Closed renovate[bot] closed 8 months ago
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
β Warning: custom changes will be lost.
/terratest
Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x
releases. But if you manually upgrade to 2.x
then Renovate will re-enable minor
and patch
updates automatically.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
0.3.3
->2.2.0
Release Notes
cloudposse/terraform-aws-security-group (cloudposse/security-group/aws)
### [`v2.2.0`](https://togithub.com/cloudposse/terraform-aws-security-group/releases/tag/2.2.0) [Compare Source](https://togithub.com/cloudposse/terraform-aws-security-group/compare/2.1.0...2.2.0)`.editorconfig` Typo @milldr (#50)
##### what fixed intent typo ##### why should be spelled "indent" ##### references https://cloudposse.slack.com/archives/C01EY65H1PA/p1685638634845009Sync github @max-lobur (#47)
Rebuild github dir from the templateProperly handle enabled = false @Nuru (#45)
#### what * Properly handle `enabled = false` #### why * Fixes #43Document migration from v1 to v2 @Nuru (#42)
#### what - Document migration from v1 to v2 of this module - Fix [#40](https://togithub.com/cloudposse/terraform-aws-security-group/issues/40) #### why - Serious issues exist in v1, causing v2 to have different defaults and new settings. Documentation is needed to guide users on how to upgrade while minimizing service interruptions. #### references - Closes [#40](https://togithub.com/cloudposse/terraform-aws-security-group/issues/40)Fixes the link for examples/complete/main.tf @jdmedeiros (#41)
Fixes the link for examples/complete/main.tf on the README.md file.Handle `self = false`, add warning about `compact` and `sort` @Nuru (#33)
#### what - Handle `self = false` - Add warning about `compact` and `sort` #### why - Setting `self = false` in a rule (meaning the rule does not apply to the security group it is being associated with) was causing an empty rule to be created and/or causing conflicts with other rule elements. Now it works like `self = null` works. - Explain some causes of the dreaded "Invalid for_each argument" error and what to do to fix it. #### references - [https://github.com/hashicorp/terraform/issues/31035](https://togithub.com/hashicorp/terraform/issues/31035) - [https://github.com/hashicorp/terraform/issues/30937#issuecomment-1123089348](https://togithub.com/hashicorp/terraform/issues/30937#issuecomment-1123089348)git.io->cloudposse.tools update and test framework update @dylanbannon (#32)
#### what and why Change all references to `git.io/build-harness` into `cloudposse.tools/build-harness`, since `git.io` redirects will stop working on April 29th, 2022. #### References - DEV-143Rename the exported `security-group-inputs` file to `security-group-variables` @aknysh (#31)
#### what * Rename the exported `security-group-inputs.tf` file to `security-group-variables.tf` #### why * Standardize on file names with variables for specific resources. For example, we have `spotinst-variables.tf` for Spot, `security-group-variables.tf` for SG, etc.Update recommended inputs and outputs @Nuru (#26)
#### what - Update recommended inputs and outputs #### why - Changes based on experience implementing several modulesRename the exported `security_group_inputs.tf` file to `security-group-inputs.tf` @aknysh (#30)
#### what * Rename the exported `security_group_inputs.tf` file to `security-group-inputs.tf` * Update GitHub workflows and LICENSE #### why * Our naming convention is to use `kebab-case` for all files. Having a file in `snake_case` (after adding it to a repo) together with all the other files in `kebab-case` in the same repo does not look correct * Keep up to dateCorrectly extract security group name for tags @Nuru (#25)
#### what - Correctly extract security group name from `var.security_group_name` list when setting tags #### why - Type mismatch error otherwiseFix bad markup (unclosed `details` block) in README.yaml @Nuru (#24)
#### what - Fix bad markup (unclosed `details` block) in README.yaml #### why - Incorrectly hides most of READMEOverhaul Module to New Standards @Nuru (#17) (click to see details)
#### what - Input `use_name_prefix` replaced with `create_before_destroy`. Previously, `create_before_destroy` was always set to `true` but of course that fails if you are not using a name prefix, because the names must be unique. Now the name is automatically a prefix if `create_before_destroy` is `true` and not if it is not. - Input `security_group_enabled` renamed to `create_security_group`. Whether the security group is created or not, it will be enabled, and setting `security_group_enabled` to false does not