From e03a385dd2576f43bb8880c013242e016373a4f6 Mon Sep 17 00:00:00 2001 From: Jakob Diebold Date: Tue, 7 May 2024 16:42:00 +0200 Subject: [PATCH 1/3] feat: add flag to enable ipv6 egress rule --- variables.tf | 6 ++++++ vpc.tf | 34 ++++++++++++++++++++++++++++------ 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/variables.tf b/variables.tf index 088a9ee..fdcf57f 100644 --- a/variables.tf +++ b/variables.tf @@ -98,6 +98,12 @@ variable "additional_associated_security_group_ids" { default = [] } +variable "enable_ipv6_in_security_group" { + description = "Enable IPv6 in the security group" + type = bool + default = false +} + # iam variable "additional_execution_role_policy_document_json" { description = "Additional permissions to attach to the base mwaa execution role" diff --git a/vpc.tf b/vpc.tf index 9728ceb..cad4931 100644 --- a/vpc.tf +++ b/vpc.tf @@ -98,12 +98,6 @@ resource "aws_security_group" "this" { tags = merge({ Name = "mwaa-${var.environment_name}-no-ingress-sg" }, var.tags ) - ingress { - from_port = 0 - to_port = 0 - protocol = "-1" - self = true - } egress { from_port = 0 to_port = 0 @@ -113,3 +107,31 @@ resource "aws_security_group" "this" { ] } } + +resource "aws_security_group_rule" "ingress_from_self" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.this.id + to_port = 0 + type = "ingress" + self = true +} + +resource "aws_security_group_rule" "egress_all_ipv4" { + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.this.id + to_port = 0 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "egress_all_ipv6" { + count = var.enable_ipv6_in_security_group ? 1 : 0 + from_port = 0 + protocol = "-1" + security_group_id = aws_security_group.this.id + to_port = 0 + type = "egress" + ipv6_cidr_blocks = ["::/0"] +} From 69801e865d47b945e0cdb5b548b6466ebaedbf73 Mon Sep 17 00:00:00 2001 
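Review bot: The description `Enable IPv6 in the security group` understates what the flag does: the only thing it toggles in vpc.tf is an unrestricted egress rule to `::/0` (`aws_security_group_rule.egress_all_ipv6`), and since the README input table is generated from this string, that is all a consumer of the module will see. Suggest `description = "When true, add an allow-all egress rule to ::/0 on the environment security group; has no effect on ingress."` so the egress scope is visible where the flag is set.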
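Review bot: None of the three new `aws_security_group_rule` resources in the second vpc.tf hunk set `description`, so in the console and in audit tooling the allow-all egress rules to `0.0.0.0/0` and `::/0` show up with no indication of why they exist; the inline blocks they replace had none either, but the migration is the natural point to add it. For example `description = "MWAA environment: allow all outbound IPv6"` on `egress_all_ipv6`, with the analogous strings on `egress_all_ipv4` and `ingress_from_self`. Separately, for already-deployed environments the security-group update that drops the inline `ingress { self = true }` and the creation of `ingress_from_self` have no ordering dependency on each other, so an in-place apply may (unverified here) briefly lack the self rule or fail with a duplicate-permission error if the standalone rule is created first; a short migration note in the README or commit message would help operators plan that apply.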
From: "github-actions[bot]" Date: Tue, 7 May 2024 14:42:33 +0000 Subject: [PATCH 2/3] terraform-docs: automated action --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index e965bf7..d7a105d 100644 --- a/README.md +++ b/README.md @@ -130,6 +130,9 @@ No modules. | [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | | [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.egress_all_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.egress_all_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.ingress_from_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | 
@@ -150,6 +153,7 @@ No modules. | [dag\_processing\_logs\_enabled](#input\_dag\_processing\_logs\_enabled) | n/a | `bool` | `true` | no | | [dag\_processing\_logs\_level](#input\_dag\_processing\_logs\_level) | One of: DEBUG, INFO, WARNING, ERROR, CRITICAL | `string` | `"WARNING"` | no | | [dag\_s3\_path](#input\_dag\_s3\_path) | Relative path of the dags folder within the source bucket | `string` | `"dags/"` | no | +| [enable\_ipv6\_in\_security\_group](#input\_enable\_ipv6\_in\_security\_group) | Enable IPv6 in the security group | `bool` | `false` | no | | [environment\_class](#input\_environment\_class) | n/a | `string` | `"mw1.small"` | no | | [environment\_name](#input\_environment\_name) | Name of the MWAA environment | `string` | n/a | yes | | [internet\_gateway\_id](#input\_internet\_gateway\_id) | ID of the internet gateway to the VPC, if not set and create\_networking\_config = true an internet gateway will be created | `string` | `null` | no | From cc611e902551f258a4c6764febfce97fb0208bbd Mon Sep 17 00:00:00 2001 From: Jakob Diebold Date: Tue, 7 May 2024 16:43:13 +0200 Subject: [PATCH 3/3] remove old inline egress rule --- vpc.tf | 8 -------- 1 file changed, 8 deletions(-) diff --git a/vpc.tf b/vpc.tf index cad4931..4c8f03c 100644 --- a/vpc.tf +++ b/vpc.tf @@ -98,14 +98,6 @@ resource "aws_security_group" "this" { tags = merge({ Name = "mwaa-${var.environment_name}-no-ingress-sg" }, var.tags ) - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [ - "0.0.0.0/0" - ] - } } resource "aws_security_group_rule" "ingress_from_self" {