Merge pull request #538 from meshuga/separate_sg_rules

#493 split sg and rules
GoogleCloudPlatform · Jul 1, 2020 · 0895094 · 0895094
2 parents f17d289 + 74ef0ce
commit 0895094
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -661,6 +661,10 @@ Due to fact API Gateway generates a lot of resources, it's possible to issue a f
 
 Terraformer uses AWS [ListQueues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ListQueues.html) API call to fetch available queues. The API is able to return only up to 1000 queues and an additional name prefix should be passed to filter the list results. It's possible to pass `QueueNamePrefix` parameter by environmental variable `SQS_PREFIX`.
 
+#### Security groups and rules
+
+Terraformer by default will try to keep rules in security groups as long as no circular dependencies are detected. This approach is implemented to keep the rules as tidy as possible but there can be cases when this behaviour is not desirable (see [GoogleCloudPlatform/terraformer#493](https://github.com/GoogleCloudPlatform/terraformer/issues/493)). To make Terraformer split rules from security groups, add `SPLIT_SG_RULES` environmental variable with any value.
+
 ### Use with Azure
 Support [Azure CLI](https://www.terraform.io/docs/providers/azurerm/guides/azure_cli.html), [Service Principal with Client Certificate](https://www.terraform.io/docs/providers/azurerm/guides/service_principal_client_certificate.html) & [Service Principal with Client Secret](https://www.terraform.io/docs/providers/azurerm/guides/service_principal_client_secret.html)
 

diff --git a/providers/aws/sg.go b/providers/aws/sg.go
@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"os"
 	"sort"
 	"strings"
 
@@ -56,7 +57,15 @@ func (b ByGroupPair) Less(i, j int) bool {
 }
 
 func (SecurityGenerator) createResources(securityGroups []ec2.SecurityGroup) []terraformutils.Resource {
-	sgIDsToMoveOut := findSgsToMoveOut(securityGroups)
+	var sgIDsToMoveOut []string
+	_, shouldSplitRules := os.LookupEnv("SPLIT_SG_RULES")
+	if shouldSplitRules {
+		for _, sg := range securityGroups {
+			sgIDsToMoveOut = append(sgIDsToMoveOut, *sg.GroupId)
+		}
+	} else {
+		sgIDsToMoveOut = findSgsToMoveOut(securityGroups)
+	}
 
 	var resources []terraformutils.Resource
 	for _, sg := range securityGroups {