Allow multiple CIDR blocks

Author: bogsi17

.github/workflows/data-replication-pipeline.yml

@@ -32,9 +32,10 @@ on:
         required: false
         type: string
       egress_cidr:
-        description: CIDR block to allow egress traffic (optional)
-        required: false
+        description: CIDR blocks to allow egress traffic.
         type: string
+        required: true
+        default: "[]"
 
 env:
   aws_role: ${{ inputs.environment == 'production'
@@ -197,7 +198,7 @@ jobs:
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
           terraform plan -var="image_digest=${{ env.DOCKER_DIGEST }}" -var="db_secret_arn=${{ env.DB_SECRET_ARN }}" \
           -var="imported_snapshot=${{ env.SNAPSHOT_ARN }}" -var-file="env/${{ inputs.environment }}.tfvars" \
-          -var="allowed_egress_cidr_block=${{ inputs.egress_cidr }}" \
+          -var="allowed_egress_cidr_blocks=${{ fromJSON(inputs.egress_cidr) }}" \
           -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
       - name: Upload artifact
         uses: actions/upload-artifact@v4

terraform/data_replication/network.tf

@@ -39,7 +39,7 @@ resource "aws_subnet" "public_subnet" {
 }
 
 resource "aws_internet_gateway" "internet_gateway" {
-  count  = var.allowed_egress_cidr_block == null ? 0 : 1
+  count  = min(length(var.allowed_egress_cidr_blocks), 1)
   vpc_id = aws_vpc.vpc.id
   tags = {
     Name = "data-replication-igw-${var.environment}"
@@ -52,7 +52,7 @@ resource "aws_eip" "nat_ip" {
 }
 
 resource "aws_nat_gateway" "nat_gateway" {
-  count             = var.allowed_egress_cidr_block == null ? 0 : 1
+  count             = min(length(var.allowed_egress_cidr_blocks), 1)
   subnet_id         = aws_subnet.public_subnet.id
   allocation_id     = aws_eip.nat_ip.id
   connectivity_type = "public"
@@ -63,16 +63,16 @@ resource "aws_nat_gateway" "nat_gateway" {
 }
 
 resource "aws_route" "private_to_public" {
-  count                  = var.allowed_egress_cidr_block == null ? 0 : 1
+  count                  = length(var.allowed_egress_cidr_blocks)
   route_table_id         = aws_route_table.private.id
-  destination_cidr_block = var.allowed_egress_cidr_block
+  destination_cidr_block = var.allowed_egress_cidr_blocks[count.index]
   nat_gateway_id         = aws_nat_gateway.nat_gateway[0].id
 }
 
 resource "aws_route" "public_to_igw" {
-  count                  = var.allowed_egress_cidr_block == null ? 0 : 1
+  count                  = length(var.allowed_egress_cidr_blocks)
   route_table_id         = aws_route_table.public.id
-  destination_cidr_block = var.allowed_egress_cidr_block
+  destination_cidr_block = var.allowed_egress_cidr_blocks[count.index]
   gateway_id             = aws_internet_gateway.internet_gateway[0].id
 }
 

terraform/data_replication/variables.tf

@@ -126,8 +126,8 @@ locals {
   ]
 }
 
-variable "allowed_egress_cidr_block" {
-  type        = string
-  description = "CIDR block for the allowed outbound traffic from the data replication service."
-  default     = null
+variable "allowed_egress_cidr_blocks" {
+  type        = list(string)
+  description = "CIDR blocks for the allowed outbound traffic from the data replication service."
+  default     = []
 }