disable the entire module, even though the module is named "security-group", which makes the old name terribly confusing. The new name is more descriptive. - Input `id` renamed to `target_security_group_id`. Again `id` by itself is too vague. Converted to list to conform to new standard pattern that optional inputs which are used in conditionals are passed as list elements. See [Hashicorp recommendation](https://togithub.com/hashicorp/terraform/issues/26755#issuecomment-719103775) - Added a `security_group_name` input, which, if set, will set the security group name. If not set, name will be derived from `null-label`. Because the security group name must be unique within an account, we should provide some way for people to set/override it other than forcing them to create a customized `null-label`. - As a convenience, added `rule_matrix` . Many of our modules allow users to simply give a list of security groups to allow access to the new resource, typically called `allowed_security_groups`. This variable allows for easy migration by closely paralleling the existing resource creation code. It allows any number of rules to be applied to any combined list of security groups and CIDRs. See [example](https://togithub.com/cloudposse/terraform-aws-security-group/blob/9cfe55a4572eaff6a89eefa760628e684665dda2/examples/complete/main.tf#L21-L43). - As a convenience, added `allow_all_egress`. AWS by default allows full egress to newly created security groups. Terraform removes this when taking over a security group, but our modules frequently want to restore it. Historically, though, the modules have implemented this slightly differently, and few or none have allowed IPv6 egress. Adding this boolean gives us a way to enable it simply and consistently (as opposed to every module writing its own egress rule). - Abandoned the attempt to create stable keys for `rules` to use in `for_each`. Existing generated keys were not guaranteed unique, and keys that were generated and guaranteed to be unique would not be known at plan time and thus could not be used. Instead, provide option for user to provide stable keys and, if not provided, generate keys knowing they might not be stable. #### why * This module is the foundation for how we'll handle security groups across all of our modules and we need to ensure greater consistency from the onset #### naming conventions We want to migrate to a consistent set of name across modules. However, it is also quite painful to be forced to rename, so where possible I would like to maintain existing names but mark them deprecated and feed them into the new names in `main.tf locals{}`. We have also already seen issues with the most recent set of name changes. Therefore I propose these names with these meanings: ##### associated_security_group_ids `associated_security_group_ids` is a list of IDs of Security Group that are "associated" (AWS' term) with the resource being created. In other words, the new resource is placed in or becomes a member of the Security Groups identified by the ID. Most often our modules got this information as `existing_security_groups` and a boolean `use_existing_security_groups`, and the recent change was to call this input simply `security_groups`. However, there is no consistency in naming in the AWS provider (redshift_cluster calls it `cluster_security_groups`, elasticache_replication_group calls it `security_group_ids`, ec2\_instance calls it just `security_groups` but accepts legacy security group names as well as IDs) and in our modules we typically have several lists of security groups (see below), so just calling this `security_groups` is very confusing. Using "associated" makes it clear the purpose, and suffixing with "ids" makes it clear the type. Since AWS in inconsistent and variously uses ARNs, IDs, and Names to identify resources, I think including the type is very helpful. ##### allowed_security_group_ids `allowed_security_group_ids` are security groups that are allowed ingress to the resource being created. Typically rules allowing this are added to the single created security group, as it should be unnecessary for an existing security group, but where desired, these rules can be added to the first in the list of "associated" security groups ##### allow_all_egress AWS by default creates security groups that allow no ingress but allow all egress. When Terraform starts managing rules for the security group, it removes this default egress rule. Modules should include an `allow_all_egress` boolean to restore that rule when `true`. ##### security_group_description Our modules have evolved over time (at community request) to