This repository was archived by the owner on Sep 24, 2025. It is now read-only.

Added inbound cidrs for loadbalancer #28

Open: grimesjm wants to merge 1 commit into hashicorp-modules:master from grimesjm:master

Conversation

@grimesjm grimesjm commented May 6, 2019

I ran into a limitation with using a non-public LB setup with Vault. We have our network extended into AWS and want to limit the CIDR ranges that exist on that internal network that have access to the load balancer. This gives us an optional list we can pass into the module to add that access to that range.

I ran this against my own TF that I have for provisioning a Consul cluster, and it updates the SG rules as I would expect.

@townsendduong

I was looking at the same thing. Puzzling that the vault-lb-aws module supports this as an input variable but the vault-aws module doesn't provide a way to pass an input through to that. There is a workaround: module.vault-aws.vault_lb_sg_id is exported, and you can create a resource in your calling module to create an additional security group rule. Note this only makes sense when it's an internal load balancer.

# Declared in the calling module; defaults to no extra ingress.
variable "lb_inbound_cidrs" {
  type    = "list"
  default = []
}

# Extra ingress on the LB security group exported by the vault-aws module
# (Terraform 0.11 syntax; the module label must match your own module block).
resource "aws_security_group_rule" "other_allowed_networks" {
  # Only create the rule when at least one non-empty CIDR is supplied.
  count             = "${length(compact(var.lb_inbound_cidrs)) > 0 ? 1 : 0}"

  security_group_id = "${module.vault_aws.vault_lb_sg_id}"
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 8200 # Vault listener port
  to_port           = 8200
  cidr_blocks       = "${compact(var.lb_inbound_cidrs)}" # drop empty entries AWS would reject
}
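
The workaround above hands whatever is in lb_inbound_cidrs straight to the security group, so a stray 0.0.0.0/0 or a public range would silently widen access to the internal LB. The following pre-apply check is an added example, not code from this PR or from the hashicorp-modules repositories: it validates a candidate list the way a reviewer would before it reaches cidr_blocks, rejecting the catch-all prefix, anything outside RFC 1918 (unless explicitly allowed), entries already covered by a wider accepted range, and malformed strings, while normalising bare host addresses to /32. The names RFC1918, validate_lb_inbound_cidrs and SAMPLE_LB_INBOUND_CIDRS are assumptions of this example, and the sample list is constructed.

```python
import ipaddress

# Constructed sample input for this example: the kind of list a calling module
# would pass as var.lb_inbound_cidrs for a Vault LB that is only reachable from
# an on-prem network extended into AWS.
SAMPLE_LB_INBOUND_CIDRS = [
    "10.20.0.0/16",    # on-prem range routed into the VPC
    "192.168.1.0/24",  # second internal range
    "10.20.5.0/24",    # redundant: already inside 10.20.0.0/16
    "0.0.0.0/0",       # would admit everything that can route to the LB
    "203.0.113.0/24",  # not an RFC 1918 range; unexpected for an internal LB
    "10.9.9.9",        # bare host address; normalised to a /32
    "not-a-cidr",      # typo
]

# RFC 1918 private ranges; an internal LB should only be reachable from these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_lb_inbound_cidrs(cidrs, allow_non_rfc1918=False):
    """Return (accepted, rejected) for a candidate lb_inbound_cidrs list.

    accepted: normalised CIDR strings in input order, safe to hand to cidr_blocks.
    rejected: {original_entry: reason} for everything that should not be applied.
    """
    accepted, rejected, kept_nets = [], {}, []
    for raw in cidrs:
        entry = raw.strip()
        if not entry:
            continue  # same effect as compact() in the HCL count expression
        try:
            # strict=False accepts a host address and turns it into a /32 (or /128)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected[raw] = "not a valid IPv4/IPv6 CIDR"
            continue
        if net.prefixlen == 0:
            rejected[raw] = "catch-all prefix; would admit every network that can reach the LB"
            continue
        if not allow_non_rfc1918 and not any(
            net.version == p.version and net.subnet_of(p) for p in RFC1918
        ):
            rejected[raw] = "outside RFC 1918 private space; unexpected for an internal LB"
            continue
        # Skip ranges already contained in an accepted wider range.
        covering = next(
            (k for k in kept_nets if k.version == net.version and net.subnet_of(k)), None
        )
        if covering is not None:
            rejected[raw] = f"already covered by {covering}"
            continue
        kept_nets.append(net)
        accepted.append(str(net))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_lb_inbound_cidrs(SAMPLE_LB_INBOUND_CIDRS)
    print("cidr_blocks =", ok)
    for entry, why in bad.items():
        print(f"rejected {entry!r}: {why}")
```

Run it against the list you intend to put in a tfvars file before `terraform apply`; only the accepted list should be passed on, and anything in the rejected map deserves a deliberate decision rather than a quiet apply.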
