New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v0.40.0 vs v0.39.0 security group behavior #122
Comments
Apologies for the changes. We're reviewing internally on release notes and how to better manage the upgrade process. Notable changes
It looks like this may be the culprit in your example. {
type = "ingress"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = []
source_security_group_id = join(",", module.bastion.security_group_ids)
description = "Allow inbound Redis traffic from Bastion"
}, You can only pass in a single security group (see cloudposse/terraform-aws-security-group) to Also the module used to add allowed_security_groups = [module.vpc.vpc_default_security_group_id] Try this terraform and see if it works for you hclNote: Untested locals {
bastion_allowed_security_groups = [
for sg in module.bastion.security_group_ids :
{
type = "ingress"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = []
source_security_group_id = sg
description = "Allow inbound Redis traffic from Bastion"
}
]
}
module "redis" {
source = "cloudposse/elasticache-redis/aws"
# ...
security_group_rules = concat([
{
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"] # previously var.egress_cidr_blocks
source_security_group_id = null
description = "Allow outbound traffic from existing cidr blocks"
},
{
type = "ingress"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = []
source_security_group_id = module.api.ecs_service_security_group_id
description = "Allow inbound Redis traffic from ECS"
},
{
type = "ingress"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = []
# note: vpc 0.26.0 removed this output by mistake so use 0.25.0 or > 0.26.0 when it's released
source_security_group_id = module.vpc.vpc_default_security_group_id
description = "Allow inbound Redis traffic from VPC"
}
], local.bastion_allowed_security_groups)
} |
cc: @syphernl |
@nitrocode The rules I posted in my initial message (2nd code block) works for us as our With your example however I could technically remove the specific rules for ECS and Bastion, since they both exist within the VPC. The reason why I opened this issue is the fact that the usage of the module has been made a bit more complicated switching to this new approach. I fully understand the reasoning behind standardization and while it does add flexibility, it also takes some away we had in versions prior to 0.40.0. |
Apologies for the trouble @syphernl. I wrote up some release notes here on We'll try to provide breaking change release notes on future upgrades across our modules. |
@syphernl We are taking feedback like yours into account and have marked v0.40.0 pre-release. We recommend using 0.39.0 for now and waiting for a later release which will provide better backward compatibility and clearer migration instructions. |
With 0.40.0 the setup process of this module has become a little more complex.
Prior to 0.40.0 (e.g. with 0.39.0) one could simply tell the module to allow which SG's like so:
It would allow any of these SG's to connect to
var.port
. Easy.With v0.40.0 this has changed and now requires explicit declaration of rules like this:
I have tried to define them as such:
While they do get added to the Redis instance, it does not allow to connect from them.
The README shows a nice "allow all outbound" and a "allow all from VPC" example but the default value of the
security_group_rules
only contains the former.Am I using this module the wrong way or is this actually they way it is supposed to work (now)? If so, is there something we can do to improve this behavior?
The text was updated successfully, but these errors were encountered: