search

terraform-aws-modules / terraform-aws-atlantis

Terraform module to deploy Atlantis on AWS Fargate πŸ‡ΊπŸ‡¦
https://registry.terraform.io/modules/terraform-aws-modules/atlantis/aws
Apache License 2.0
520 stars 351 forks source link

Allow custom ALB Security Group rules #378

Closed igorjanevski closed 11 months ago

igorjanevski commented 11 months ago

Currently the module creates ALB with a security group that's opened towards the world.

Would be nice to be able to provide custom rules or even our own SG so we can restrict that access.

At the moment you only allow this if we choose to not create ALB:

create_alb = false

We'd still like to handle the ALB through the module, just have a custom SG.

bryantbiggs commented 11 months ago

this is already supported today - we provide default values but users should specify their required security_group_ingress_rules to suite their needs. You can also provide your own security groups via security_groups

igorjanevski commented 11 months ago

I don't think you provide those options. You maybe do on the ALB module but not on the Atlantis module. Check your variables.tf file and see for yourself.

If I add them, terraform validate doesn't pass:

igor.janevski@l-igojan-0q05n preprod % tfvalid 
β•·
β”‚ Error: Unsupported argument
β”‚ 
β”‚   on shared/atlantis.tf line 60, in module "atlantis":
β”‚   60:   security_groups         = ""
β”‚ 
β”‚ An argument named "security_groups" is not expected here.
β•΅
igor.janevski@l-igojan-0q05n preprod % tfvalid
β•·
β”‚ Error: Unsupported argument
β”‚ 
β”‚   on shared/atlantis.tf line 60, in module "atlantis":
β”‚   60:   security_group_ingress_rules         = ""
β”‚ 
β”‚ An argument named "security_group_ingress_rules" is not expected here.
β•΅
igor.janevski@l-igojan-0q05n preprod %
bryantbiggs commented 11 months ago

You haven't provided much, if any, information - this is what I went off of Currently the module creates ALB with a security group that's opened towards the world.

What I showed above is that we do support both setting custom security group rules, custom security groups, and replacing the default rules provided by the module. If you would like any further assistance, please provide a reproduction so we can properly triage and troubleshoot

igorjanevski commented 11 months ago

If I use this module for Atlantis, I'd probably provide a configuration like the one below:

module "atlantis" {
  source  = "terraform-aws-modules/atlantis/aws"

  name = "atlantis"

  # ECS Container Definition
  atlantis = {
    environment = [
      {
        name  = "ATLANTIS_GH_USER"
        value = "myuser"
      },
      {
        name  = "ATLANTIS_REPO_ALLOWLIST"
        value = "github.com/terraform-aws-modules/*"
      },
    ]
    secrets = [
      {
        name      = "ATLANTIS_GH_TOKEN"
        valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes256-7g8H9i"
      },
      {
        name      = "ATLANTIS_GH_WEBHOOK_SECRET"
        valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes192-4D5e6F"
      },
    ]
  }

  # ECS Service
  service = {
    task_exec_secret_arns = [
      "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes256-7g8H9i",
      "arn:aws:secretsmanager:eu-west-1:111122223333:secret:aes192-4D5e6F",
    ]
    # Provide Atlantis permission necessary to create/destroy resources
    tasks_iam_role_policies = {
      AdministratorAccess = "arn:aws:iam::aws:policy/AdministratorAccess"
    }
  }
  service_subnets = ["subnet-xyzde987", "subnet-slkjf456", "subnet-qeiru789"]
  vpc_id          = "vpc-1234556abcdef"

  # ALB
  alb_subnets             = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  certificate_domain_name = "example.com"
  route53_zone_id         = "Z2ES7B9AZ6SHAE"

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

This code would create the ALB along with the Security Group for the ALB, not allowing an option to provide security group rules. Right?

From your documentation, the only scenario where I can provide a custom Security Group is by using the following block:

  create_alb            = false
  alb_target_group_arn  = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:targetgroup/bluegreentarget1/209a844cd01825a4"
  alb_security_group_id = "sg-12345678"

which would also mean that the module will not create the ALB.

My question is, is there a scenario where the module will create the ALB and also allow me to provide the Security Group or Security Group rules for the same?

bryantbiggs commented 11 months ago

and as I have stated, yes:

module "atlantis" {
  source = "terraform-aws-modules/atlantis/aws"

  ...

  alb = {
    security_groups = {
      example = "sg-1234567890"
    }
    security_group_ingress_rules = {
      http = {
        from_port   = 1234
        to_port     = 1234
        ip_protocol = "tcp"
        cidr_ipv4   = "10.0.0.0/24"
      }
    }
    security_group_egress_rules = {
      all = {
        ip_protocol = "-1"
        cidr_ipv4   = "10.0.0.0/16"
      }
    }
  }
}
igorjanevski commented 11 months ago

Got it, thx.

github-actions[bot] commented 10 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.