Upgrade to new Security Group standards (use security_group_inputs.tf export).

Author: korenyoni

README.yaml

@@ -90,11 +90,11 @@ usage: |-
     kafka_version          = "2.4.1"
     number_of_broker_nodes = 2 # this has to be a multiple of the # of subnet_ids
     broker_instance_type   = "kafka.m5.large"
-    
+
     # security groups to put on the cluster itself
-    broker_node_security_groups = ["sg-XXXXXXXXX", "sg-YYYYYYYY"]
+    associated_security_group_ids = ["sg-XXXXXXXXX", "sg-YYYYYYYY"]
     # security groups to give access to the cluster
-    security_groups             = ["sg-XXXXXXXXX", "sg-YYYYYYYY"]
+    associated_security_group_ids = ["sg-XXXXXXXXX", "sg-YYYYYYYY"]
   }
   ```
 

main.tf

@@ -66,11 +66,18 @@ module "broker_security_group" {
 
   attributes = ["broker"]
 
-  security_group_description = "Allow inbound MSK-related traffic from Security Groups and CIDRs. Allow all outbound traffic"
+  enabled                       = local.enabled && var.create_security_group
+  security_group_name           = var.security_group_name
+  create_before_destroy         = var.security_group_create_before_destroy
+  security_group_create_timeout = var.security_group_create_timeout
+  security_group_delete_timeout = var.security_group_delete_timeout
+
+  security_group_description = coalesce(var.security_group_description, "Allow inbound MSK-related traffic from Security Groups and CIDRs. Allow all outbound traffic")
   allow_all_egress           = true
+  rules                      = var.additional_security_group_rules
   rule_matrix = [
     {
-      source_security_group_ids = var.security_groups
+      source_security_group_ids = local.allowed_security_group_ids
       cidr_blocks               = var.allowed_cidr_blocks
       rules = [
         for protocol_key, protocol in local.protocols : {
@@ -110,7 +117,7 @@ resource "aws_msk_cluster" "default" {
     instance_type   = var.broker_instance_type
     ebs_volume_size = var.broker_volume_size
     client_subnets  = var.subnet_ids
-    security_groups = concat(var.broker_node_security_groups, [module.broker_security_group.id])
+    security_groups = concat(var.associated_security_group_ids, [module.broker_security_group.id])
   }
 
   configuration_info {

security_group_inputs.tf

@@ -0,0 +1,106 @@
+# security_group_inputs Version: 1
+#
+# Copy this file from https://github.com/cloudposse/terraform-aws-security-group/blob/master/exports/security_group_inputs.tf
+# and EDIT IT TO SUIT YOUR PROJECT. Update the version number above if you update this file from a later version.
+#
+# KEEP this top comment block, but REMOVE COMMENTS below that are intended
+# for the initial implementor and not maintainers or end users.
+#
+# This file provides the standard inputs that all Cloud Posse Open Source
+# Terraform module that create AWS Security Groups should implement.
+# This file does NOT provide implementation of the inputs, as that
+# of course varies with each module.
+#
+# This file documents, but does not declare, the standard outputs modules should create,
+# again because the implementation will vary with modules.
+#
+# Unlike null-label context.tf, this file cannot be automatically updated
+# because of the tight integration with the module using it.
+#
+
+
+variable "create_security_group" {
+  type        = bool
+  default     = true
+  description = "Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided."
+}
+
+variable "associated_security_group_ids" {
+  type        = list(string)
+  default     = []
+  description = <<-EOT
+    A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
+    These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access.
+    EOT
+}
+
+variable "allowed_security_group_ids" {
+  type        = list(string)
+  default     = []
+  description = <<-EOT
+    A list of IDs of Security Groups to allow access to the security group created by this module.
+    EOT
+}
+
+locals {
+  allowed_security_group_ids = concat(var.security_groups, var.allowed_security_group_ids)
+}
+
+variable "security_group_name" {
+  type        = list(string)
+  default     = []
+  description = <<-EOT
+    The name to assign to the created security group. Must be unique within the VPC.
+    If not provided, will be derived from the `null-label.context` passed in.
+    If `create_before_destroy` is true, will be used as a name prefix.
+    EOT
+}
+
+variable "security_group_description" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    The description to assign to the created Security Group.
+    Warning: Changing the description causes the security group to be replaced.
+    EOT
+}
+
+variable "security_group_create_before_destroy" {
+  type = bool
+
+  default     = false
+  description = <<-EOT
+    Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
+    We recommend setting this `true` on new security groups, but default it to `false` because `true`
+    will cause existing security groups to be replaced, possibly requiring the cluster to be deleted and recreated.
+    Note that changing this value will always cause the security group to be replaced.
+    EOT
+}
+
+variable "security_group_create_timeout" {
+  type        = string
+  default     = "10m"
+  description = "How long to wait for the security group to be created."
+}
+
+variable "security_group_delete_timeout" {
+  type        = string
+  default     = "15m"
+  description = <<-EOT
+    How long to retry on `DependencyViolation` errors during security group deletion from
+    lingering ENIs left by certain AWS services such as Elastic Load Balancing.
+    EOT
+}
+
+variable "additional_security_group_rules" {
+  type        = list(any)
+  default     = []
+  description = <<-EOT
+    A list of Security Group rule objects to add to the created security group, in addition to the ones
+    this module normally creates. (To suppress the module's rules, set `create_security_group` to false
+    and supply your own security group via `associated_security_group_ids`.)
+    The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
+    for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
+    To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .
+    EOT
+}

test/src/examples_complete_test.go

@@ -34,5 +34,5 @@ func TestExamplesComplete(t *testing.T) {
 	outputSecurityGroupName := terraform.Output(t, terraformOptions, "security_group_name")
 
 	// Verify we're getting back the outputs we expect
-	assert.Regexp(t, "^eg-ue2-test-msk-test-[0-9a-fA-F]+$", outputSecurityGroupName)
+	assert.Regexp(t, "^eg-ue2-test-msk-test-[0-9a-fA-F]+broker$", outputSecurityGroupName)
 }

variables-deprecated.tf

@@ -0,0 +1,8 @@
+variable "security_groups" {
+  type        = list(string)
+  default     = []
+  description = <<-EOT
+  DEPRECATED: Use `allowed_security_group_ids` instead.
+  List of security group IDs to be allowed to connect to the cluster
+  EOT
+}

variables.tf

@@ -35,18 +35,9 @@ variable "zone_id" {
   default     = null
 }
 
-variable "security_groups" {
-  type        = list(string)
-  default     = []
-  description = "List of security group IDs to be allowed to connect to the cluster"
-}
-
-variable "broker_node_security_groups" {
-  type        = list(string)
-  default     = []
-  description = "List of broker node security group IDs to be associated with the elastic network interfaces to control who can communicate with the cluster"
-}
-
+# Intentionally not deprecated via security_group_inputs.tf since it cannot effectively be replaced via var.additional_security_group_rules.
+# This is because the logic to create these rules exists within this module, and should not be passed in by the consumer
+# of this module.
 variable "allowed_cidr_blocks" {
   type        = list(string)
   default     = []

versions.tf

@@ -6,9 +6,5 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 3.0"
     }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 2.2"
-    }
   }
 }