security group egress rules"
type = list(string)
default = []
}