From 06704f9657e31a191d24a5e6c42db7d9db93226c Mon Sep 17 00:00:00 2001 From: Vladimir <26582191+SweetOps@users.noreply.github.com> Date: Tue, 15 Jun 2021 22:19:16 +0300 Subject: [PATCH] feat: use security-group module instead of resource (#32) * feat: use security-group module instead of resource --- README.md | 62 +++++++++++++++--------------- README.yaml | 37 +++++++++--------- docs/terraform.md | 18 ++++----- examples/complete/main.tf | 55 +++++++++++++++++--------- examples/complete/outputs.tf | 15 ++++++++ examples/complete/versions.tf | 22 +++++++++++ main.tf | 10 ++++- outputs.tf | 14 ++++++- sg.tf | 45 +++++----------------- test/src/examples_complete_test.go | 16 ++++++++ variables.tf | 55 +++++++++++++++++--------- 11 files changed, 216 insertions(+), 133 deletions(-) create mode 100644 examples/complete/versions.tf diff --git a/README.md b/README.md index 7b17d21..65c85ab 100644 --- a/README.md +++ b/README.md 
@@ -114,24 +114,23 @@ For automated tests of the complete example using [bats](https://github.com/bats # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" - namespace = "eg" - stage = "test" - name = "mq-broker" - apply_immediately = true - auto_minor_version_upgrade = true - deployment_mode = "ACTIVE_STANDBY_MULTI_AZ" - engine_type = "ActiveMQ" - engine_version = "5.15.14" - host_instance_type = "mq.t3.micro" - publicly_accessible = false - general_log_enabled = true - audit_log_enabled = true - use_existing_security_groups = false - encryption_enabled = true - use_aws_owned_key = true - vpc_id = var.vpc_id - subnet_ids = var.subnet_ids - allowed_security_groups = var.allowed_security_groups + namespace = "eg" + stage = "test" + name = "mq-broker" + apply_immediately = true + auto_minor_version_upgrade = true + deployment_mode = "ACTIVE_STANDBY_MULTI_AZ" + engine_type = "ActiveMQ" + engine_version = "5.15.14" + host_instance_type = "mq.t3.micro" + publicly_accessible = false + general_log_enabled = true + audit_log_enabled = true + encryption_enabled = true + use_aws_owned_key = true + vpc_id = var.vpc_id + subnet_ids = var.subnet_ids + security_groups = var.security_groups } ``` @@ -174,6 +173,7 @@ Available targets: | Name | Source | Version | |------|--------|---------| +| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 0.3.1 | | [this](#module\_this) | cloudposse/label/null | 0.24.1 | ## Resources 
@@ -181,10 +181,6 @@ Available targets: | Name | Type | |------|------| | [aws_mq_broker.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker) | resource | -| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_ssm_parameter.mq_application_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_ssm_parameter.mq_application_username](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_ssm_parameter.mq_master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | 
@@ -199,8 +195,6 @@ Available targets: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks that are allowed ingress to the broker's Security Group created in the module | `list(string)` | `[]` | no | -| [allowed\_security\_groups](#input\_allowed\_security\_groups) | List of security groups to be allowed to connect to the broker instance | `list(string)` | `[]` | no | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | [audit\_log\_enabled](#input\_audit\_log\_enabled) | Enables audit logging. User management action made using JMX or the ActiveMQ Web Console is logged | `bool` | `true` | no | 
@@ -213,7 +207,6 @@ Available targets: | [engine\_type](#input\_engine\_type) | Type of broker engine, `ActiveMQ` or `RabbitMQ` | `string` | `"ActiveMQ"` | no | | [engine\_version](#input\_engine\_version) | The version of the broker engine. See https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html for more details | `string` | `"5.15.14"` | no | | [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [existing\_security\_groups](#input\_existing\_security\_groups) | List of existing Security Group IDs to place the broker into. Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the broker | `list(string)` | `[]` | no | | [general\_log\_enabled](#input\_general\_log\_enabled) | Enables general logging via CloudWatch | `bool` | `true` | no | | [host\_instance\_type](#input\_host\_instance\_type) | The broker's instance type. e.g. mq.t2.micro or mq.m4.large | `string` | `"mq.t3.micro"` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | @@ -234,13 +227,17 @@ Available targets: | [overwrite\_ssm\_parameter](#input\_overwrite\_ssm\_parameter) | Whether to overwrite an existing SSM parameter | `bool` | `true` | no | | [publicly\_accessible](#input\_publicly\_accessible) | Whether to enable connections from applications outside of the VPC that hosts the broker's subnets | `bool` | `false` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [security\_group\_description](#input\_security\_group\_description) | The Security Group description. | `string` | `"AmazonMQ Security Group"` | no | +| [security\_group\_enabled](#input\_security\_group\_enabled) | Whether to create Security Group. | `bool` | `true` | no | +| [security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules.
