feat: use security-group module instead of resource (#119)

03eec085 · Vladimir · GitHub · f74c4001 · 03eec085 · 03eec085
Commit 03eec085 authored Jun 15, 2021 by Vladimir Committed by GitHub Jun 15, 2021
11 changed files
--- a/README.md
+++ b/README.md
--- a/README.yaml
+++ b/README.yaml
@@ -97,7 +97,6 @@ usage: |-
    name                       = var.name
    zone_id                    = var.zone_id
    vpc_id                     = module.vpc.vpc_id
-    allowed_security_groups    = [module.vpc.vpc_default_security_group_id]
    subnets                    = module.subnets.private_subnet_ids
    cluster_size               = var.cluster_size
    instance_type              = var.instance_type
@@ -108,6 +107,27 @@ usage: |-
    at_rest_encryption_enabled = var.at_rest_encryption_enabled
    transit_encryption_enabled = var.transit_encryption_enabled

+    security_group_rules = [
+      {
+        type                     = "egress"
+        from_port                = 0
+        to_port                  = 65535
+        protocol                 = "-1"
+        cidr_blocks              = ["0.0.0.0/0"]
+        source_security_group_id = null
+        description              = "Allow all outbound traffic"
+      },
+      {
+        type                     = "ingress"
+        from_port                = 0
+        to_port                  = 65535
+        protocol                 = "-1"
+        cidr_blocks              = []
+        source_security_group_id = module.vpc.vpc_default_security_group_id
+        description              = "Allow all inbound traffic from trusted Security Groups"
+      },
+    ]
+
    parameter = [
      {
        name  = "notify-keyspace-events"
@@ -140,3 +160,5 @@ contributors:
    github: "christopherriley"
  - name: "RB"
    github: "nitrocode"
+  - name: "Vladimir Syromyatnikov"
+    github: "SweetOps"
--- a/docs/terraform.md
+++ b/docs/terraform.md
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -31,7 +31,6 @@ module "redis" {
  availability_zones               = var.availability_zones
  zone_id                          = var.zone_id
  vpc_id                           = module.vpc.vpc_id
-  allowed_security_groups          = [module.vpc.vpc_default_security_group_id]
  subnets                          = module.subnets.private_subnet_ids
  cluster_size                     = var.cluster_size
  instance_type                    = var.instance_type
@@ -43,6 +42,27 @@ module "redis" {
  transit_encryption_enabled       = var.transit_encryption_enabled
  cloudwatch_metric_alarms_enabled = var.cloudwatch_metric_alarms_enabled

+  security_group_rules = [
+    {
+      type                     = "egress"
+      from_port                = 0
+      to_port                  = 65535
+      protocol                 = "-1"
+      cidr_blocks              = ["0.0.0.0/0"]
+      source_security_group_id = null
+      description              = "Allow all outbound traffic"
+    },
+    {
+      type                     = "ingress"
+      from_port                = 0
+      to_port                  = 65535
+      protocol                 = "-1"
+      cidr_blocks              = []
+      source_security_group_id = module.vpc.vpc_default_security_group_id
+      description              = "Allow all inbound traffic from trusted Security Groups"
+    },
+  ]
+
  parameter = [
    {
      name  = "notify-keyspace-events"

--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -18,11 +18,6 @@ output "cluster_id" {
  description = "Redis cluster ID"
 }

