Added possibility to create resources conditionally (#20)

0f17f01c · Anton Babenko · GitHub · 072e49e3 · 0f17f01c · 0f17f01c
Commit 0f17f01c authored Nov 15, 2017 by Anton Babenko Committed by GitHub Nov 15, 2017
50 changed files
--- a/README.md
+++ b/README.md
@@ -16,7 +16,8 @@ This module aims to implement **ALL** combinations of arguments supported by AWS
 * Access from source security groups
 * Access from self
 * Named rules ([see the rules here](rules.tf))
-* Named groups of rules with ingress (inbound) and egress (outbound) ports open for common scenarios (eg, [ssh](modules/ssh), [http-80](modules/http-80), [mysql](modules/mysql), see the whole list [here](modules/README.md)).
+* Named groups of rules with ingress (inbound) and egress (outbound) ports open for common scenarios (eg, [ssh](modules/ssh), [http-80](modules/http-80), [mysql](modules/mysql), see the whole list [here](modules/README.md))
+* Conditionally create security group and all required security group rules ("single boolean switch").

 Ingress and egress rules can be configured in a variety of ways as listed on [the registry documentation](https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws/?tab=inputs).

@@ -71,11 +72,27 @@ module "web_server_sg" {
 }
 ```

+Conditional creation
+--------------------
+
+Sometimes you need to have a way to create security group conditionally but Terraform does not allow to use `count` inside `module` block, so the solution is to specify argument `create`.
+
+```hcl
+# This security group will not be created
+module "vote_service_sg" {
+  source = "terraform-aws-modules/security-group/aws"
+
+  create = false
+  # ... omitted
+}
+```
+
 Examples
 --------

 * [Complete Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/complete) shows all available parameters to configure security group.
 * [HTTP Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/http) shows more applicable security groups for common web-servers.
+* [Disable creation of Security Group example](https://github.com/terraform-aws-modules/terraform-aws-security-group/tree/master/examples/disabled) shows how to disable creation of security group.

 How to add/update rules/groups?
 -------------------------------

--- a/examples/disabled/README.md
+++ b/examples/disabled/README.md
+HTTP Security Group example
+===========================
+
+Configuration in this directory creates set of Security Group and Security Group Rules resources in various combination.
+
+Data sources are used to discover existing VPC resources (VPC and default security group).
+
+Usage
+=====
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
--- a/examples/disabled/main.tf
+++ b/examples/disabled/main.tf
+provider "aws" {
+  region = "eu-west-1"
+}
+
+#############################################################
+# Data sources to get VPC and default security group details
+#############################################################
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = "${data.aws_vpc.default.id}"
+}
+
+########################################################
+# Security groups WILL NOT be created by these examples
+########################################################
+module "complete_sg_disabled" {
+  source = "../../"
+
+  create      = false
+  name        = "complete-sg"
+  description = "Security group with all available arguments set (this is just an example)"
+  vpc_id      = "${data.aws_vpc.default.id}"
+
+  ingress_cidr_blocks = ["0.0.0.0/0"]
+}
+
+module "http_sg_disabled" {
+  source = "../../modules/http-80"
+
+  create      = false
+  name        = "http-sg"
+  description = "Security group with HTTP ports open for everybody (IPv4 CIDR), egress ports are all world open"
+  vpc_id      = "${data.aws_vpc.default.id}"
+
+  ingress_cidr_blocks = ["0.0.0.0/0"]
+}
--- a/examples/disabled/outputs.tf
+++ b/examples/disabled/outputs.tf
+output "this_security_group_id" {
+  description = "The ID of the security group"
+  value       = "${module.complete_sg_disabled.this_security_group_id}"
+}
--- a/main.tf
+++ b/main.tf
@@ -2,6 +2,8 @@
 # Security group
 #################
 resource "aws_security_group" "this" {
+  count = "${var.create}"
+
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"
@@ -14,7 +16,7 @@ resource "aws_security_group" "this" {
 ###################################
 # Security group rules with "cidr_blocks" and it uses list of rules names
 resource "aws_security_group_rule" "ingress_rules" {
-  count = "${length(var.ingress_rules)}"
+  count = "${var.create ? length(var.ingress_rules) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "ingress"
@@ -33,7 +35,7 @@ resource "aws_security_group_rule" "ingress_rules" {
 ##########################
 # Security group rules with "source_security_group_id", but without "cidr_blocks" and "self"
 resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
-  count = "${length(var.ingress_with_source_security_group_id)}"
+  count = "${var.create ? length(var.ingress_with_source_security_group_id) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "ingress"
@@ -49,7 +51,7 @@ resource "aws_security_group_rule" "ingress_with_source_security_group_id" {

 # Security group rules with "cidr_blocks", but without "ipv6_cidr_blocks", "source_security_group_id" and "self"
 resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
-  count = "${length(var.ingress_with_cidr_blocks)}"
+  count = "${var.create ? length(var.ingress_with_cidr_blocks) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "ingress"
@@ -64,7 +66,7 @@ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {

 # Security group rules with "ipv6_cidr_blocks", but without "cidr_blocks", "source_security_group_id" and "self"
 resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks" {
-  count = "${length(var.ingress_with_ipv6_cidr_blocks)}"
+  count = "${var.create ? length(var.ingress_with_ipv6_cidr_blocks) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "ingress"
@@ -79,7 +81,7 @@ resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks" {

 # Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
 resource "aws_security_group_rule" "ingress_with_self" {
-  count = "${length(var.ingress_with_self)}"
+  count = "${var.create ? length(var.ingress_with_self) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "ingress"
@@ -102,7 +104,7 @@ resource "aws_security_group_rule" "ingress_with_self" {
 ##################################
 # Security group rules with "cidr_blocks" and it uses list of rules names
 resource "aws_security_group_rule" "egress_rules" {
-  count = "${length(var.egress_rules)}"
+  count = "${var.create ? length(var.egress_rules) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "egress"
@@ -121,7 +123,7 @@ resource "aws_security_group_rule" "egress_rules" {
 #########################
 # Security group rules with "source_security_group_id", but without "cidr_blocks" and "self"
 resource "aws_security_group_rule" "egress_with_source_security_group_id" {
-  count = "${length(var.egress_with_source_security_group_id)}"
+  count = "${var.create ? length(var.egress_with_source_security_group_id) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "egress"
@@ -137,7 +139,7 @@ resource "aws_security_group_rule" "egress_with_source_security_group_id" {

 # Security group rules with "cidr_blocks", but without "ipv6_cidr_blocks", "source_security_group_id" and "self"
 resource "aws_security_group_rule" "egress_with_cidr_blocks" {
-  count = "${length(var.egress_with_cidr_blocks)}"
+  count = "${var.create ? length(var.egress_with_cidr_blocks) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "egress"
@@ -152,7 +154,7 @@ resource "aws_security_group_rule" "egress_with_cidr_blocks" {

 # Security group rules with "ipv6_cidr_blocks", but without "cidr_blocks", "source_security_group_id" and "self"
 resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks" {
-  count = "${length(var.egress_with_ipv6_cidr_blocks)}"
+  count = "${var.create ? length(var.egress_with_ipv6_cidr_blocks) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "egress"
@@ -167,7 +169,7 @@ resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks" {

 # Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
 resource "aws_security_group_rule" "egress_with_self" {
-  count = "${length(var.egress_with_self)}"
+  count = "${var.create ? length(var.egress_with_self) : 0}"

  security_group_id = "${aws_security_group.this.id}"
  type              = "egress"

--- a/modules/_templates/main.tf
+++ b/modules/_templates/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/_templates/variables.tf
+++ b/modules/_templates/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/carbon-relay-ng/main.tf
+++ b/modules/carbon-relay-ng/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/carbon-relay-ng/variables.tf
+++ b/modules/carbon-relay-ng/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/cassandra/main.tf
+++ b/modules/cassandra/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/cassandra/variables.tf
+++ b/modules/cassandra/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/consul/main.tf
+++ b/modules/consul/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/consul/variables.tf
+++ b/modules/consul/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/docker-swarm/main.tf
+++ b/modules/docker-swarm/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/docker-swarm/variables.tf
+++ b/modules/docker-swarm/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/elasticsearch/main.tf
+++ b/modules/elasticsearch/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/elasticsearch/variables.tf
+++ b/modules/elasticsearch/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/http-80/main.tf
+++ b/modules/http-80/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/http-80/variables.tf
+++ b/modules/http-80/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/https-443/main.tf
+++ b/modules/https-443/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/https-443/variables.tf
+++ b/modules/https-443/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/kafka/main.tf
+++ b/modules/kafka/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/kafka/variables.tf
+++ b/modules/kafka/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/ldaps/main.tf
+++ b/modules/ldaps/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/ldaps/variables.tf
+++ b/modules/ldaps/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/memcached/main.tf
+++ b/modules/memcached/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/memcached/variables.tf
+++ b/modules/memcached/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/mssql/main.tf
+++ b/modules/mssql/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/mssql/variables.tf
+++ b/modules/mssql/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/mysql/main.tf
+++ b/modules/mysql/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/mysql/variables.tf
+++ b/modules/mysql/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/nomad/main.tf
+++ b/modules/nomad/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/nomad/variables.tf
+++ b/modules/nomad/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/openvpn/main.tf
+++ b/modules/openvpn/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/openvpn/variables.tf
+++ b/modules/openvpn/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/postgresql/main.tf
+++ b/modules/postgresql/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/redis/main.tf
+++ b/modules/redis/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/redis/variables.tf
+++ b/modules/redis/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/ssh/main.tf
+++ b/modules/ssh/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/ssh/variables.tf
+++ b/modules/ssh/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/storm/main.tf
+++ b/modules/storm/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/storm/variables.tf
+++ b/modules/storm/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/web/main.tf
+++ b/modules/web/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/web/variables.tf
+++ b/modules/web/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/zipkin/main.tf
+++ b/modules/zipkin/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/zipkin/variables.tf
+++ b/modules/zipkin/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/modules/zookeeper/main.tf
+++ b/modules/zookeeper/main.tf
 module "sg" {
  source = "../../"

+  create      = "${var.create}"
  name        = "${var.name}"
  description = "${var.description}"
  vpc_id      = "${var.vpc_id}"

--- a/modules/zookeeper/variables.tf
+++ b/modules/zookeeper/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
-  description = "ID of VPC to create security group into"
+  description = "ID of the VPC where to create security group"
 }

 variable "name" {

--- a/variables.tf
+++ b/variables.tf
 #################
 # Security group
 #################
+variable "create" {
+  description = "Whether to create security group and all rules"
+  default     = true
+}
+
 variable "vpc_id" {
  description = "ID of the VPC where to create security group"
 }