The values of map is fully complated with `aws_security_group_rule` resource.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` |
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all outbound traffic",
"from_port": 0,
"protocol": "-1",
"to_port": 65535,
"type": "egress"
}
]
| no | +| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no | +| [security\_groups](#input\_security\_groups) | A list of Security Group IDs to associate with AmazonMQ. | `list(string)` | `[]` | no | | [ssm\_parameter\_name\_format](#input\_ssm\_parameter\_name\_format) | SSM parameter name format | `string` | `"/%s/%s"` | no | | [ssm\_path](#input\_ssm\_path) | SSM path | `string` | `"mq"` | no | | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [subnet\_ids](#input\_subnet\_ids) | List of VPC subnet IDs | `list(string)` | n/a | yes | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | | [use\_aws\_owned\_key](#input\_use\_aws\_owned\_key) | Boolean to enable an AWS owned Key Management Service (KMS) Customer Master Key (CMK) for Amazon MQ encryption that is not in your account | `bool` | `true` | no | -| [use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | Flag to enable/disable creation of Security Group in the module. Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the broker into | `bool` | `false` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID to create the broker in | `string` | n/a | yes | ## Outputs 
@@ -265,7 +262,9 @@ Available targets: | [secondary\_ssl\_endpoint](#output\_secondary\_ssl\_endpoint) | AmazonMQ secondary SSL endpoint | | [secondary\_stomp\_ssl\_endpoint](#output\_secondary\_stomp\_ssl\_endpoint) | AmazonMQ secondary STOMP+SSL endpoint | | [secondary\_wss\_endpoint](#output\_secondary\_wss\_endpoint) | AmazonMQ secondary WSS endpoint | -| [security\_group\_id](#output\_security\_group\_id) | The security group created by this module. | +| [security\_group\_arn](#output\_security\_group\_arn) | AmazonMQ Security Group ARN | +| [security\_group\_id](#output\_security\_group\_id) | AmazonMQ Security Group ID | +| [security\_group\_name](#output\_security\_group\_name) | AmazonMQ Security Group name | @@ -277,14 +276,13 @@ Like this project? Please give it a ★ on [our GitHub](https://github.com/cloud Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) + ## Related Projects Check out these related projects. - [terraform-aws-codefresh-backing-services](https://github.com/cloudposse/terraform-aws-codefresh-backing-services) - Terraform module to provision CodeFresh Enterprise backing services - - ## Help **Got a question?** We got answers. @@ -414,8 +412,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply ### Contributors -| [![Josh Myers][joshmyers_avatar]][joshmyers_homepage]
[Josh Myers][joshmyers_homepage] | [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | -|---|---|---| +| [![Josh Myers][joshmyers_avatar]][joshmyers_homepage]
[Josh Myers][joshmyers_homepage] | [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![Vladimir Syromyatnikov][SweetOps_avatar]][SweetOps_homepage]
[Vladimir Syromyatnikov][SweetOps_homepage] | +|---|---|---|---| [joshmyers_homepage]: https://github.com/joshmyers @@ -424,6 +422,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply [osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png [aknysh_homepage]: https://github.com/aknysh [aknysh_avatar]: https://img.cloudposse.com/150x150/https://github.com/aknysh.png + [SweetOps_homepage]: https://github.com/SweetOps + [SweetOps_avatar]: https://img.cloudposse.com/150x150/https://github.com/SweetOps.png [![README Footer][readme_footer_img]][readme_footer_link] [![Beacon][beacon]][website] diff --git a/README.yaml b/README.yaml index 5b7a60d..ed575fd 100644 --- a/README.yaml +++ b/README.yaml @@ -72,24 +72,23 @@ usage: |- # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" - namespace = "eg" - stage = "test" - name = "mq-broker" - apply_immediately = true - auto_minor_version_upgrade = true - deployment_mode = "ACTIVE_STANDBY_MULTI_AZ" - engine_type = "ActiveMQ" - engine_version = "5.15.14" - host_instance_type = "mq.t3.micro" - publicly_accessible = false - general_log_enabled = true - audit_log_enabled = true - use_existing_security_groups = false - encryption_enabled = true - use_aws_owned_key = true - vpc_id = var.vpc_id - subnet_ids = var.subnet_ids - allowed_security_groups = var.allowed_security_groups + namespace = "eg" + stage = "test" + name = "mq-broker" + apply_immediately = true + auto_minor_version_upgrade = true + deployment_mode = "ACTIVE_STANDBY_MULTI_AZ" + engine_type = "ActiveMQ" + engine_version = "5.15.14" + host_instance_type = "mq.t3.micro" + publicly_accessible = false + general_log_enabled = true + audit_log_enabled = true + encryption_enabled = true + use_aws_owned_key = true + vpc_id = var.vpc_id + subnet_ids = var.subnet_ids + security_groups = var.security_groups } ``` 
@@ -105,3 +104,5 @@ contributors: github: osterman - name: Andriy Knysh github: aknysh + - name: Vladimir Syromyatnikov + github: SweetOps diff --git a/docs/terraform.md b/docs/terraform.md index a00a534..80e4ee1 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -20,6 +20,7 @@ | Name | Source | Version | |------|--------|---------| +| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 0.3.1 | | [this](#module\_this) | cloudposse/label/null | 0.24.1 | ## Resources @@ -27,10 +28,6 @@ | Name | Type | |------|------| | [aws_mq_broker.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker) | resource | -| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_ssm_parameter.mq_application_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_ssm_parameter.mq_application_username](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_ssm_parameter.mq_master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | 
@@ -45,8 +42,6 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks that are allowed ingress to the broker's Security Group created in the module | `list(string)` | `[]` | no | -| [allowed\_security\_groups](#input\_allowed\_security\_groups) | List of security groups to be allowed to connect to the broker instance | `list(string)` | `[]` | no | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | [audit\_log\_enabled](#input\_audit\_log\_enabled) | Enables audit logging. User management action made using JMX or the ActiveMQ Web Console is logged | `bool` | `true` | no | 
@@ -59,7 +54,6 @@ | [engine\_type](#input\_engine\_type) | Type of broker engine, `ActiveMQ` or `RabbitMQ` | `string` | `"ActiveMQ"` | no | | [engine\_version](#input\_engine\_version) | The version of the broker engine. See https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html for more details | `string` | `"5.15.14"` | no | | [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [existing\_security\_groups](#input\_existing\_security\_groups) | List of existing Security Group IDs to place the broker into. Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the broker | `list(string)` | `[]` | no | | [general\_log\_enabled](#input\_general\_log\_enabled) | Enables general logging via CloudWatch | `bool` | `true` | no | | [host\_instance\_type](#input\_host\_instance\_type) | The broker's instance type. e.g. mq.t2.micro or mq.m4.large | `string` | `"mq.t3.micro"` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | @@ -80,13 +74,17 @@ | [overwrite\_ssm\_parameter](#input\_overwrite\_ssm\_parameter) | Whether to overwrite an existing SSM parameter | `bool` | `true` | no | | [publicly\_accessible](#input\_publicly\_accessible) | Whether to enable connections from applications outside of the VPC that hosts the broker's subnets | `bool` | `false` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [security\_group\_description](#input\_security\_group\_description) | The Security Group description. | `string` | `"AmazonMQ Security Group"` | no | +| [security\_group\_enabled](#input\_security\_group\_enabled) | Whether to create Security Group. | `bool` | `true` | no | +| [security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules.