provide more useful descriptions of Security Groups. Unfortunately, Terraform cannot change the description of an existing security group; instead it must replace the SG with a new one with the new description. For this reason, changes to the description field, while beneficial for new users, can be too disruptive on existing infrastructure to be worth it. In order to provide users with control over the description and thus mitigate the impact of changes, all modules that create security groups should include a `security_group_description` input which, if set, overrides any other kind of generated or default description. ##### Instance Metadata Services Although not actually part of the Security Group module, since we are covering consistent naming of inputs, we document here that we are using the following inputs and defaults to configure the AWS Instance Metadata Service. Note that our inputs do not exactly match the Terraform resource inputs because we have chosen to use boolean inputs rather than string inputs to toggle features. Our standard `metadata_options` block looks like this metadata_options { http_endpoint = (var.metadata_http_endpoint_enabled) ? "enabled" : "disabled" http_put_response_hop_limit = var.metadata_http_put_response_hop_limit http_tokens = (var.metadata_http_tokens_required) ? "required" : "optional" } and defaults are metadata_http_endpoint_enabled = true metadata_http_put_response_hop_limit = 2 metadata_http_tokens_required = true We picked these defaults so that we default to best security practices with a concession (hop limit 2 instead of 1) to running containerized services. However, `metadata_http_tokens_required = true` may break some existing applications and is a breaking change, so when implemented, it should be noted in the release notes, along with how to preserve the previous settings. #### Optional Inputs This module is among the first to implement the new Cloud Posse standard for optional inputs in Terraform. Because of issues like [this](https://togithub.com/cloudposse/terraform-aws-eks-node-group/issues/67) (just one of many, many examples) we are going to follow [Hashicorp's advice](https://togithub.com/hashicorp/terraform/issues/26755#issuecomment-719103775) and prohibit the conditional creation of resources based on values of inputs. If you want to condition the creation of a resource (e.g. `count = xxx ? 1 : 0`) based on whether the input is supplied or not, the way we are going to do it is to make the optional input a list. A supplied value will be in a list with 1 element. An omitted value will use the default list of 0 elements. It will remain standard practice to depend on the *value* of `enabled`, but otherwise we should avoid conditional creation of resources based on input values. Unfortunately, this also means we cannot use `for_each` when the values might be generated during apply. This appears to be a consequence of the fact that `for_each` requires a `set` and the cardinality of the set depends on the values generated (adding 2 of the same value to a set only increases the size of the set by 1). So we can only use `for_each` when we can guarantee the user is hard coding the values so they are all known an plan time. Otherwise use `count`. #### references Issues with Terraform management of Security Group Rules: drift detection, cyclical dependencies, and competing for control: a [post from a Hashicorp engineer](https://togithub.com/hashicorp/terraform-provider-aws/pull/9032#issuecomment-639545250) Bug in Terraform AWS provider requires multiple `apply` cycles to update `aws_elasticache_replication_group` security groups: - [https://github.com/hashicorp/terraform-provider-aws/issues/20139](https://togithub.com/hashicorp/terraform-provider-aws/issues/20139) - [https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/121](https://togithub.com/cloudposse/terraform-aws-elasticache-redis/issues/121) Some problems with the previous version: - [https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/122](https://togithub.com/cloudposse/terraform-aws-elasticache-redis/issues/122) - [https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/123](https://togithub.com/cloudposse/terraform-aws-elasticache-redis/issues/123) - [https://github.com/cloudposse/terraform-aws-elasticache-redis/pull/119#issuecomment-866221257](https://togithub.com/cloudposse/terraform-aws-elasticache-redis/pull/119#issuecomment-866221257) - [https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/123](https://togithub.com/cloudposse/terraform-aws-elasticache-redis/issues/123)Configuration
π Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.