v0.15.0 Unstable Pre-Release

@cloudpossebot cloudpossebot released this 15 Jun 19:19 (commit 06704f9)

We are revising and standardizing our handling of security groups and security group rules across all our Terraform modules. This is an early attempt with significant breaking changes. We will make further breaking changes soon, so using this version is not recommended.

Breaking changes

If there is something not documented here, please let us know by filing a ticket.

  • var.allowed_security_groups is removed in favor of the security group module's var.security_group_rules, where each rule can carry a single source_security_group_id

  • var.allowed_cidr_blocks is removed in favor of the security group module's var.security_group_rules, where each rule can carry a list of cidr_blocks

  • var.use_existing_security_groups is replaced with var.security_group_enabled (note that if the former was true, the latter should be false)

  • var.existing_security_groups is replaced with var.security_groups

  • the security group has moved; move it in state with:

    terraform state mv \
      "module.mq_broker.aws_security_group.default[0]" \
      "module.mq_broker.module.security_group.aws_security_group.default[0]"
  • the default security_group_rules allows no ingress; ingress rules can be added manually, for example:

    Note: every object in the list must have the same set of keys, because Terraform infers a single object type for the whole list

    security_group_rules = [
      {
        type                     = "egress"
        from_port                = 0
        to_port                  = 65535
        protocol                 = "-1"
        cidr_blocks              = ["0.0.0.0/0"]
        source_security_group_id = null
        description              = "Allow all outbound traffic"
      },
      {
        type                     = "ingress"
        from_port                = 0
        to_port                  = 65535
        protocol                 = "-1"
        cidr_blocks              = []
        source_security_group_id = local.security_group_id # provide existing security group or comment out this rule
        description              = "Allow inbound traffic from existing security groups"
      },
      {
        type                     = "ingress"
        from_port                = 0
        to_port                  = 65535
        protocol                 = "-1"
        cidr_blocks              = [] # provide cidr blocks or comment out this rule
        source_security_group_id = null
        description              = "Allow inbound traffic from CIDR blocks"
      }
    ]
  • the security group rules have moved

    Note: the new security group rule names are generated during plan, so run terraform plan first to obtain the new names before moving the rules. Replace someguid in each command with the value generated for that rule.

    terraform state mv \
      'module.mq_broker.aws_security_group_rule.egress[0]' \
      'module.mq_broker.module.security_group.aws_security_group_rule.default["egress--1-0-65535-someguid"]'
    terraform state mv \
      'module.mq_broker.aws_security_group_rule.ingress_security_groups[0]' \
      'module.mq_broker.module.security_group.aws_security_group_rule.default["ingress-tcp--1-0-65535-someguid"]'
    terraform state mv \
      'module.mq_broker.aws_security_group_rule.ingress_cidr_blocks[0]' \
      'module.mq_broker.module.security_group.aws_security_group_rule.default["ingress-tcp--1-0-65535-someguid"]'
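A small pre-commit check for a security_group_rules list in its JSON form (e.g. a *.tfvars.json file), added here as an example and not part of the module: it enforces the same-keys-per-element note above, flags the placeholder ingress rules that were left with neither cidr_blocks nor source_security_group_id filled in (the ones the comments say to fill or comment out), and reports ingress open to the world. The sample list and the sg- id in it are constructed.

```python
"""Sanity checks for a security_group_rules list before passing it to the module.
Added example, not the module's code. Rule shape follows the release notes:
type, from_port, to_port, protocol, cidr_blocks, source_security_group_id, description.
The sample below is constructed; the sg- id is a placeholder."""
import json

SAMPLE_RULES_JSON = """[
  {"type": "egress", "from_port": 0, "to_port": 65535, "protocol": "-1",
   "cidr_blocks": ["0.0.0.0/0"], "source_security_group_id": null,
   "description": "Allow all outbound traffic"},
  {"type": "ingress", "from_port": 0, "to_port": 65535, "protocol": "-1",
   "cidr_blocks": [], "source_security_group_id": "sg-0123456789abcdef0",
   "description": "Allow inbound traffic from existing security groups"},
  {"type": "ingress", "from_port": 0, "to_port": 65535, "protocol": "-1",
   "cidr_blocks": ["0.0.0.0/0"],
   "description": "Missing key and world-open ingress"}
]"""


def check_rules(rules):
    """Return a list of (index, message) findings; an empty list means clean."""
    findings = []
    # Terraform infers one object type for the whole list, so every element
    # must carry the same keys (the "same json keys per index" note).
    key_sets = [frozenset(rule) for rule in rules]
    if len(set(key_sets)) > 1:
        all_keys = frozenset().union(*key_sets)
        for i, keys in enumerate(key_sets):
            missing = sorted(all_keys - keys)
            if missing:
                findings.append((i, f"missing keys {missing}"))
    for i, rule in enumerate(rules):
        cidrs = rule.get("cidr_blocks") or []
        sg_id = rule.get("source_security_group_id")
        # A rule needs one source: either CIDR blocks or a security group, not
        # both and not neither (an unfilled placeholder from the template).
        if bool(cidrs) == bool(sg_id):
            findings.append((i, "rule needs exactly one of cidr_blocks or source_security_group_id"))
        if rule.get("type") == "ingress" and any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append((i, "ingress open to the world; restrict cidr_blocks"))
    return findings


def check_rules_json(text):
    """Parse the JSON form of the list and run the checks."""
    return check_rules(json.loads(text))


if __name__ == "__main__":
    for idx, msg in check_rules_json(SAMPLE_RULES_JSON):
        print(f"rule[{idx}]: {msg}")
```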
feat: use security-group module instead of resource @SweetOps (#32)

what

  • use security-group module instead of resource
  • update tests

why

  • more flexible than current implementation
  • bring configuration of security group/rules to one standard

references

  • CPCO-409