Upgrade security group module

.github/auto-release.yml

@@ -17,7 +17,6 @@ version-resolver:
     - 'bugfix'
     - 'bug'
     - 'hotfix'
-    - 'no-release'
   default: 'minor'
 
 categories:

.github/renovate.json

@@ -4,9 +4,9 @@
     ":preserveSemverRanges"
   ],
   "labels": ["auto-update"],
+  "dependencyDashboardAutoclose": true,
   "enabledManagers": ["terraform"],
   "terraform": {
     "ignorePaths": ["**/context.tf", "examples/**"]
   }
 }
-

README.yaml

@@ -71,10 +71,19 @@ usage: |-
   For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
   (which tests and deploys the example on AWS), see [test](test).
 
+  **NOTE**: Release `0.7.0` contains breaking changes. To preserve the SG, follow the instructions in the [0.6.0 to 0.7.x+ migration path](./docs/migration-0.6.0-0.7.x+.md).
+
   ```hcl
-  module "example" {
-    source = "https://github.com/cloudposse/terraform-aws-transfer-sftp.git?ref=master"
-    example = "Hello world!"
+  module "sftp" {
+    source = "cloudposse/sftp-transfer/aws"
+    # Cloud Posse recommends pinning every module to a specific version
+    # version     = "x.x.x"
+
+    sftp_users = var.sftp_users
+
+    s3_bucket_name = module.s3_bucket.bucket_id
+
+    context = module.this.context
   }
   ```
 
@@ -96,3 +105,5 @@ include:
 contributors:
   - name: "Erik Osterman"
     github: "osterman"
+  - name: "RB"
+    github: "nitrocode"

docs/migration-0.6.0-0.7.x+.md

@@ -0,0 +1,11 @@
+# Migration from 0.6.0 to 0.7.x+
+
+Change the following
+
+- `security_group_enabled` to `create_security_group`
+- `security_group_use_name_prefix` to `security_group_create_before_destroy`. This now defaults to `true`.
+- `security_group_rules` to `additional_security_group_rules` and omit the port `22` rules since those are added by the new version of the module.
+- `security_group_description` may need to be set to `The Security Group description.` which was the original description in version 0.6.0.
+- `vpc_security_group_ids` to `associated_security_group_ids`
+
+A terraform state move may be needed in case the security group resource has moved between versions.

examples/complete/fixtures.us-east-2.tfvars

@@ -16,6 +16,5 @@ sftp_users = {
   "kenny" = {
     user_name  = "kenny",
     public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCYN8IRq10gKJj5/y2IHYFFRXHctJ+VblcsOnwvsbUIB+PKMLLWd5ySpW30s8OFVcxpMu2VXzXVKRGGbOUbZEN7MqH9xkW8eV6tSfXsZK2osLdIQ3QG3eSyoN4gPFlDBkZSzmkb2oaaclGPGRezbzDnp+oz8IiC5ZE8aprq3Xk850fifIEEOhJtVsrL84uwgx4LGZMMQmLdf6xm2SMSMx53zDPtSnlSeMlC2qUz6LBC41gwObQDoh0j3svsENf8FS8iIkdX50NaRoZvhJU0Oud5A7bj3zz0xtKn6uQZnL9hb6ttvp2/mNe1CKBZt9hUdrn4SHPs0sbWYbQLTzp+9okcg8LCe7qnFdHH7xQGp17SAgi5f91RPOUWtqvkOC5yoVaveR82KZObU+HSCfT/PObLjdUDtWrZABp4VM/u5t9Fn6BQ+eRSAiCIqLQlizs9kpKO8LYX7CagxRJz8KtRXfhndA3nTFq35vml8rD5hKsTrtbSkycmytQZ8TF7IwuN0amRfZ7Iwb3/eLTEv6jp5PKKVprBvnjDH1ipn/AwidsKrbCCVquKg0X/7rwVLrvMuYAtlxPLqjqZpvfTwXBwLlHTEuCvuh/Y/TpjJqqxCnbY/6R4TcabHVGsA4b1kVajRbvVPZPGVcWs+XvycO4Y8KR/hZZGGxK16SVFGbrnhX1D2Q== [email protected]"
-
   }
 }

examples/complete/main.tf

@@ -13,7 +13,7 @@ module "s3_bucket" {
   context = module.this.context
 }
 
-module "example" {
+module "sftp" {
   source = "../.."
 
