From 221219bfb37d29112c4342dfbd2b2b316a9a7fea Mon Sep 17 00:00:00 2001
From: Andrew Plummer
Date: Fri, 8 Feb 2019 16:54:11 +0000
Subject: [PATCH] Allow setting datapipeline security group (#35)
* Allow setting datapipeline security group
* CR: join with empty string, not a space
---
 README.md | 1 +
 cloudformation.tf | 2 +-
 docs/terraform.md | 1 +
 outputs.tf | 2 +-
 security_group.tf | 3 ++-
 variables.tf | 6 ++++++
 6 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index facf8d5..433aab6 100644
--- a/README.md
+++ b/README.md
@@ -153,6 +153,7 @@ Available targets:
 |------|-------------|:----:|:-----:|:-----:|
 | attributes | Additional attributes (e.g. `efs-backup`) | list | `` | no |
 | datapipeline_config | DataPipeline configuration options | map | `` | no |
+| datapipeline_security_group | Optionally specify a security group to use for the datapipeline instances | string | `` | no |
 | delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no |
 | efs_mount_target_id | EFS Mount Target ID (e.g. `fsmt-279bfc62`) | string | - | yes |
 | modify_security_group | Should the module modify the `EFS` security group | string | `false` | no |
diff --git a/cloudformation.tf b/cloudformation.tf
index a681671..69d480d 100644
--- a/cloudformation.tf
+++ b/cloudformation.tf
@@ -36,7 +36,7 @@ resource "aws_cloudformation_stack" "datapipeline" {
 parameters {
 myInstanceType = "${var.datapipeline_config["instance_type"]}"
 mySubnetId = "${var.subnet_id == "" ? data.aws_subnet_ids.default.ids[0] : var.subnet_id}"
- mySecurityGroupId = "${aws_security_group.datapipeline.id}"
+ mySecurityGroupId = "${var.datapipeline_security_group == "" ? join("", aws_security_group.datapipeline.*.id) : var.datapipeline_security_group}"
 myEFSHost = "${var.use_ip_address == "true" ? data.aws_efs_mount_target.default.ip_address : format("%s.efs.%s.amazonaws.com", data.aws_efs_mount_target.default.file_system_id, (signum(length(var.region)) == 1 ? var.region : data.aws_region.default.name))}"
 myS3BackupsBucket = "${aws_s3_bucket.backups.id}"
 myRegion = "${signum(length(var.region)) == 1 ? var.region : data.aws_region.default.name}"
diff --git a/docs/terraform.md b/docs/terraform.md
index e3f63f9..b09910d 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -4,6 +4,7 @@
 |------|-------------|:----:|:-----:|:-----:|
 | attributes | Additional attributes (e.g. `efs-backup`) | list | `` | no |
 | datapipeline_config | DataPipeline configuration options | map | `` | no |
+| datapipeline_security_group | Optionally specify a security group to use for the datapipeline instances | string | `` | no |
 | delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no |
 | efs_mount_target_id | EFS Mount Target ID (e.g. `fsmt-279bfc62`) | string | - | yes |
 | modify_security_group | Should the module modify the `EFS` security group | string | `false` | no |
diff --git a/outputs.tf b/outputs.tf
index 07b5711..5a10fe8 100644
--- a/outputs.tf
+++ b/outputs.tf
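Review bot: The selection expression added on `mySecurityGroupId` is repeated verbatim in outputs.tf (`security_group_id`) and in security_group.tf (`source_security_group_id`), so the group the instances launch with and the group granted EFS ingress can drift apart if only one copy is edited later. Defining it once, e.g. `locals { datapipeline_security_group_id = "${var.datapipeline_security_group == "" ? join("", aws_security_group.datapipeline.*.id) : var.datapipeline_security_group}" }`, and referencing `"${local.datapipeline_security_group_id}"` in all three places would keep them in step. The `parameters` block continues outside the hunk.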
@@ -14,7 +14,7 @@ output "datapipeline_ids" {
 }

 output "security_group_id" {
- value = "${aws_security_group.datapipeline.id}"
+ value = "${var.datapipeline_security_group == "" ? join("", aws_security_group.datapipeline.*.id) : var.datapipeline_security_group}"
 description = "Security group id"
 }

diff --git a/security_group.tf b/security_group.tf
index aede215..7505686 100644
--- a/security_group.tf
+++ b/security_group.tf
@@ -1,4 +1,5 @@
 resource "aws_security_group" "datapipeline" {
+ count = "${var.datapipeline_security_group == "" ? 1 : 0}"
 tags = "${module.label.tags}"
 vpc_id = "${data.aws_vpc.default.id}"
 name = "${module.label.id}"
@@ -26,5 +27,5 @@ resource "aws_security_group_rule" "datapipeline_efs_ingress" {
 security_group_id = "${data.aws_efs_mount_target.default.security_groups[0]}"
 to_port = 0
 type = "ingress"
- source_security_group_id = "${aws_security_group.datapipeline.id}"
+ source_security_group_id = "${var.datapipeline_security_group == "" ? join("", aws_security_group.datapipeline.*.id) : var.datapipeline_security_group}"
 }
diff --git a/variables.tf b/variables.tf
index 74125bc..1c8d97b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -84,3 +84,9 @@ variable "subnet_id" {
 default = ""
 description = "Optionally specify the subnet to use"
 }
+
+variable "datapipeline_security_group" {
+ type = "string"
+ default = ""
+ description = "Optionally specify a security group to use for the datapipeline instances"
+}
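Review bot: With a caller-supplied group, `source_security_group_id` on `datapipeline_efs_ingress` grants the EFS ingress to every resource that is a member of that group, not only the datapipeline instances. Any rules the module defines on its own group are also skipped because of `count = 0`, so the instances' ingress and egress become whatever the supplied group allows. I would add a comment above the attribute, such as `# A supplied group is shared: all of its members gain this EFS ingress`, and repeat the caveat in the variable description. The resource starts above the hunk, so its protocol and `from_port`, and whether it is gated by `modify_security_group`, are not visible here.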
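Review bot: The description on `datapipeline_security_group` does not say that the value must be a security group ID rather than a name, although it is passed unchanged to `mySecurityGroupId` and `source_security_group_id`. It also omits that an empty value makes the module create its own group. Suggested wording: `description = "ID of an existing security group to use for the datapipeline instances; leave empty to have the module create one"`. The group presumably has to be in the same VPC as the selected subnet, which is worth stating as well since nothing in the module checks it.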