From 097691cf5804972ecf00fff8ad2441a420545c98 Mon Sep 17 00:00:00 2001
From: Shayne Clausson
Date: Sat, 7 Oct 2017 23:05:46 +0200
Subject: [PATCH] Allow 0 or more CIDR blocks in allow_ssh_cidr_blocks list

---
 modules/vault-cluster/README.md | 2 +-
 modules/vault-cluster/main.tf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/vault-cluster/README.md b/modules/vault-cluster/README.md
index 32ea101c..a883c919 100644
--- a/modules/vault-cluster/README.md
+++ b/modules/vault-cluster/README.md
@@ -415,7 +415,7 @@ This module attaches a security group to each EC2 Instance that allows inbound r
   and the `allowed_inbound_security_group_ids` parameter to control the security groups that will be allowed access.
 
 * **SSH**: For the SSH port (default: 22), you can use the `allowed_ssh_cidr_blocks` parameter to control the list of
-  [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access.
+  [CIDR blocks](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) that will be allowed access. You can use the `allowed_inbound_security_group_ids` parameter to control the list of source Security Groups that will be allowed access.
 
 Note that all the ports mentioned above are configurable via the `xxx_port` variables (e.g. `api_port`). See
 [vars.tf](vars.tf) for the full list.
diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
index dd60d284..1136798c 100644
--- a/modules/vault-cluster/main.tf
+++ b/modules/vault-cluster/main.tf
@@ -89,6 +89,7 @@ resource "aws_security_group" "lc_security_group" {
 }
 
 resource "aws_security_group_rule" "allow_ssh_inbound_from_cidr_blocks" {
+  count = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}"
   type = "ingress"
   from_port = "${var.ssh_port}"
   to_port = "${var.ssh_port}"
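Review bot: The new `count` line makes an empty `allowed_ssh_cidr_blocks` silently create no SSH ingress rule at all, but nothing in this hunk says so, the README hunk above documents a different parameter instead, and the diffstat shows vars.tf, where the variable is described, is not touched. A comment above `count` would make the intent visible to the next reader, e.g. `# Create this rule only when at least one CIDR block is given; an empty list means no SSH ingress from CIDR ranges.`, and the README's `allowed_ssh_cidr_blocks` sentence should state the same. Separately, the README hunk's added sentence points SSH users at `allowed_inbound_security_group_ids`, the same variable the Vault bullet in the preceding context line uses for the API port; if SSH source security groups are governed by a separate variable, that sentence steers operators to the wrong knob and should be checked against vars.tf. The enclosing `aws_security_group_rule` block continues past the end of the hunk.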