   sftp_users = var.sftp_users

examples/complete/outputs.tf

@@ -1,9 +1,9 @@
 output "id" {
   description = "ID of the created example"
-  value       = module.example.id
+  value       = module.sftp.id
 }
 
 output "transfer_endpoint" {
   description = "Endpoint for your SFTP connection"
-  value       = module.example.transfer_endpoint
+  value       = module.sftp.transfer_endpoint
 }

examples/complete/versions.tf

@@ -1,5 +1,11 @@
 terraform {
-  required_version = ">= 0.13.7"
+  required_version = ">= 1.0.0"
 
-  required_providers {}
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0"
+    }
+  }
 }
+

examples/vpc/main.tf

@@ -34,11 +34,11 @@ module "s3_bucket" {
   context = module.this.context
 }
 
-module "example" {
+module "sftp" {
   source = "../.."
 
-  eip_enabled            = true
-  security_group_enabled = true
+  eip_enabled           = true
+  create_security_group = true
   security_group_rules = [{
     type        = "ingress"
     from_port   = 22

examples/vpc/outputs.tf

@@ -1,9 +1,9 @@
 output "id" {
   description = "ID of the created example"
-  value       = module.example.id
+  value       = module.sftp.id
 }
 
 output "transfer_endpoint" {
   description = "Endpoint for your SFTP connection"
-  value       = module.example.transfer_endpoint
+  value       = module.sftp.transfer_endpoint
 }

examples/vpc/versions.tf

@@ -1,5 +1,11 @@
 terraform {
-  required_version = ">= 0.13.7"
+  required_version = ">= 1.0.0"
 
-  required_providers {}
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0"
+    }
+  }
 }
+

main.tf

@@ -1,8 +1,10 @@
 locals {
   enabled = module.this.enabled
 
-  is_vpc                 = var.vpc_id != null
-  security_group_enabled = module.this.enabled && var.security_group_enabled
+  is_vpc        = var.vpc_id != null
+  endpoint_type = var.vpc_endpoint_id != null ? "VPC_ENDPOINT" : (local.is_vpc ? "VPC" : "PUBLIC")
+
+  security_group_enabled = module.this.enabled && (var.create_security_group && var.security_group_enabled) && local.is_vpc
   user_names             = keys(var.sftp_users)
   user_names_map         = { for idx, user in local.user_names : idx => user }
 }
@@ -19,7 +21,7 @@ resource "aws_transfer_server" "default" {
   identity_provider_type = "SERVICE_MANAGED"
   protocols              = ["SFTP"]
   domain                 = var.domain
-  endpoint_type          = local.is_vpc ? "VPC" : "PUBLIC"
+  endpoint_type          = local.endpoint_type
   force_destroy          = var.force_destroy
   security_policy_name   = var.security_policy_name
   logging_role           = join("", aws_iam_role.logging[*].arn)
@@ -29,9 +31,10 @@ resource "aws_transfer_server" "default" {
 
     content {
       subnet_ids             = var.subnet_ids
-      security_group_ids     = local.security_group_enabled ? module.security_group.*.id : var.vpc_security_group_ids
+      security_group_ids     = local.security_group_enabled ? module.security_group.*.id : concat(var.associated_security_group_ids, var.vpc_security_group_ids)
       vpc_id                 = var.vpc_id
       address_allocation_ids = var.eip_enabled ? aws_eip.sftp.*.id : var.address_allocation_ids
+      vpc_endpoint_id        = var.vpc_endpoint_id
     }
   }
 
