feat: Create group optionally (#218)

antonbabenko · web-flow · commit ac988ca2ee1f · 2021-05-27T17:19:22.000+02:00
diff --git a/README.md b/README.md
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -35,6 +35,7 @@ No requirements.
 | <a name="module_fixed_name_sg"></a> [fixed\_name\_sg](#module\_fixed\_name\_sg) | ../../ |  |
 | <a name="module_ipv4_ipv6_example"></a> [ipv4\_ipv6\_example](#module\_ipv4\_ipv6\_example) | ../../ |  |
 | <a name="module_main_sg"></a> [main\_sg](#module\_main\_sg) | ../../ |  |
+| <a name="module_only_rules"></a> [only\_rules](#module\_only\_rules) | ../../ |  |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws |  |
 
 ## Resources
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -380,3 +380,20 @@ module "fixed_name_sg" {
   ingress_rules       = ["https-443-tcp"]
 }
 
+############################
+# Only security group rules
+############################
+module "only_rules" {
+  source = "../../"
+
+  create_sg         = false
+  security_group_id = module.complete_sg.security_group_id
+  ingress_with_source_security_group_id = [
+    {
+      description              = "http from service one"
+      rule                     = "http-80-tcp"
+      source_security_group_id = data.aws_security_group.default.id
+    },
+  ]
+}
+
diff --git a/examples/rules-only/README.md b/examples/rules-only/README.md
@@ -0,0 +1,56 @@
+# Create rules only
+
+Configuration in this directory creates two security groups using native Terraform resources, and then uses the module to add rules.
+
+Data sources are used to discover existing VPC resources (VPC and default security group).
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_rules_one"></a> [rules\_one](#module\_rules\_one) | ../../ |  |
+| <a name="module_rules_two"></a> [rules\_two](#module\_rules\_two) | ../../ |  |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.service_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.service_two](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
+| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_service_one_security_group_id"></a> [service\_one\_security\_group\_id](#output\_service\_one\_security\_group\_id) | The ID of the security group for service one |
+| <a name="output_service_two_security_group_id"></a> [service\_two\_security\_group\_id](#output\_service\_two\_security\_group\_id) | The ID of the security group for service two |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/rules-only/main.tf b/examples/rules-only/main.tf
@@ -0,0 +1,62 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+#############################################################
+# Data sources to get VPC and default security group details
+#############################################################
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = data.aws_vpc.default.id
+}
+
+########################################################
+# Create SGs
+########################################################
+
+resource "aws_security_group" "service_one" {
+  name        = "service_one"
+  description = "Allow access from service two"
+}
+
+resource "aws_security_group" "service_two" {
+  name        = "service_two"
+  description = "Allow access from service one"
+}
+
+########################################################
+# Add SG rules
+########################################################
+
+module "rules_one" {
+  source = "../../"
+
+  create_sg         = false
+  security_group_id = aws_security_group.service_one.id
+  ingress_with_source_security_group_id = [
+    {
+      description              = "http from service two"
+      rule                     = "http-80-tcp"
+      source_security_group_id = aws_security_group.service_two.id
+    },
+  ]
+}
+
+module "rules_two" {
+  source = "../../"
+
+  create_sg         = false
+  security_group_id = aws_security_group.service_two.id
+  ingress_with_source_security_group_id = [
+    {
+      description              = "http from service one"
+      rule                     = "http-80-tcp"
+      source_security_group_id = aws_security_group.service_one.id
+    },
+  ]
+}
+
diff --git a/examples/rules-only/outputs.tf b/examples/rules-only/outputs.tf
@@ -0,0 +1,9 @@
+output "service_one_security_group_id" {
+  description = "The ID of the security group for service one"
+  value       = aws_security_group.service_one.id
+}
+
+output "service_two_security_group_id" {
+  description = "The ID of the security group for service two"
+  value       = aws_security_group.service_two.id
+}
diff --git a/main.tf b/main.tf
@@ -2,18 +2,14 @@
 # Get ID of created Security Group
 ##################################
 locals {
-  this_sg_id = concat(
-    aws_security_group.this.*.id,
-    aws_security_group.this_name_prefix.*.id,
-    [""],
-  )[0]
+  this_sg_id = var.create_sg ? concat(aws_security_group.this.*.id, aws_security_group.this_name_prefix.*.id, [""])[0] : var.security_group_id
 }
 
 ##########################
 # Security group with name
 ##########################
 resource "aws_security_group" "this" {
-  count = var.create && false == var.use_name_prefix ? 1 : 0
+  count = var.create && var.create_sg && !var.use_name_prefix ? 1 : 0
 
   name                   = var.name
   description            = var.description
@@ -32,7 +28,7 @@ resource "aws_security_group" "this" {
 # Security group with name_prefix
 #################################
 resource "aws_security_group" "this_name_prefix" {
-  count = var.create && var.use_name_prefix ? 1 : 0
+  count = var.create && var.create_sg && var.use_name_prefix ? 1 : 0
 
   name_prefix            = "${var.name}-"
   description            = var.description
diff --git a/variables.tf b/variables.tf
@@ -7,14 +7,28 @@ variable "create" {
   default     = true
 }
 
+variable "create_sg" {
+  description = "Whether to create security group"
+  type        = bool
+  default     = true
+}
+
+variable "security_group_id" {
+  description = "ID of existing security group whose rules we will manage"
+  type        = string
+  default     = null
+}
+
 variable "vpc_id" {
   description = "ID of the VPC where to create security group"
   type        = string
+  default     = null
 }
 
 variable "name" {
-  description = "Name of security group"
+  description = "Name of security group - not required if create_group is false"
   type        = string
+  default     = null
 }
 
 variable "use_name_prefix" {
