Skip to content

v0.40.0 Unstable Pre-Release

Pre-release
Pre-release

Choose a tag to compare

View all tags
@cloudpossebot cloudpossebot released this 15 Jun 17:02
0.40.0
03eec08
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

We are revising and standardizing our handling of security groups and security group rules across all our Terraform modules. This is an early attempt with significant breaking changes. We will make further breaking changes soon, so using this version is not recommended.

BREAKING CHANGES

Click for details and migration guidance

If there is something not documented here, please let us know by filing a ticket.

  • var.allowed_security_groups is removed in favor of the security group module's var.security_group_rules which can contain a single source_security_group_id per rule

  • var.allowed_cidr_blocks is removed in favor of the security group module's var.security_group_rules which can contain a cidr_blocks

  • var.use_existing_security_groups is replaced with var.security_group_enabled (note that if the former was true, the latter should be false)

  • var.existing_security_groups is replaced with var.security_groups

  • security group has moved

    terraform state mv \
  "module.redis.aws_security_group.default[0]" \
  "module.redis.module.security_group.aws_security_group.default[0]"

  • default security_group_rules does not allow ingress but this can be added manually.

    Note: The list must have the same json keys per index

    security_group_rules = [
  {
    type                     = "egress"
    from_port                = 0
    to_port                  = 65535
    protocol                 = "-1"
    cidr_blocks              = ["0.0.0.0/0"]
    source_security_group_id = null
    description              = "Allow all outbound traffic"
  },
  {
    type                     = "ingress"
    from_port                = 6379
    to_port                  = 6379
    protocol                 = "tcp"
    cidr_blocks              = []
    source_security_group_id = local.security_group_id # provide existing security group or comment out this rule
    description              = "Allow inbound traffic from existing Security Groups"
  },
  {
    type                     = "ingress"
    from_port                = 6379
    to_port                  = 6379
    protocol                 = "tcp"
    cidr_blocks              = [] # provide cidr blocks or comment out this rule
    source_security_group_id = null
    description              = "Allow inbound traffic from CIDR blocks"
  }
]

  • security group rules have been moved

    Note: since the new security group rule names are generated upon a plan, the plan will need to be run first to generate the new names in order to move the rules. Replace someguid with the appropriate value.

    terraform state mv \
  'module.redis.aws_security_group_rule.egress[0]' \
  'module.redis.module.security_group.aws_security_group_rule.default["egress--1-0-65535-someguid"]'
terraform state mv \
  'module.redis.aws_security_group_rule.ingress_security_groups[0]' \
  'module.redis.module.security_group.aws_security_group_rule.default["ingress-tcp-6379-6379-someguid"]'
terraform state mv \
  'module.redis.aws_security_group_rule.ingress_cidr_blocks[0]' \
  'module.redis.module.security_group.aws_security_group_rule.default["ingress-tcp-6379-6379-someguid"]'
feat: use security-group module instead of resource @SweetOps (#119)

what

  • use security-group module instead of resource
  • update tests

why

  • more flexible than current implementation
  • bring configuration of security group/rules to one standard

references

  • CPCO-409
Assets 2
Loading