Skip to content

v0.32.0

Compare
Choose a tag to compare
@cloudpossebot cloudpossebot released this 10 Nov 00:55
e790c87

🚀 Enhancements

Feat: Use Security Group 4.x Module @nitrocode (#94)

what

  • Use standardized Cloud Posse Security Group convention
  • Bump cloudposse/terraform-aws-route53-cluster-hostname module
  • Bump example/complete vpc and subnet modules
  • Remove unnecessary provider pins
  • Bump aws provider to 3.x
  • Run make github/init

why

  • update GHA-related files to their latest distribution from build-harness
  • new Security Group standards
  • Unblock new PRs from entering this repo

references

commands

Verified enabled=false
⨠ terraform plan -var-file=fixtures.us-east-2.tfvars -var="enabled=false"

Changes to Outputs:
  + efs_mount_target_dns_names = [
      + "",
    ]
  + efs_mount_target_ids       = [
      + "",
    ]
  + efs_mount_target_ips       = [
      + "",
    ]
  + efs_network_interface_ids  = [
      + "",
    ]
  + private_subnet_cidrs       = []
  + public_subnet_cidrs        = []
Backwards compatibility with 0.30.1 and earlier using security_group_name override

This is to avoid recreation of the efs file system due to the name change

⨠ terraform plan -var-file=fixtures.us-east-2.tfvars -var=security_group_name=snip -var=security_group_change_before_destroy=false

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.efs.aws_efs_file_system.default[0] will be created
  + resource "aws_efs_file_system" "default" {
      + arn                             = (known after apply)
      + availability_zone_id            = (known after apply)
      + availability_zone_name          = (known after apply)
      + creation_token                  = (known after apply)
      + dns_name                        = (known after apply)
      + encrypted                       = true
      + id                              = (known after apply)
      + kms_key_id                      = (known after apply)
      + number_of_mount_targets         = (known after apply)
      + owner_id                        = (known after apply)
      + performance_mode                = "generalPurpose"
      + provisioned_throughput_in_mibps = 0
      + size_in_bytes                   = (known after apply)
      + tags                            = {
          + "Name"      = "eg-test-efs-test"
          + "Namespace" = "eg"
          + "Stage"     = "test"
        }
      + tags_all                        = {
          + "Name"      = "eg-test-efs-test"
          + "Namespace" = "eg"
          + "Stage"     = "test"
        }
      + throughput_mode                 = "bursting"
    }

  # module.efs.module.security_group.aws_security_group.default[0] will be created
  + resource "aws_security_group" "default" {
      + arn                    = (known after apply)
      + description            = "MSK broker access"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "eg-test-efs-test-efs"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Attributes" = "efs"
          + "Name"       = "eg-test-efs-test-efs"
          + "Namespace"  = "eg"
          + "Stage"      = "test"
        }
      + tags_all               = {
          + "Attributes" = "efs"
          + "Name"       = "eg-test-efs-test-efs"
          + "Namespace"  = "eg"
          + "Stage"      = "test"
        }
      + vpc_id                 = (known after apply)

      + timeouts {
          + create = "10m"
          + delete = "15m"
        }
    }

...

Plan: 24 to add, 0 to change, 0 to destroy.

Changes to Outputs:
...
  + security_group_name        = "eg-test-efs-test-efs"
Deployed 0.30.1, performed `state mv`s, and then ran a plan to ensure nothing would break
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.efs.aws_efs_backup_policy.policy[0] will be created
  + resource "aws_efs_backup_policy" "policy" {
      + file_system_id = "fs-snip"
      + id             = (known after apply)

      + backup_policy {
          + status = "DISABLED"
        }
    }

  # module.efs.aws_efs_file_system.default[0] will be updated in-place
  ~ resource "aws_efs_file_system" "default" {
        id                              = "fs-snip"
        tags                            = {
            "Environment" = "snip"
            "Name"        = "snip-snip-snip-snip-efs"
            "Namespace"   = "snip"
            "Stage"       = "snip"
            "Tenant"      = "snip"
        }
        # (12 unchanged attributes hidden)

      + lifecycle_policy {}
    }

  # module.efs.aws_efs_mount_target.default[0] will be updated in-place
  ~ resource "aws_efs_mount_target" "default" {
        id                     = "fsmt-snip"
      ~ security_groups        = [
          + "sg-snip",
            # (1 unchanged element hidden)
        ]
        # (10 unchanged attributes hidden)
    }

  # module.efs.aws_efs_mount_target.default[1] will be updated in-place
  ~ resource "aws_efs_mount_target" "default" {
        id                     = "fsmt-snip"
      ~ security_groups        = [
          + "sg-snip",
            # (1 unchanged element hidden)
        ]
        # (10 unchanged attributes hidden)
    }

  # module.efs.aws_efs_mount_target.default[2] will be updated in-place
  ~ resource "aws_efs_mount_target" "default" {
        id                     = "fsmt-snip"
      ~ security_groups        = [
          + "sg-snip",
            # (1 unchanged element hidden)
        ]
        # (10 unchanged attributes hidden)
    }

  # module.efs.module.security_group.aws_security_group.default[0] will be updated in-place
  ~ resource "aws_security_group" "default" {
        id                     = "sg-snip"
        name                   = "snip-snip-snip-snip-efs-efs"
      ~ tags                   = {
          ~ "Name"        = "snip-snip-snip-snip-efs" -> "snip-snip-snip-snip-efs-efs"
            # (4 unchanged elements hidden)
        }
      ~ tags_all               = {
          ~ "Name"        = "snip-snip-snip-snip-efs" -> "snip-snip-snip-snip-efs-efs"
            # (4 unchanged elements hidden)
        }
        # (7 unchanged attributes hidden)

      + timeouts {
          + create = "10m"
          + delete = "15m"
        }
    }

  # module.efs.module.security_group.aws_security_group_rule.keyed["_allow_all_egress_"] must be replaced
+/- resource "aws_security_group_rule" "keyed" {
      + description              = "Allow all egress"
      ~ id                       = "sgrule-2361699180" -> (known after apply)
      ~ ipv6_cidr_blocks         = [ # forces replacement
          + "::/0",
        ]
      + source_security_group_id = (known after apply)
        # (8 unchanged attributes hidden)
    }

  # module.efs.module.security_group.aws_security_group_rule.keyed["_m[0]#[0]#sg#0"] will be updated in-place
  ~ resource "aws_security_group_rule" "keyed" {
      ~ description              = "Allow inbound traffic from existing security groups" -> "Allow ingress EFS traffic"
        id                       = "sgrule-snip"
        # (10 unchanged attributes hidden)
    }

Plan: 2 to add, 6 to change, 1 to destroy.