diff --git a/README.md b/README.md
index e965bf7..d7a105d 100644
--- a/README.md
+++ b/README.md
@@ -130,6 +130,9 @@ No modules.
| [aws_route_table_association.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_route_table_association.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.egress_all_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.egress_all_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_from_self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_subnet.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_subnet.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
@@ -150,6 +153,7 @@ No modules.
| [dag\_processing\_logs\_enabled](#input\_dag\_processing\_logs\_enabled) | n/a | `bool` | `true` | no |
| [dag\_processing\_logs\_level](#input\_dag\_processing\_logs\_level) | One of: DEBUG, INFO, WARNING, ERROR, CRITICAL | `string` | `"WARNING"` | no |
| [dag\_s3\_path](#input\_dag\_s3\_path) | Relative path of the dags folder within the source bucket | `string` | `"dags/"` | no |
+| [enable\_ipv6\_in\_security\_group](#input\_enable\_ipv6\_in\_security\_group) | Enable IPv6 in the security group | `bool` | `false` | no |
| [environment\_class](#input\_environment\_class) | n/a | `string` | `"mw1.small"` | no |
| [environment\_name](#input\_environment\_name) | Name of the MWAA environment | `string` | n/a | yes |
| [internet\_gateway\_id](#input\_internet\_gateway\_id) | ID of the internet gateway to the VPC, if not set and create\_networking\_config = true an internet gateway will be created | `string` | `null` | no |
diff --git a/variables.tf b/variables.tf
index 088a9ee..fdcf57f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -98,6 +98,12 @@ variable "additional_associated_security_group_ids" {
default = []
}
+variable "enable_ipv6_in_security_group" {
+ description = "Enable IPv6 in the security group"
+ type = bool
+ default = false
+}
+
# iam
variable "additional_execution_role_policy_document_json" {
description = "Additional permissions to attach to the base mwaa execution role"
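Review bot: The description on `enable_ipv6_in_security_group` does not say what enabling it actually grants, and for a toggle whose only visible effect elsewhere in this commit is an allow-all IPv6 egress rule that matters to whoever sets it. Suggest `description = "When true, adds an allow-all (::/0) IPv6 egress rule to the MWAA security group"` so the permissive scope is clear from the variable alone. Defaulting to `false` is the right conservative choice and should stay.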
diff --git a/vpc.tf b/vpc.tf
index 9728ceb..4c8f03c 100644
--- a/vpc.tf
+++ b/vpc.tf
@@ -98,18 +98,32 @@ resource "aws_security_group" "this" {
tags = merge({
Name = "mwaa-${var.environment_name}-no-ingress-sg"
}, var.tags )
- ingress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- self = true
- }
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = [
- "0.0.0.0/0"
- ]
- }
+}
+
+resource "aws_security_group_rule" "ingress_from_self" {
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.this.id
+ to_port = 0
+ type = "ingress"
+ self = true
+}
+
+resource "aws_security_group_rule" "egress_all_ipv4" {
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.this.id
+ to_port = 0
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "egress_all_ipv6" {
+ count = var.enable_ipv6_in_security_group ? 1 : 0
+ from_port = 0
+ protocol = "-1"
+ security_group_id = aws_security_group.this.id
+ to_port = 0
+ type = "egress"
+ ipv6_cidr_blocks = ["::/0"]
}
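Review bot: Existing environments will probably fail on the first apply at `ingress_from_self` and `egress_all_ipv4`: the inline `ingress`/`egress` blocks removed from `aws_security_group.this` are computed attributes in the provider, so dropping them from config does not revoke the rules already present in AWS, and creating standalone rules with identical parameters is likely to be rejected as a duplicate permission. A warning comment above `ingress_from_self` would save operators a surprise, e.g. `# NOTE: environments created before the rules were split out must import the existing inline rules (or recreate the group) before applying`. Each rule also lacks a `description`; something like `description = "Allow all traffic between members of this group"` on `ingress_from_self` and `description = "Allow all outbound traffic"` on the two egress rules makes the intent visible in the console and in audits. The `aws_security_group.this` resource begins before this hunk.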