From 8eb5183fc22fac1b1fce1930640ff4becf828de1 Mon Sep 17 00:00:00 2001 From: Andrew den Hertog Date: Thu, 14 Dec 2023 13:28:21 -0500 Subject: [PATCH] chore: bump security group module version (#210) * chore: bump security group module version Signed-off-by: Andrew den Hertog * chore: gen docs Signed-off-by: Andrew den Hertog * task: make new vars avaialbe Signed-off-by: Andrew den Hertog * chore: run format: Signed-off-by: Andrew den Hertog --------- Signed-off-by: Andrew den Hertog --- .github/renovate.json | 7 +++-- README.md | 8 ++++-- docs/terraform.md | 8 ++++-- main.tf | 9 ++++-- security_group_inputs.tf | 60 ++++++++++++++++++++++++++++++++++++++-- 5 files changed, 80 insertions(+), 12 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index b61ed24f..909df094 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -1,13 +1,14 @@ { "extends": [ "config:base", - ":preserveSemverRanges" + ":preserveSemverRanges", + ":rebaseStalePrs" ], - "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"], + "baseBranches": ["main"], "labels": ["auto-update"], "dependencyDashboardAutoclose": true, "enabledManagers": ["terraform"], "terraform": { - "ignorePaths": ["**/context.tf", "examples/**"] + "ignorePaths": ["**/context.tf"] } } diff --git a/README.md b/README.md index c73b112e..e8ac7165 100644 --- a/README.md +++ b/README.md @@ -198,7 +198,7 @@ Available targets: | Name | Source | Version | |------|--------|---------| -| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 1.0.1 | +| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 2.2.0 | | [dns](#module\_dns) | cloudposse/route53-cluster-hostname/aws | 0.12.2 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -255,6 +255,7 @@ Available targets: | [family](#input\_family) | Redis family | `string` | `"redis4.0"` | no | | [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [inline\_rules\_enabled](#input\_inline\_rules\_enabled) | NOT RECOMMENDED. Create rules "inline" instead of as separate `aws_security_group_rule` resources.
See [#20046](https://github.com/hashicorp/terraform-provider-aws/issues/20046) for one of several issues with inline rules.
See [this post](https://github.com/hashicorp/terraform-provider-aws/pull/9032#issuecomment-639545250) for details on the difference between inline rules and rule resources. | `bool` | `false` | no | | [instance\_type](#input\_instance\_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | | [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | @@ -272,13 +273,15 @@ Available targets: | [parameter\_group\_description](#input\_parameter\_group\_description) | Managed by Terraform | `string` | `null` | no | | [parameter\_group\_name](#input\_parameter\_group\_name) | Override the default parameter group name | `string` | `null` | no | | [port](#input\_port) | Redis port | `number` | `6379` | no | +| [preserve\_security\_group\_id](#input\_preserve\_security\_group\_id) | When `false` and `create_before_destroy` is `true`, changes to security group rules
cause a new security group to be created with the new rules, and the existing security group is then
replaced with the new one, eliminating any service interruption.
When `true` or when changing the value (from `false` to `true` or from `true` to `false`),
existing security group rules will be deleted before new ones are created, resulting in a service interruption,
but preserving the security group itself.
**NOTE:** Setting this to `true` does not guarantee the security group will never be replaced,
it only keeps changes to the security group rules from triggering a replacement.
See the README for further discussion. | `bool` | `false` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | +| [revoke\_rules\_on\_delete](#input\_revoke\_rules\_on\_delete) | Instruct Terraform to revoke all of the Security Group's attached ingress and egress rules before deleting
the security group itself. This is normally not needed. | `bool` | `false` | no | | [security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are upgrading this module and need to keep
the existing security group from being replaced.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no | | [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | | [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no | | [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced.
Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no | -| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | +| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | | [snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no | | [snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no | | [snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | @@ -286,6 +289,7 @@ Available targets: | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [subnets](#input\_subnets) | Subnet IDs | `list(string)` | `[]` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [target\_security\_group\_id](#input\_target\_security\_group\_id) | The ID of an existing Security Group to which Security Group rules will be assigned.
The Security Group's name and description will not be changed.
Not compatible with `inline_rules_enabled` or `revoke_rules_on_delete`.
If not provided (the default), this module will create a security group. | `list(string)` | `[]` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | | [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | | [use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | DEPRECATED: Use `create_security_group` instead.
Historical description: Flag to enable/disable creation of Security Group in the module.
Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.
Historical default: `false` | `bool` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 7fb0a3ef..2bdf23e1 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -16,7 +16,7 @@ | Name | Source | Version | |------|--------|---------| -| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 1.0.1 | +| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 2.2.0 | | [dns](#module\_dns) | cloudposse/route53-cluster-hostname/aws | 0.12.2 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -73,6 +73,7 @@ | [family](#input\_family) | Redis family | `string` | `"redis4.0"` | no | | [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [inline\_rules\_enabled](#input\_inline\_rules\_enabled) | NOT RECOMMENDED. Create rules "inline" instead of as separate `aws_security_group_rule` resources.
See [#20046](https://github.com/hashicorp/terraform-provider-aws/issues/20046) for one of several issues with inline rules.
See [this post](https://github.com/hashicorp/terraform-provider-aws/pull/9032#issuecomment-639545250) for details on the difference between inline rules and rule resources. | `bool` | `false` | no | | [instance\_type](#input\_instance\_type) | Elastic cache instance type | `string` | `"cache.t2.micro"` | no | | [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. `at_rest_encryption_enabled` must be set to `true` | `string` | `null` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | @@ -90,13 +91,15 @@ | [parameter\_group\_description](#input\_parameter\_group\_description) | Managed by Terraform | `string` | `null` | no | | [parameter\_group\_name](#input\_parameter\_group\_name) | Override the default parameter group name | `string` | `null` | no | | [port](#input\_port) | Redis port | `number` | `6379` | no | +| [preserve\_security\_group\_id](#input\_preserve\_security\_group\_id) | When `false` and `create_before_destroy` is `true`, changes to security group rules
cause a new security group to be created with the new rules, and the existing security group is then
replaced with the new one, eliminating any service interruption.
