Added support for optional IP whitelist (var.ip_whitelist).

Author: BSick7

CHANGELOG.md

@@ -1,3 +1,6 @@
+# 0.5.8 (Apr 03, 2025)
+* Added support for optional IP whitelist (`var.ip_whitelist`).
+
 # 0.5.7 (Mar 31, 2025)
 * Use SSL certificate from connected subdomain if it created one.
 

https.tf

@@ -36,7 +36,7 @@ resource "aws_security_group_rule" "lb-https-from-world" {
   count = var.enable_https ? 1 : 0
 
   security_group_id = aws_security_group.lb.id
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = local.allow_ips
   type              = "ingress"
   protocol          = "tcp"
   from_port         = 443

security.tf

@@ -7,7 +7,7 @@ resource "aws_security_group" "lb" {
 // This rule is always enabled; when we are listening on https, we still want to force http to https through redirect
 resource "aws_security_group_rule" "lb-http-from-world" {
   security_group_id = aws_security_group.lb.id
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = local.allow_ips
   type              = "ingress"
   protocol          = "tcp"
   from_port         = 80

subdomain.tf

@@ -1,6 +1,5 @@
 data "ns_connection" "subdomain" {
   name     = "subdomain"
-  type     = "subdomain/aws"
   contract = "subdomain/aws/route53"
   optional = !var.enable_https
 }

variables.tf

@@ -148,3 +148,16 @@ Time in seconds that the connection is allowed to be idle.
 Default: 60.
 EOF
 }
+
+variable "ip_whitelist" {
+  type        = list(string)
+  default     = []
+  description = <<EOF
+Specify a list of source IP addresses that can reach this load balancer.
+If null or empty, this load balancer allows any IP address to access it.
+EOF
+}
+
+locals {
+  allow_ips = (var.ip_whitelist == null || length(var.ip_whitelist) == 0) ? ["0.0.0.0/0"] : var.ip_whitelist
+}