cloudposse / terraform-aws-security-group

Terraform module to provision an AWS Security Group
https://cloudposse.com/accelerate
Apache License 2.0

exports: Expose security group rule description #29

Closed nitrocode closed 2 years ago

nitrocode commented 2 years ago


Describe the Feature

This is more of a feature for exports than for the sg module itself

For security groups in cloudposse/modules, the var.allowed_cidr_blocks is exposed to add a rule per cidr block. This works well but when viewing this in the AWS console, the unexposed sg rule description is repeated.

e.g.

https://github.com/cloudposse/terraform-aws-msk-apache-kafka-cluster/blob/3fe23c402cc420799ae721186812482335f78d24/main.tf#L74-L77

It would be nice to have a unique description per security rule (per cidr block).

Perhaps with an interface like this?

  rule_matrix = [
    {
      source_security_group_ids = local.allowed_security_group_ids
      cidr_blocks               = var.allowed_cidr_blocks
      rules = [
        for protocol_key, protocol in local.protocols : {
          # description = format("Allow inbound traffic %s", var.description_suffix)
          description = var.security_group_rule_description_template
          # remaining rule attributes (type, protocol, ports) omitted in the original snippet
        }
      ]
    }
  ]

where security_group_rule_description_template is a string or list(string)

allowed_cidr_blocks = [ "10.72.0.0/18", "10.74.0.0/18" ]

security_group_rule_description_template = "Allow inbound traffic from auto, corp"

Resulting in a plan

  # module.msk_cluster.module.broker_security_group.aws_security_group_rule.keyed["_m[0]#zookeeper_tls#cidr"] will be created
  + resource "aws_security_group_rule" "keyed" {
      + cidr_blocks              = [
          + "10.72.0.0/18",
          + "10.74.0.0/18",
        ]
      + description              = "Allow inbound traffic from auto, corp"
      + from_port                = 2182
      + id                       = (known after apply)
      + prefix_list_ids          = []
      + protocol                 = "tcp"
      + security_group_id        = "sg-snip"
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 2182
      + type                     = "ingress"
    }


Nuru commented 2 years ago

Closing because this module allows a description per rule, so there is nothing to do.
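The issue asks for a unique description per CIDR block, and the reply points out that the module already supports a description per rule. The following root-module configuration is an added example, not code from the issue or from the cloudposse module: it builds one rule per (network, port) pair so each `aws_security_group_rule` gets its own description in the console. It assumes the `cloudposse/security-group/aws` module's `rules` variable accepts objects with the fields used below; the CIDR blocks, network names, port map and `vpc_id` are constructed placeholders.

```hcl
# Added example (not from the issue thread or the cloudposse module itself).
# Assumes the module's `rules` variable accepts one object per rule with the
# fields used here; network names, CIDRs, ports and vpc_id are placeholders.

locals {
  # Name each source network so the description can say where traffic comes from.
  allowed_networks = {
    auto = "10.72.0.0/18"
    corp = "10.74.0.0/18"
  }

  # Ports to expose; one entry per listener.
  ports = {
    zookeeper_tls = 2182
  }

  # Cartesian product of networks x ports: one rule per pair, each with a
  # stable key (avoids rule churn on reorder) and a unique description.
  ingress_rules = flatten([
    for net_name, cidr in local.allowed_networks : [
      for port_name, port in local.ports : {
        key         = "${port_name}-${net_name}"
        type        = "ingress"
        protocol    = "tcp"
        from_port   = port
        to_port     = port
        cidr_blocks = [cidr]
        description = "Allow inbound ${port_name} from ${net_name} (${cidr})"
      }
    ]
  ])
}

module "broker_security_group" {
  source = "cloudposse/security-group/aws"
  # version = "x.y.z"  # pin to the release actually in use

  name   = "broker"
  vpc_id = "vpc-PLACEHOLDER"

  rules = local.ingress_rules
}

# Handy for reviewing what will land in the console before applying.
output "rule_descriptions" {
  value = { for r in local.ingress_rules : r.key => r.description }
}
```

Compared with passing the whole `allowed_cidr_blocks` list to a single `rule_matrix` entry, this trades one rule holding several CIDRs for several single-CIDR rules. The benefit for review and auditing is that each rule's description states exactly which network it admits, so a reviewer in the console can tell the two 10.7x.0.0/18 entries apart without consulting the Terraform source.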