feat: Create group optionally (#218)

ac988ca2 · Anton Babenko · GitHub · 18bb00a9 · ac988ca2 · ac988ca2
Commit ac988ca2 authored May 27, 2021 by Anton Babenko Committed by GitHub May 27, 2021
8 changed files
--- a/README.md
+++ b/README.md
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -35,6 +35,7 @@ No requirements.
 | <a name="module_fixed_name_sg"></a> [fixed\_name\_sg](#module\_fixed\_name\_sg) | ../../ |  |
 | <a name="module_ipv4_ipv6_example"></a> [ipv4\_ipv6\_example](#module\_ipv4\_ipv6\_example) | ../../ |  |
 | <a name="module_main_sg"></a> [main\_sg](#module\_main\_sg) | ../../ |  |
+| <a name="module_only_rules"></a> [only\_rules](#module\_only\_rules) | ../../ |  |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws |  |
 ## Resources

--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -380,3 +380,20 @@ module "fixed_name_sg" {
  ingress_rules       = ["https-443-tcp"]
 }
+############################
+# Only security group rules
+############################
+module "only_rules" {
+  source = "../../"
+  create_sg         = false
+  security_group_id = module.complete_sg.security_group_id
+  ingress_with_source_security_group_id = [
+    {
+      description              = "http from service one"
+      rule                     = "http-80-tcp"
+      source_security_group_id = data.aws_security_group.default.id
+    },
+  ]
+}
--- a/examples/rules-only/README.md
+++ b/examples/rules-only/README.md
+# Create rules only
+Configuration in this directory creates two security groups using native Terraform resources, and then uses the module to add rules.
+Data sources are used to discover existing VPC resources (VPC and default security group).
+## Usage
+To run this example you need to execute:
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+No requirements.
+## Providers
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+## Modules
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_rules_one"></a> [rules\_one](#module\_rules\_one) | ../../ |  |
+| <a name="module_rules_two"></a> [rules\_two](#module\_rules\_two) | ../../ |  |
+## Resources
+| Name | Type |
+|------|------|
+| [aws_security_group.service_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.service_two](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+## Inputs
+No inputs.
+## Outputs
+| Name | Description |
+|------|-------------|
+| <a name="output_service_one_security_group_id"></a> [service\_one\_security\_group\_id](#output\_service\_one\_security\_group\_id) | The ID of the security group for service one |
+| <a name="output_service_two_security_group_id"></a> [service\_two\_security\_group\_id](#output\_service\_two\_security\_group\_id) | The ID of the security group for service two |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/examples/rules-only/main.tf
+++ b/examples/rules-only/main.tf
+provider "aws" {
+  region = "eu-west-1"
+}
+#############################################################
+# Data sources to get VPC and default security group details
+#############################################################
+data "aws_vpc" "default" {
+  default = true
+}
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = data.aws_vpc.default.id
+}
+########################################################
+# Create SGs
+########################################################
+resource "aws_security_group" "service_one" {
+  name        = "service_one"
+  description = "Allow access from service two"
+}
+resource "aws_security_group" "service_two" {
+  name        = "service_two"
+  description = "Allow access from service one"
+}
+########################################################
+# Add SG rules
+########################################################
+module "rules_one" {
+  source = "../../"
+  create_sg         = false
+  security_group_id = aws_security_group.service_one.id
+  ingress_with_source_security_group_id = [
+    {
+      description              = "http from service two"
+      rule                     = "http-80-tcp"
+      source_security_group_id = aws_security_group.service_two.id
+    },
+  ]
+}
+module "rules_two" {
+  source = "../../"
+  create_sg         = false
+  security_group_id = aws_security_group.service_two.id
+  ingress_with_source_security_group_id = [
+    {
+      description              = "http from service one"
+      rule                     = "http-80-tcp"
+      source_security_group_id = aws_security_group.service_one.id
+    },
+  ]
+}
--- a/examples/rules-only/outputs.tf
+++ b/examples/rules-only/outputs.tf
+output "service_one_security_group_id" {
+  description = "The ID of the security group for service one"
+  value       = aws_security_group.service_one.id
+}
+output "service_two_security_group_id" {
+  description = "The ID of the security group for service two"
+  value       = aws_security_group.service_two.id
+}
--- a/main.tf
+++ b/main.tf
@@ -2,18 +2,14 @@
 # Get ID of created Security Group
 ##################################
 locals {
-  this_sg_id = concat(
+  this_sg_id = var.create_sg ? concat(aws_security_group.this.*.id, aws_security_group.this_name_prefix.*.id, [""])[0] : var.security_group_id
-    aws_security_group.this.*.id,
-    aws_security_group.this_name_prefix.*.id,
-    [""],
-  )[0]
 }
 ##########################
 # Security group with name
 ##########################
 resource "aws_security_group" "this" {
-  count = var.create && false == var.use_name_prefix ? 1 : 0
+  count = var.create && var.create_sg && !var.use_name_prefix ? 1 : 0
  name                   = var.name
  description            = var.description
@@ -32,7 +28,7 @@ resource "aws_security_group" "this" {
 # Security group with name_prefix
 #################################
 resource "aws_security_group" "this_name_prefix" {
-  count = var.create && var.use_name_prefix ? 1 : 0
+  count = var.create && var.create_sg && var.use_name_prefix ? 1 : 0
  name_prefix            = "${var.name}-"
  description            = var.description

--- a/variables.tf
+++ b/variables.tf
@@ -7,14 +7,28 @@ variable "create" {
  default     = true
 }
+variable "create_sg" {
+  description = "Whether to create security group"
+  type        = bool
+  default     = true
+}
+variable "security_group_id" {
+  description = "ID of existing security group whose rules we will manage"
+  type        = string
+  default     = null
+}
 variable "vpc_id" {
  description = "ID of the VPC where to create security group"
  type        = string
+  default     = null
 }
 variable "name" {
-  description = "Name of security group"
+  description = "Name of security group - not required if create_group is false"
  type        = string
+  default     = null
 }
 variable "use_name_prefix" {