From f1cb219c5e412fa7ddd07b0db184bfdaca49e76c Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 26 Jan 2023 11:38:19 +0000 Subject: [PATCH 1/8] add option to pass in existing security group --- README.md | 6 +++++- main.tf | 3 ++- variables.tf | 11 +++++++++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b2eb2c9c..841124b0 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,11 @@ A Terraform module that creates application loadbalancer (with loadbalancer secu An s3 bucket name can be provided in the module by adding the `existing_bucket_name` variable and adding the bucket name. Otherwise, if no bucket exists one will be created and no variable needs to be set in the module. -A locals for the loadbalancer security group is necessary to satisfy the `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables and creates security group rules for the loadbalancer security group. Below is an example: +Either pass in existing security group(s) to attach to the load balancer using the `security_groups` variable, or define `loadbalancer_ingress_rules` and `loadbalancer_egre +ss_rules` variables to create a new security group within the module. + +If using the module to create the security group, you can use locals to define the rules for the `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables as i +n the below example. ``` locals { diff --git a/main.tf b/main.tf index d779f65d..6c39c55d 100644 --- a/main.tf +++ b/main.tf @@ -125,7 +125,7 @@ resource "aws_lb" "loadbalancer" { name = "${var.application_name}-lb" internal = var.internal_lb load_balancer_type = "application" - security_groups = [aws_security_group.lb.id] + security_groups = var.security_groups == null ? [aws_security_group.lb.id] : var.security_groups subnets = [var.public_subnets[0], var.public_subnets[1], var.public_subnets[2]] enable_deletion_protection = var.enable_deletion_protection idle_timeout = var.idle_timeout 
@@ -146,6 +146,7 @@ resource "aws_lb" "loadbalancer" { } resource "aws_security_group" "lb" { + count = var.security_groups == null ? 1 : 0 name = "${var.application_name}-lb-security-group" description = "Controls access to the loadbalancer" vpc_id = data.aws_vpc.shared.id diff --git a/variables.tf b/variables.tf index daa1c1c7..3f6cfbe5 100644 --- a/variables.tf +++ b/variables.tf @@ -15,7 +15,7 @@ variable "public_subnets" { description = "Public subnets" } variable "loadbalancer_ingress_rules" { - description = "Security group ingress rules for the loadbalancer" + description = "Create new security group with these ingress rules for the loadbalancer. Or use the security_groups var to attach existing group(s)" type = map(object({ description = string from_port = number @@ -24,10 +24,11 @@ variable "loadbalancer_ingress_rules" { security_groups = list(string) cidr_blocks = list(string) })) + default = {} } variable "loadbalancer_egress_rules" { - description = "Security group egress rules for the loadbalancer" + description = "Create new security group with these egress rules for the loadbalancer. Or use the security_groups var to attach existing group(s)" type = map(object({ description = string from_port = number @@ -36,6 +37,12 @@ variable "loadbalancer_egress_rules" { security_groups = list(string) cidr_blocks = list(string) })) + default = {} +} +variable "security_groups" { + description = "List of existing security group ids to attach to the load balancer. You can use this instead of loadbalancer_ingress_rules,loadbalancer_egress_rules vars" + type = list(string) + default = null } variable "vpc_all" { type = string From 1d2734d8c1e1b6a681300f7b46c9a3156bba137a Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 26 Jan 2023 13:54:19 +0000 Subject: [PATCH 2/8] fix --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 6c39c55d..a7eaae80 100644 --- a/main.tf +++ b/main.tf 
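Review bot: Adding `count` to `aws_security_group.lb` changes its state address from `aws_security_group.lb` to `aws_security_group.lb[0]`, so an existing deployment upgrading to this version plans a destroy-and-recreate of the load balancer's security group instead of a no-op, with a window in which the LB's access control is torn down and rebuilt. If the module's required Terraform version is 1.1 or later, a `moved` block with `from = aws_security_group.lb` and `to = aws_security_group.lb[0]` keeps the existing group in state. The resource body continues outside the hunk, and any `aws_security_group_rule` resources elsewhere in main.tf that still reference `aws_security_group.lb.id` presumably need the same `[0]` index plus a `for_each` that is empty when `var.security_groups` is set, otherwise planning fails when the count is 0.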
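Review bot: The new `security_groups` variable accepts any non-null list, so a caller passing `[]` disables creation of the module's group (the `count` in main.tf tests only for `null`) and hands the load balancer an empty security group list; whether the provider rejects that or the LB ends up with a default group is not something the module should leave open. A `validation` block with `condition = var.security_groups == null || length(var.security_groups) > 0` and an `error_message` stating that the list must be null or non-empty rejects it at plan time. Separately, now that `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` both default to `{}` (this hunk and the @@ -24 hunk above it), rules a caller supplies alongside `security_groups` are either ignored or fail to plan, depending on how the rule resources outside this diff handle the missing group; the descriptions should say which, e.g. `description = "List of existing security group ids to attach to the load balancer. When set, loadbalancer_ingress_rules and loadbalancer_egress_rules are ignored."`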
@@ -125,7 +125,7 @@ resource "aws_lb" "loadbalancer" { name = "${var.application_name}-lb" internal = var.internal_lb load_balancer_type = "application" - security_groups = var.security_groups == null ? [aws_security_group.lb.id] : var.security_groups + security_groups = length(aws_security_group.lb) > 0 ? [aws_security_group.lb[0].id] : var.security_groups subnets = [var.public_subnets[0], var.public_subnets[1], var.public_subnets[2]] enable_deletion_protection = var.enable_deletion_protection idle_timeout = var.idle_timeout From f5a2793532722e100e3e51b54a3d7c58660dc28b Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 26 Jan 2023 14:12:35 +0000 Subject: [PATCH 3/8] fix --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index c9eb5e9b..2b863e1c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -3,7 +3,7 @@ output "athena_db" { } output "security_group" { - value = aws_security_group.lb + value = len(aws_security_group.lb) > 0 ? aws_security_group.lb[0] : null } output "load_balancer" { From 971702f1a5c4bd404d7c36f46a7dddf6db7080b8 Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 26 Jan 2023 14:13:40 +0000 Subject: [PATCH 4/8] fix --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 2b863e1c..96f8ab80 100644 --- a/outputs.tf +++ b/outputs.tf @@ -3,7 +3,7 @@ output "athena_db" { } output "security_group" { - value = len(aws_security_group.lb) > 0 ? aws_security_group.lb[0] : null + value = length(aws_security_group.lb) > 0 ? aws_security_group.lb[0] : null } output "load_balancer" { From 34707f42b99e975f9948e9e9c3ee3c06ebc762fe Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 26 Jan 2023 14:39:08 +0000 Subject: [PATCH 5/8] fix --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 841124b0..4ea674f4 100644 --- a/README.md +++ b/README.md 
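Review bot: The decision of whether the module owns the load balancer's security group is now encoded twice in main.tf: as `var.security_groups == null` in the `count` on `aws_security_group.lb` and as `length(aws_security_group.lb) > 0` on this line. They agree today, but a single `local.create_lb_sg = var.security_groups == null` referenced from both places makes the rule visible at a glance and stops the two from drifting, which for the attachment that controls what can reach the LB would only surface at apply. This line would then read `security_groups = local.create_lb_sg ? [aws_security_group.lb[0].id] : var.security_groups`. The `aws_lb` resource body continues outside the hunk.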
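Review bot: The `security_group` output now yields `null` whenever callers attach their own groups, which is a behaviour change for any consumer that previously read `module.<name>.security_group.id` unconditionally, and the hunk adds no `description` saying so. Terraform's `one()` states the intent more directly than the length test: `value = one(aws_security_group.lb)` returns the single created group, or `null` when the count is 0. Adding `description = "The security group created by the module, or null when existing groups are supplied via security_groups"` to the output makes the contract explicit for downstream modules that attach rules to it.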
@@ -6,8 +6,7 @@ A Terraform module that creates application loadbalancer (with loadbalancer secu An s3 bucket name can be provided in the module by adding the `existing_bucket_name` variable and adding the bucket name. Otherwise, if no bucket exists one will be created and no variable needs to be set in the module. -Either pass in existing security group(s) to attach to the load balancer using the `security_groups` variable, or define `loadbalancer_ingress_rules` and `loadbalancer_egre -ss_rules` variables to create a new security group within the module. +Either pass in existing security group(s) to attach to the load balancer using the `security_groups` variable, or define `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables to create a new security group within the module. If using the module to create the security group, you can use locals to define the rules for the `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables as i n the below example. From 5475e3620b6f41f12c8aff8c4402f6eabd243aa2 Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 26 Jan 2023 14:39:44 +0000 Subject: [PATCH 6/8] fix --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 4ea674f4..5c6a6d25 100644 --- a/README.md +++ b/README.md 
@@ -8,8 +8,7 @@ An s3 bucket name can be provided in the module by adding the `existing_bucket_n Either pass in existing security group(s) to attach to the load balancer using the `security_groups` variable, or define `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables to create a new security group within the module. -If using the module to create the security group, you can use locals to define the rules for the `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables as i -n the below example. +If using the module to create the security group, you can use locals to define the rules for the `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables as in the below example. ``` locals { From 618616627724e8d6fd87d9f836b36a2ac9d949f0 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 26 Jan 2023 14:44:23 +0000 Subject: [PATCH 7/8] terraform-docs: automated action --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5c6a6d25..68ce04a4 100644 --- a/README.md +++ b/README.md @@ -189,10 +189,11 @@ If you're looking to raise an issue with this module, please create a new issue | [force\_destroy\_bucket](#input\_force\_destroy\_bucket) | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | | [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. | `string` | n/a | yes | | [internal\_lb](#input\_internal\_lb) | A boolean that determines whether the load balancer is internal or internet-facing. | `bool` | `false` | no | -| [loadbalancer\_egress\_rules](#input\_loadbalancer\_egress\_rules) | Security group egress rules for the loadbalancer |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| n/a | yes | -| [loadbalancer\_ingress\_rules](#input\_loadbalancer\_ingress\_rules) | Security group ingress rules for the loadbalancer |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| n/a | yes | +| [loadbalancer\_egress\_rules](#input\_loadbalancer\_egress\_rules) | Create new security group with these egress rules for the loadbalancer. Or use the security\_groups var to attach existing group(s) |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| `{}` | no | +| [loadbalancer\_ingress\_rules](#input\_loadbalancer\_ingress\_rules) | Create new security group with these ingress rules for the loadbalancer. Or use the security\_groups var to attach existing group(s) |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| `{}` | no | | [public\_subnets](#input\_public\_subnets) | Public subnets | `list(string)` | n/a | yes | | [region](#input\_region) | AWS Region where resources are to be created | `string` | n/a | yes | +| [security\_groups](#input\_security\_groups) | List of existing security group ids to attach to the load balancer. You can use this instead of loadbalancer\_ingress\_rules,loadbalancer\_egress\_rules vars | `list(string)` | `null` | no | | [tags](#input\_tags) | Common tags to be used by all resources | `map(string)` | n/a | yes | | [vpc\_all](#input\_vpc\_all) | The full name of the VPC (including environment) used to create resources | `string` | n/a | yes | From 566b0ac27f3a2f79c6784ad73b14d68ec15f2944 Mon Sep 17 00:00:00 2001 From: Dominic Robinson Date: Thu, 26 Jan 2023 15:12:50 +0000 Subject: [PATCH 8/8] dummy change to re-trigger go tests --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 68ce04a4..e9299bd6 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,6 @@ locals { security_groups = [] } } - loadbalancer_egress_rules = { "cluster_ec2_lb_egress" = { description = "Cluster EC2 loadbalancer egress rule"