Allow 0 or more CIDR blocks in allow_ssh_cidr_blocks list

hashicorp · Oct 7, 2017 · 097691c · 097691c
1 parent 1709e3a
commit 097691c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/modules/vault-cluster/README.md b/modules/vault-cluster/README.md
@@ -415,7 +415,7 @@ This module attaches a security group to each EC2 Instance that allows inbound r
   and the `allowed_inbound_security_group_ids` parameter to control the security groups that will be allowed access.  
 
 * **SSH**: For the SSH port (default: 22), you can use the `allowed_ssh_cidr_blocks` parameter to control the list of   
-  [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access. 
+  [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access. You can use the `allowed_inbound_security_group_ids` parameter to control the list of source Security Groups that will be allowed access.
 
 Note that all the ports mentioned above are configurable via the `xxx_port` variables (e.g. `api_port`). See
 [vars.tf](vars.tf) for the full list.  

diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
@@ -89,6 +89,7 @@ resource "aws_security_group" "lc_security_group" {
 }
 
 resource "aws_security_group_rule" "allow_ssh_inbound_from_cidr_blocks" {
+  count       = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}"
   type        = "ingress"
   from_port   = "${var.ssh_port}"
   to_port     = "${var.ssh_port}"