-output "cluster_security_group_id" {
-  value       = module.redis.security_group_id
-  description = "Cluster Security Group ID"
-}
-
 output "cluster_endpoint" {
  value       = module.redis.endpoint
  description = "Redis primary endpoint"
@@ -32,3 +27,18 @@ output "cluster_host" {
  value       = module.redis.host
  description = "Redis hostname"
 }
+
+output "cluster_security_group_id" {
+  value       = module.redis.security_group_id
+  description = "Redis Security Group ID"
+}
+
+output "cluster_security_group_arn" {
+  value       = module.redis.security_group_arn
+  description = "Redis Security Group ARN"
+}
+
+output "cluster_security_group_name" {
+  value       = module.redis.security_group_name
+  description = "Redis Security Group name"
+}
--- a/main.tf
+++ b/main.tf
-#
-# Security Group Resources
-#
-resource "aws_security_group" "default" {
-  count       = module.this.enabled && var.use_existing_security_groups == false ? 1 : 0
-  description = var.security_group_description
-  vpc_id      = var.vpc_id
-  name        = module.this.id
-  tags        = module.this.tags
-}
-
-resource "aws_security_group_rule" "egress" {
-  count             = module.this.enabled && var.use_existing_security_groups == false && length(var.egress_cidr_blocks) > 0 ? 1 : 0
-  description       = "Allow outbound traffic from existing cidr blocks"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = var.egress_cidr_blocks
-  security_group_id = join("", aws_security_group.default.*.id)
-  type              = "egress"
-}
-
-resource "aws_security_group_rule" "ingress_security_groups" {
-  count                    = module.this.enabled && var.use_existing_security_groups == false ? length(var.allowed_security_groups) : 0
-  description              = "Allow inbound traffic from existing Security Groups"
-  from_port                = var.port
-  to_port                  = var.port
-  protocol                 = "tcp"
-  source_security_group_id = var.allowed_security_groups[count.index]
-  security_group_id        = join("", aws_security_group.default.*.id)
-  type                     = "ingress"
-}
-
-resource "aws_security_group_rule" "ingress_cidr_blocks" {
-  count             = module.this.enabled && var.use_existing_security_groups == false && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
-  description       = "Allow inbound traffic from CIDR blocks"
-  from_port         = var.port
-  to_port           = var.port
-  protocol          = "tcp"
-  cidr_blocks       = var.allowed_cidr_blocks
-  security_group_id = join("", aws_security_group.default.*.id)
-  type              = "ingress"
-}
-
 locals {
  elasticache_subnet_group_name = var.elasticache_subnet_group_name != "" ? var.elasticache_subnet_group_name : join("", aws_elasticache_subnet_group.default.*.name)

@@ -55,6 +11,20 @@ locals {
  )

  elasticache_member_clusters = module.this.enabled ? tolist(aws_elasticache_replication_group.default.0.member_clusters) : []
+  security_group_enabled      = module.this.enabled && var.security_group_enabled
+}
+
+module "security_group" {
+  source  = "cloudposse/security-group/aws"
+  version = "0.3.1"
+
+  use_name_prefix = var.security_group_use_name_prefix
+  rules           = var.security_group_rules
+  description     = var.security_group_description
+  vpc_id          = var.vpc_id
+
+  enabled = local.security_group_enabled
+  context = module.this.context
 }

 resource "aws_elasticache_subnet_group" "default" {
@@ -91,7 +61,7 @@ resource "aws_elasticache_replication_group" "default" {
  automatic_failover_enabled    = var.automatic_failover_enabled
  multi_az_enabled              = var.multi_az_enabled
  subnet_group_name             = local.elasticache_subnet_group_name
-  security_group_ids            = var.use_existing_security_groups ? var.existing_security_groups : [join("", aws_security_group.default.*.id)]
+  security_group_ids            = compact(concat(module.security_group.*.id, var.security_groups))
  maintenance_window            = var.maintenance_window
  notification_topic_arn        = var.notification_topic_arn
  engine_version                = var.engine_version

--- a/outputs.tf
+++ b/outputs.tf
@@ -4,8 +4,18 @@ output "id" {
 }

 output "security_group_id" {
-  value       = join("", aws_security_group.default.*.id)
-  description = "Security group ID"
+  value       = module.security_group.id
+  description = "Redis Security Group ID"
+}
+
+output "security_group_arn" {
+  value       = module.security_group.arn
+  description = "Redis Security Group ARN"
+}
+
+output "security_group_name" {
+  value       = module.security_group.name
+  description = "Redis Security Group name"
 }