When `true` or when changing the value (from `false` to `true` or from `true` to `false`),
existing security group rules will be deleted before new ones are created, resulting in a service interruption,
but preserving the security group itself.
**NOTE:** Setting this to `true` does not guarantee the security group will never be replaced,
it only keeps changes to the security group rules from triggering a replacement.
See the README for further discussion. | `bool` | `false` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints:
A name must contain from 1 to 20 alphanumeric characters or hyphens.
The first character must be a letter.
A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no | +| [revoke\_rules\_on\_delete](#input\_revoke\_rules\_on\_delete) | Instruct Terraform to revoke all of the Security Group's attached ingress and egress rules before deleting
the security group itself. This is normally not needed. | `bool` | `false` | no | | [security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are upgrading this module and need to keep
the existing security group from being replaced.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no | | [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | | [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no | | [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced.
Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no | -| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | +| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | | [snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no | | [snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no | | [snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no | @@ -104,6 +107,7 @@ | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [subnets](#input\_subnets) | Subnet IDs | `list(string)` | `[]` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [target\_security\_group\_id](#input\_target\_security\_group\_id) | The ID of an existing Security Group to which Security Group rules will be assigned.
The Security Group's name and description will not be changed.
Not compatible with `inline_rules_enabled` or `revoke_rules_on_delete`.
If not provided (the default), this module will create a security group. | `list(string)` | `[]` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | | [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no | | [use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | DEPRECATED: Use `create_security_group` instead.
Historical description: Flag to enable/disable creation of Security Group in the module.
Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.
Historical default: `false` | `bool` | `null` | no | diff --git a/main.tf b/main.tf index 16751c56..7eed8e6c 100644 --- a/main.tf +++ b/main.tf @@ -32,10 +32,12 @@ locals { module "aws_security_group" { source = "cloudposse/security-group/aws" - version = "1.0.1" + version = "2.2.0" enabled = local.create_security_group + target_security_group_id = var.target_security_group_id + allow_all_egress = local.allow_all_egress security_group_name = var.security_group_name rules_map = local.sg_rules @@ -57,7 +59,10 @@ module "aws_security_group" { security_group_description = local.security_group_description - create_before_destroy = var.security_group_create_before_destroy + create_before_destroy = var.security_group_create_before_destroy + preserve_security_group_id = var.preserve_security_group_id + inline_rules_enabled = var.inline_rules_enabled + revoke_rules_on_delete = var.revoke_rules_on_delete security_group_create_timeout = var.security_group_create_timeout security_group_delete_timeout = var.security_group_delete_timeout diff --git a/security_group_inputs.tf b/security_group_inputs.tf index 5958bada..ed02ac8f 100644 --- a/security_group_inputs.tf +++ b/security_group_inputs.tf @@ -37,15 +37,18 @@ locals { allowed_security_group_ids = concat(var.allowed_security_groups, var.allowed_security_group_ids) } - variable "security_group_name" { type = list(string) - default = [] description = <<-EOT - The name to assign to the created security group. Must be unique within the VPC. + The name to assign to the security group. Must be unique within the VPC. If not provided, will be derived from the `null-label.context` passed in. If `create_before_destroy` is true, will be used as a name prefix. EOT + default = [] + validation { + condition = length(var.security_group_name) < 2 + error_message = "Only 1 security group name can be provided." + } } variable "security_group_description" { @@ -110,3 +113,54 @@ variable "additional_security_group_rules" { To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . EOT } + +# Security Group Inputs (v2) +variable "target_security_group_id" { + type = list(string) + description = <<-EOT + The ID of an existing Security Group to which Security Group rules will be assigned. + The Security Group's name and description will not be changed. + Not compatible with `inline_rules_enabled` or `revoke_rules_on_delete`. + If not provided (the default), this module will create a security group. + EOT + default = [] + validation { + condition = length(var.target_security_group_id) < 2 + error_message = "Only 1 security group can be targeted." + } +} + +variable "preserve_security_group_id" { + type = bool + description = <<-EOT + When `false` and `create_before_destroy` is `true`, changes to security group rules + cause a new security group to be created with the new rules, and the existing security group is then + replaced with the new one, eliminating any service interruption. + When `true` or when changing the value (from `false` to `true` or from `true` to `false`), + existing security group rules will be deleted before new ones are created, resulting in a service interruption, + but preserving the security group itself. + **NOTE:** Setting this to `true` does not guarantee the security group will never be replaced, + it only keeps changes to the security group rules from triggering a replacement. + See the README for further discussion. + EOT + default = false +} + +variable "revoke_rules_on_delete" { + type = bool + description = <<-EOT + Instruct Terraform to revoke all of the Security Group's attached ingress and egress rules before deleting + the security group itself. This is normally not needed. + EOT + default = false +} + +variable "inline_rules_enabled" { + type = bool + description = <<-EOT + NOT RECOMMENDED. Create rules "inline" instead of as separate `aws_security_group_rule` resources. + See [#20046](https://github.com/hashicorp/terraform-provider-aws/issues/20046) for one of several issues with inline rules. + See [this post](https://github.com/hashicorp/terraform-provider-aws/pull/9032#issuecomment-639545250) for details on the difference between inline rules and rule resources. + EOT + default = false +}