@@ -47,7 +50,7 @@ resource "aws_transfer_user" "default" {
   user_name = each.value.user_name
 
   home_directory_type = var.restricted_home ? "LOGICAL" : "PATH"
-  home_directory      = ! var.restricted_home ? "/${var.s3_bucket_name}" : null
+  home_directory      = !var.restricted_home ? "/${var.s3_bucket_name}" : null
 
   dynamic "home_directory_mappings" {
     for_each = var.restricted_home ? [1] : []
@@ -78,18 +81,45 @@ resource "aws_eip" "sftp" {
   count = local.enabled && var.eip_enabled ? length(var.subnet_ids) : 0
 
   vpc = local.is_vpc
+
+  tags = module.this.tags
 }
 
 module "security_group" {
-  source  = "cloudposse/security-group/aws"
-  version = "0.3.1"
-
-  use_name_prefix = var.security_group_use_name_prefix
-  rules           = var.security_group_rules
-  description     = var.security_group_description
-  vpc_id          = local.is_vpc ? var.vpc_id : null
+  source = "git::https://github.com/cloudposse/terraform-aws-security-group?ref=2.0.0-rc1"
+  # source  = "cloudposse/security-group/aws"
+  # version = "1.0.1"
+
+  enabled                       = local.security_group_enabled
+  security_group_name           = var.security_group_name
+  create_before_destroy         = var.security_group_create_before_destroy
+  security_group_create_timeout = var.security_group_create_timeout
+  security_group_delete_timeout = var.security_group_delete_timeout
+  security_group_description    = var.security_group_description
+  preserve_security_group_id    = var.preserve_security_group_id
+  allow_all_egress              = var.allow_all_egress
+
+  rules = var.additional_security_group_rules
+  rule_matrix = [
+    {
+      source_security_group_ids = var.allowed_security_group_ids
+      cidr_blocks               = var.allowed_cidr_blocks
+      ipv6_cidr_blocks          = var.allowed_ipv6_cidr_blocks
+      prefix_list_ids           = var.allowed_ipv6_prefix_list_ids
+      rules = [
+        {
+          key         = "in"
+          type        = "ingress"
+          from_port   = 22
+          to_port     = 22
+          protocol    = "tcp"
+          description = "Allow ingress EFS traffic"
+        }
+      ]
+    }
+  ]
+  vpc_id = local.is_vpc ? var.vpc_id : null
 
-  enabled = local.security_group_enabled
   context = module.this.context
 }
 
@@ -199,6 +229,8 @@ resource "aws_iam_policy" "s3_access_for_sftp_users" {
 
   name   = module.iam_label[index(local.user_names, each.value)].id
   policy = data.aws_iam_policy_document.s3_access_for_sftp_users[index(local.user_names, each.value)].json
+
+  tags = module.this.tags
 }
 
 resource "aws_iam_role" "s3_access_for_sftp_users" {
@@ -208,13 +240,17 @@ resource "aws_iam_role" "s3_access_for_sftp_users" {
 
   assume_role_policy  = join("", data.aws_iam_policy_document.assume_role_policy[*].json)
   managed_policy_arns = [aws_iam_policy.s3_access_for_sftp_users[index(local.user_names, each.value)].arn]
+
+  tags = module.this.tags
 }
 
 resource "aws_iam_policy" "logging" {
   count = local.enabled ? 1 : 0
 
   name   = module.logging_label.id
   policy = join("", data.aws_iam_policy_document.logging[*].json)
+
+  tags = module.this.tags
 }
 
 resource "aws_iam_role" "logging" {
@@ -223,4 +259,6 @@ resource "aws_iam_role" "logging" {
   name                = module.logging_label.id
   assume_role_policy  = join("", data.aws_iam_policy_document.assume_role_policy[*].json)
   managed_policy_arns = [join("", aws_iam_policy.logging[*].arn)]
+
+  tags = module.this.tags
 }

outputs.tf

@@ -1,6 +1,6 @@
 output "id" {
-  description = "ID of the created example"
-  value       = module.this.enabled ? module.this.id : null
+  description = "The ID of the Transfer Server"
+  value       = module.this.enabled ? join("", aws_transfer_server.default.*.id) : null
 }
 
 output "transfer_endpoint" {