 output "port" {

--- a/test/src/examples_complete_test.go
+++ b/test/src/examples_complete_test.go
@@ -60,4 +60,20 @@ func TestExamplesComplete(t *testing.T) {
 	clusterId := terraform.Output(t, terraformOptions, "cluster_id")
 	// Verify we're getting back the outputs we expect
 	assert.Equal(t, "eg-test-redis-test-"+randId, clusterId)
+
+	// Run `terraform output` to get the value of an output variable
+	securityGroupName := terraform.Output(t, terraformOptions, "cluster_security_group_name")
+	expectedSecurityGroupName := "eg-test-redis-test-" + randId
+	// Verify we're getting back the outputs we expect
+	assert.Equal(t, expectedSecurityGroupName, securityGroupName)
+
+	// Run `terraform output` to get the value of an output variable
+	securityGroupID := terraform.Output(t, terraformOptions, "cluster_security_group_id")
+	// Verify we're getting back the outputs we expect
+	assert.Contains(t, securityGroupID, "sg-", "SG ID should contains substring 'sg-'")
+
+	// Run `terraform output` to get the value of an output variable
+	securityGroupARN := terraform.Output(t, terraformOptions, "cluster_security_group_arn")
+	// Verify we're getting back the outputs we expect
+	assert.Contains(t, securityGroupARN, "arn:aws:ec2", "SG ID should contains substring 'arn:aws:ec2'")
 }
--- a/test/src/go.mod
+++ b/test/src/go.mod
@@ -3,12 +3,6 @@ module github.com/cloudposse/terraform-aws-elasticache-redis
 go 1.14

 require (
-	github.com/aws/aws-sdk-go v1.34.6 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/google/uuid v1.1.1 // indirect
-	github.com/gruntwork-io/terratest v0.16.0
-	github.com/pquerna/otp v1.2.0 // indirect
+	github.com/gruntwork-io/terratest v0.34.7
 	github.com/stretchr/testify v1.5.1
-	golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f // indirect
-	golang.org/x/sys v0.0.0-20190527104216-9cd6430ef91e // indirect
 )
--- a/test/src/go.sum
+++ b/test/src/go.sum
--- a/variables.tf
+++ b/variables.tf
-variable "use_existing_security_groups" {
-  type        = bool
-  description = "Flag to enable/disable creation of Security Group in the module. Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into"
-  default     = false
+variable "vpc_id" {
+  type        = string
+  description = "VPC ID"
 }

-variable "existing_security_groups" {
+variable "subnets" {
  type        = list(string)
+  description = "Subnet IDs"
  default     = []
-  description = "List of existing Security Group IDs to place the cluster into. Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster"
 }

-variable "allowed_security_groups" {
-  type        = list(string)
-  default     = []
-  description = "List of Security Group IDs that are allowed ingress to the cluster's Security Group created in the module"
+variable "security_group_enabled" {
+  type        = bool
+  description = "Whether to create default Security Group for ElastiCache."
+  default     = true
 }

 variable "security_group_description" {
  type        = string
-  description = "The description for the security group. If this is changed, this will cause a create/destroy on the security group resource. Set this to `null` to maintain parity with releases <= `0.34.0`."
-  default     = "Security group for Elasticache Redis"
+  default     = "ElastiCache Security Group"
+  description = "The Security Group description."
 }

-variable "allowed_cidr_blocks" {
-  type        = list(string)
-  default     = []
-  description = "List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module"
-}
-
-variable "vpc_id" {
-  type        = string
-  description = "VPC ID"
-}
-
-variable "subnets" {
+variable "security_group_use_name_prefix" {
+  type        = bool
+  default     = false
+  description = "Whether to create a default Security Group with unique name beginning with the normalized prefix."
+}
+
+variable "security_group_rules" {
+  type = list(any)
+  default = [
+    {
+      type        = "egress"
+      from_port   = 0
+      to_port     = 65535
+      protocol    = "-1"
+      cidr_blocks = ["0.0.0.0/0"]
+      description = "Allow all outbound traffic"
+    }
+  ]
+  description = <<-EOT
+    A list of maps of Security Group rules. 
+    The values of map is fully complated with `aws_security_group_rule` resource. 
+    To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .
+  EOT
+}
+
+variable "security_groups" {
+  description = "A list of Security Group IDs to associate with ElastiCache."
  type        = list(string)
-  description = "Subnet IDs"
  default     = []
 }

@@ -193,7 +206,6 @@ variable "snapshot_arns" {
  default     = []
 }

-
 variable "snapshot_name" {
  type        = string
  description = "The name of a snapshot from which to restore data into the new node group. Changing the snapshot_name forces a new resource."
@@ -241,9 +253,3 @@ variable "cloudwatch_metric_alarms_enabled" {
  description = "Boolean flag to enable/disable CloudWatch metrics alarms"
  default     = false
 }
-
-variable egress_cidr_blocks {
-  type        = list
-  default     = ["0.0.0.0/0"]
-  description = "Outbound traffic address"
-}