cloudposse / terraform-aws-security-group

Terraform module to provision an AWS Security Group
https://cloudposse.com/accelerate
Apache License 2.0

`sync_rules_and_sg_lifecycles` doesn't take into account module `enabled = false` #43

Closed syphernl closed 1 year ago

syphernl commented 1 year ago

Describe the Bug

We have a SG which only needs to be created in specific environments. For this we use enabled = <condition>. However, it seems that one resource is not looking at the enabled as it wants to create a null_resource even with enabled = false.

  # module.vpn_sg_azure.null_resource.sync_rules_and_sg_lifecycles[0] will be created
  + resource "null_resource" "sync_rules_and_sg_lifecycles" {
      + id       = (known after apply)
      + triggers = {
          + "sg_ids" = null
        }
    }

Not a big problem as this is a null_resource and doesn't create anything in the AWS environment, but since the module is disabled for this environment it should not create this.

Expected Behavior

This module should not be creating any resources if enabled = false.

Steps to Reproduce

Based off the example:

module "sg" {
  source = "cloudposse/security-group/aws"
  version = "2.0.0"

  # Security Group names must be unique within a VPC.
  # This module follows Cloud Posse naming conventions and generates the name
  # based on the inputs to the null-label module, which means you cannot
  # reuse the label as-is for more than one security group in the VPC.
  #
  # Here we add an attribute to give the security group a unique name.
  attributes = ["primary"]

  # Allow unlimited egress
  allow_all_egress = true

  rules = [
    {
      key         = "ssh"
      type        = "ingress"
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      self        = null  # preferable to self = false
      description = "Allow SSH from anywhere"
    },
    {
      key         = "HTTP"
      type        = "ingress"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = []
      self        = true
      description = "Allow HTTP from inside the security group"
    }
  ]

  vpc_id  = module.vpc.vpc_id

  # Disable this module
  enabled = false

  context = module.label.context
}
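
The expected behaviour stated above ("no resources if `enabled = false`") can be turned into a check that runs in CI against the plan. The script below is an added example and is not code from this issue or from the cloudposse module; it reads the JSON that `terraform show -json <planfile>` emits (the `resource_changes` list, each entry carrying `module_address` and `change.actions`) and fails when a module that is supposed to be disabled still plans any non-no-op change. The embedded plan document is constructed to mirror the excerpt in the report (the stray `null_resource` under `module.vpn_sg_azure`) next to an enabled sibling module; it is not captured Terraform output.

```python
"""Fail when a Terraform module that should be disabled still plans changes.

Usage against a real plan (added example, not part of the cloudposse module):
    terraform plan -out=tfplan
    terraform show -json tfplan > plan.json
    python check_disabled_modules.py plan.json module.vpn_sg_azure
"""
import json
import sys

# Constructed sample in the shape of `terraform show -json` output. The first
# entry mirrors the stray null_resource from the bug report; the rest are
# invented neighbours used to exercise the matching logic.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": "module.vpn_sg_azure.null_resource.sync_rules_and_sg_lifecycles[0]",
            "module_address": "module.vpn_sg_azure",
            "mode": "managed",
            "type": "null_resource",
            "name": "sync_rules_and_sg_lifecycles",
            "index": 0,
            "change": {"actions": ["create"], "before": None,
                       "after": {"triggers": {"sg_ids": None}}},
        },
        {   # enabled sibling module: planning a create here is fine
            "address": "module.app_sg.aws_security_group.default[0]",
            "module_address": "module.app_sg",
            "mode": "managed",
            "type": "aws_security_group",
            "name": "default",
            "index": 0,
            "change": {"actions": ["create"], "before": None,
                       "after": {"name": "app-primary"}},
        },
        {   # no-op entries must be ignored even under a disabled module
            "address": "module.vpn_sg_azure_v2.aws_security_group.default[0]",
            "module_address": "module.vpn_sg_azure_v2",
            "mode": "managed",
            "type": "aws_security_group",
            "name": "default",
            "index": 0,
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
})


def in_module(resource_module_address, module_address):
    """True if the resource lives in module_address or in one of its child
    modules. Matching is on address boundaries, so "module.a" does not
    accidentally cover "module.ab"."""
    return (resource_module_address == module_address
            or resource_module_address.startswith(module_address + ".module."))


def planned_changes_in_module(plan, module_address):
    """Return (address, actions) for every change under module_address that
    is not a no-op. Data-source reads count too: a disabled module should
    plan nothing at all."""
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if actions in ([], ["no-op"]):
            continue
        if in_module(rc.get("module_address", ""), module_address):
            hits.append((rc["address"], actions))
    return hits


def check_disabled_modules(plan_json, disabled_modules):
    """Map each supposedly disabled module to the changes it still plans.
    An empty dict means the plan honours `enabled = false` everywhere."""
    plan = json.loads(plan_json)
    violations = {}
    for mod in disabled_modules:
        hits = planned_changes_in_module(plan, mod)
        if hits:
            violations[mod] = hits
    return violations


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} plan.json module.address [module.address ...]")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        plan_json = fh.read()
    violations = check_disabled_modules(plan_json, argv[2:])
    for mod, hits in violations.items():
        print(f"{mod} is disabled but still plans {len(hits)} change(s):")
        for address, actions in hits:
            print(f"  {'/'.join(actions):<8} {address}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after `terraform plan` with the addresses of every module instance that is expected to be disabled for the environment; a non-zero exit blocks the pipeline even for harmless leftovers like the `null_resource` above, which is the point: the invariant is "nothing planned", not "nothing planned in AWS".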

karaluh commented 1 year ago

Same thing happens to me too.