Merge pull request #4 from kunlabora/master
Gowiem authored Mar 25, 2022
2 parents c8cfba4 + b8c0036 commit 7e0d13b
Showing 4 changed files with 12 additions and 2 deletions.
5 changes: 4 additions & 1 deletion .gitignore
Expand Up @@ -29,5 +29,8 @@ override.tf.json
# example: *tfplan*
*.plan

# Ignore IntelliJ configuration
/.idea/

# Ignore lock files
.terraform.lock.hcl
.terraform.lock.hcl
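Review bot: The new `/.idea/` entry under "# Ignore IntelliJ configuration" is editor-specific and unrelated to the security-group change in the rest of this commit; it fits better in each developer's global gitignore, or at least in its own commit. The `.terraform.lock.hcl` line also appears twice at the end of the hunk with no visible difference in content, which looks like a whitespace or end-of-file newline change, so it is worth confirming that was intended.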
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -133,6 +133,7 @@ Use [the awesome `gossm` project](https://github.com/gjbae1212/gossm).
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the permissions boundary that will be applied to the SSM Agent role. | `string` | `""` | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | The region to deploy the S3 bucket for session logs. If not supplied, the module will use the current region. | `string` | `""` | no |
| <a name="input_additional_security_group_ids"></a> [additional\_security\_group\_ids](#input\_additional\_security\_group\_ids) | Additional security groups to attach to SSM agents | `list(string)` | `[]` | no|
| <a name="input_session_logging_bucket_name"></a> [session\_logging\_bucket\_name](#input\_session\_logging\_bucket\_name) | The name of the S3 Bucket to ship session logs to. This will remove creation of an independent session logging bucket. This is only relevant if the session\_logging\_enabled variable is `true`. | `string` | `""` | no |
| <a name="input_session_logging_enabled"></a> [session\_logging\_enabled](#input\_session\_logging\_enabled) | To enable CloudWatch and S3 session logging or not. Note this does not apply to SSH sessions as AWS cannot log those sessions. | `bool` | `true` | no |
| <a name="input_session_logging_encryption_enabled"></a> [session\_logging\_encryption\_enabled](#input\_session\_logging\_encryption\_enabled) | To enable CloudWatch and S3 session logging encryption or not. | `bool` | `true` | no |
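Review bot: The `additional_security_group_ids` row is inserted between `region` and `session_logging_bucket_name`, out of alphabetical order with the rest of the inputs table, and it ends in `no|` without the space the other rows use, which suggests it was added by hand. Its description ("Additional security groups to attach to SSM agents") also differs from the one in variables.tf ("Security groups that will be attached to the app instances"). Settle on one description in variables.tf and regenerate this table from it so the two cannot drift.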
2 changes: 1 addition & 1 deletion main.tf
Expand Up @@ -295,7 +295,7 @@ resource "aws_launch_template" "default" {
network_interfaces {
associate_public_ip_address = false
delete_on_termination = true
security_groups = [aws_security_group.default.id]
security_groups = concat(var.additional_security_group_ids, [aws_security_group.default.id])
}

iam_instance_profile {
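Review bot: On the `security_groups` line, `concat(var.additional_security_group_ids, [aws_security_group.default.id])` passes caller input through unfiltered, so an empty string or a duplicate of the module's own group ID reaches the launch template as is. Consider wrapping it as `distinct(compact(concat(...)))`. Security group rules are additive, so any ingress rule in a caller-supplied group applies to the agent instances on top of the module's default group; the variable description should say so, so that callers do not widen access to the SSM host without meaning to.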
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -56,6 +56,12 @@ variable "key_pair_name" {
description = "The name of the key-pair to associate with the SSM Agent instances. This can be (and probably should) left empty unless you specifically plan to use `AWS-StartSSHSession`."
}

variable "additional_security_group_ids" {
description = "Security groups that will be attached to the app instances"
type = list(string)
default = []
}

######################
## SESSION LOGGING ##
####################
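Review bot: The description on `additional_security_group_ids` says "app instances", but the neighbouring `key_pair_name` description and the README refer to SSM Agent instances, and it does not say that the values must be security group IDs. Suggest wording such as "Additional security group IDs to attach to the SSM Agent instances, alongside the module's default group". A `validation` block that rejects entries not starting with `sg-` would catch a group name passed in place of an ID at plan time.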