Handle multiple security groups and security group rules across regions #20
Comments
I think it's OK. We can enhance the module for this. We can use type list for "security_group_rule", like:
|
Is type list better, or would a command be cleaner? |
The "command" is better, but I don't know it. Do you mean Terraform has a way to define a data-driven variable? |
Now I think about it — it’s not possible to do it as a module. That would have to be a custom resource to accept such syntax. Your approach is good enough indeed; let’s do it. Thanks! |
@phuonghuynh any updates so far? Thanks! |
I'm still working on it; the syntax might be different. Terraform does not support dynamically creating modules using "count" as it does for resources. Also, I don't know how to get the provider attribute to generate the ARN for the Lambda permission, so I keep "aws_account_id" & "aws_region" for now. |
Got it. Provider attribute account arn can be retrieved via https://www.terraform.io/docs/providers/aws/d/caller_identity.html which already includes account ID and region code. |
Hi @phuonghuynh , any updates on the syntax? We are kind of stuck here without a method to specify multiple ports. Thanks! |
@ronaldtse Terraform v11 does not support syntax that allows configuring a provider by variable, hashicorp/terraform#11578. This is the syntax I am implementing:
Sample resource using provider alias
Or we might try this, hashicorp/terraform#11578 (comment). However, I'm not sure how we could use "assume_role" here. |
@ronaldtse It's easier to support multiple ports with the old config (which does not support multiple account_ids). |
@phuonghuynh but this kind of provider support is good enough, right?

module "dynamic-secgroup" {
  source      = "../.."
  name_prefix = "getting-started-"
  # Description of this secgroup
  description = "${var.description}"
  security_groups = [
    {
      group_ids = [
        "sg-df7a88a3",
        "sg-c9c72eb5"
      ]
      # SEE THIS >>>
      providers {
        "aws" = "aws.eu"
      }
      # <<<
      rules = [
        {
          secgroup_rule_type      = "ingress"
          secgroup_rule_from_port = 22
          secgroup_rule_to_port   = 22
          secgroup_rule_protocol  = "tcp"
        },
        {
          secgroup_rule_type      = "ingress"
          secgroup_rule_from_port = 443
          secgroup_rule_to_port   = 443
          secgroup_rule_protocol  = "tcp"
        }
      ]
    },
  ]
  // time_to_expire = 600
} |
@phuonghuynh we don't need to use multiple account-ids, but if possible we want to use one dynamic secgroup module to handle multiple regions. But if it can't, we can separate per-region, too. |
REST API Region is an enhancement now, hashicorp/terraform-provider-aws#2167. So I will make it work with multi-ports first. |
Done and closed. |
Here's an enhancement we need for the module.
- For each security group, we want to handle rules (and ports) separately. These security groups may belong to different regions (different providers).
- Pass providers as an argument; don't pass aws_account_id and aws_region into the module anymore.
This is how the new structure should be used:
Let me know what you think!
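The structure this issue asks for, written out as an added example that is not the module's own code: one module call per region, each receiving a provider alias, with the rules for each call carried as a list and the account id and region resolved from the provider's data sources instead of being passed in as variables. It uses Terraform 0.12+ syntax (for_each, object types), which post-dates this thread; the module path ./modules/secgroup-rules, the variable names, the security group ids and the Lambda function name are all assumptions. It also shows the limitation the thread runs into: the providers map on a module block must be static, so multiple regions still mean one module block per region rather than a single looped one.

```hcl
# --- root module (for example examples/multi-region/main.tf, hypothetical path) ---

provider "aws" {
  region = "us-east-1"               # default provider
}

provider "aws" {
  alias  = "eu"
  region = "eu-west-1"               # second region, addressed as aws.eu
}

# One module block per region: Terraform requires the providers map on a
# module to be static, so the region cannot be driven from a variable or loop.
module "secgroup_us" {
  source = "./modules/secgroup-rules"   # hypothetical module path

  security_group_ids = ["sg-0123456789abcdef0"]   # constructed sample id
  rules = [
    { type = "ingress", from_port = 22,  to_port = 22,  protocol = "tcp", cidr_blocks = ["10.0.0.0/8"] },
    { type = "ingress", from_port = 443, to_port = 443, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"] },
  ]
}

module "secgroup_eu" {
  source = "./modules/secgroup-rules"
  providers = {
    aws = aws.eu                     # the module's "aws" provider is the EU alias
  }

  security_group_ids = ["sg-0fedcba9876543210", "sg-0a1b2c3d4e5f60718"]   # constructed sample ids
  rules = [
    { type = "ingress", from_port = 443, to_port = 443, protocol = "tcp", cidr_blocks = ["10.1.0.0/16"] },
  ]
}

# --- child module (modules/secgroup-rules/main.tf, hypothetical path) ---

variable "security_group_ids" {
  type = list(string)
}

variable "rules" {
  type = list(object({
    type        = string
    from_port   = number
    to_port     = number
    protocol    = string
    cidr_blocks = list(string)
  }))
}

# Account id and region come from whichever provider the caller passed in,
# so the module no longer needs aws_account_id / aws_region variables.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Every (group, rule) pair gets a stable key, so adding a rule to one
  # group does not re-create the rules attached to another group.
  rule_pairs = {
    for pair in setproduct(var.security_group_ids, range(length(var.rules))) :
    "${pair[0]}-${pair[1]}" => {
      group_id = pair[0]
      rule     = var.rules[pair[1]]
    }
  }

  # An ARN derived from the data sources rather than from variables;
  # the function name is a placeholder.
  lambda_arn = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:EXAMPLE_FUNCTION_NAME"
}

resource "aws_security_group_rule" "this" {
  for_each = local.rule_pairs

  security_group_id = each.value.group_id
  type              = each.value.rule.type
  from_port         = each.value.rule.from_port
  to_port           = each.value.rule.to_port
  protocol          = each.value.rule.protocol
  cidr_blocks       = each.value.rule.cidr_blocks
}

output "rule_ids" {
  value = { for k, r in aws_security_group_rule.this : k => r.id }
}
```

Keying the rules by group id and rule index (rather than relying on count) keeps plan output stable when a rule is added to one group; the cidr_blocks on each rule are the part to review most carefully, since a list entry with 0.0.0.0/0 is applied to every group id in that module call.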