Do not open ssh by default (#4)

int128 · web-flow · commit 4052699fc030 · 2019-09-16T13:54:31.000+09:00
diff --git a/README.md b/README.md
@@ -40,6 +40,31 @@ module "nat" {
 ```
 
 
+### Extra configuration
+
+You can open SSH port to the NAT instance.
+
+```tf
+resource "aws_security_group_rule" "nat_ssh" {
+  security_group_id = module.nat.sg_id
+  type              = "ingress"
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+}
+```
+
+You can attach an extra policy to the IAM role of the NAT instance.
+
+```tf
+resource "aws_iam_role_policy_attachment" "nat_iam_example" {
+  policy_arn = "arn:aws:iam::aws:policy/SOME_POLICY_NAME"
+  role       = module.nat.iam_role_name
+}
+```
+
+
 ## How it works
 
 This module will create the following resources:
diff --git a/main.tf b/main.tf
@@ -25,16 +25,6 @@ resource "aws_security_group_rule" "ingress" {
   protocol          = "tcp"
 }
 
-resource "aws_security_group_rule" "ssh" {
-  count             = var.key_name == "" ? 0 : 1
-  security_group_id = aws_security_group.this.id
-  type              = "ingress"
-  cidr_blocks       = ["0.0.0.0/0"]
-  from_port         = 22
-  to_port           = 22
-  protocol          = "tcp"
-}
-
 resource "aws_network_interface" "this" {
   security_groups   = [aws_security_group.this.id]
   subnet_id         = var.public_subnet