The values of map is fully complated with `aws_security_group_rule` resource.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` |
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all outbound traffic",
"from_port": 0,
"protocol": "-1",
"to_port": 65535,
"type": "egress"
}
]
| no | +| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no | +| [security\_groups](#input\_security\_groups) | A list of Security Group IDs to associate with AmazonMQ. | `list(string)` | `[]` | no | | [ssm\_parameter\_name\_format](#input\_ssm\_parameter\_name\_format) | SSM parameter name format | `string` | `"/%s/%s"` | no | | [ssm\_path](#input\_ssm\_path) | SSM path | `string` | `"mq"` | no | | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [subnet\_ids](#input\_subnet\_ids) | List of VPC subnet IDs | `list(string)` | n/a | yes | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | | [use\_aws\_owned\_key](#input\_use\_aws\_owned\_key) | Boolean to enable an AWS owned Key Management Service (KMS) Customer Master Key (CMK) for Amazon MQ encryption that is not in your account | `bool` | `true` | no | -| [use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | Flag to enable/disable creation of Security Group in the module. Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the broker into | `bool` | `false` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID to create the broker in | `string` | n/a | yes | ## Outputs 
@@ -111,5 +109,7 @@ | [secondary\_ssl\_endpoint](#output\_secondary\_ssl\_endpoint) | AmazonMQ secondary SSL endpoint | | [secondary\_stomp\_ssl\_endpoint](#output\_secondary\_stomp\_ssl\_endpoint) | AmazonMQ secondary STOMP+SSL endpoint | | [secondary\_wss\_endpoint](#output\_secondary\_wss\_endpoint) | AmazonMQ secondary WSS endpoint | -| [security\_group\_id](#output\_security\_group\_id) | The security group created by this module. | +| [security\_group\_arn](#output\_security\_group\_arn) | AmazonMQ Security Group ARN | +| [security\_group\_id](#output\_security\_group\_id) | AmazonMQ Security Group ID | +| [security\_group\_name](#output\_security\_group\_name) | AmazonMQ Security Group name | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 39dda42..643f0db 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -28,24 +28,43 @@ module "subnets" {
 module "mq_broker" {
 source = "../../"
- vpc_id = module.vpc.vpc_id
- subnet_ids = module.subnets.private_subnet_ids
- allowed_security_groups = [module.vpc.vpc_default_security_group_id]
-
- apply_immediately = var.apply_immediately
- auto_minor_version_upgrade = var.auto_minor_version_upgrade
- deployment_mode = var.deployment_mode
- engine_type = var.engine_type
- engine_version = var.engine_version
- host_instance_type = var.host_instance_type
- publicly_accessible = var.publicly_accessible
- general_log_enabled = var.general_log_enabled
- audit_log_enabled = var.audit_log_enabled
- use_existing_security_groups = var.use_existing_security_groups
- kms_ssm_key_arn = var.kms_ssm_key_arn
- encryption_enabled = var.encryption_enabled
- kms_mq_key_arn = var.kms_mq_key_arn
- use_aws_owned_key = var.use_aws_owned_key
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = module.subnets.private_subnet_ids
+
+ security_group_rules = [
+ {
+ type = "egress"
+ from_port = 0
+ to_port = 65535
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ source_security_group_id = null
+ description = "Allow all outbound trafic"
+ },
+ {
+ type = "ingress"
+ from_port = 0
+ to_port = 65535
+ protocol = "tcp"
+ cidr_blocks = []
+ source_security_group_id = module.vpc.vpc_default_security_group_id
+ description = "Allow ingress traffic to AmazonMQ from trusted Security Groups"
+ }
+ ]
+
+ apply_immediately = var.apply_immediately
+ auto_minor_version_upgrade = var.auto_minor_version_upgrade
+ deployment_mode = var.deployment_mode
+ engine_type = var.engine_type
+ engine_version = var.engine_version
+ host_instance_type = var.host_instance_type
+ publicly_accessible = var.publicly_accessible
+ general_log_enabled = var.general_log_enabled
+ audit_log_enabled = var.audit_log_enabled
+ kms_ssm_key_arn = var.kms_ssm_key_arn
+ encryption_enabled = var.encryption_enabled
+ kms_mq_key_arn = var.kms_mq_key_arn
+ use_aws_owned_key = var.use_aws_owned_key
 context = 
module.this.context
 }
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index 2353574..3a3787b 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -92,3 +92,18 @@ output "secondary_ip_address" {
 value = module.mq_broker.secondary_ip_address
 description = "AmazonMQ secondary IP address"
 }
+
+output "security_group_id" {
+ value = module.mq_broker.security_group_id
+ description = "AmazonMQ Security Group ID"
+}
+
+output "security_group_arn" {
+ value = module.mq_broker.security_group_arn
+ description = "AmazonMQ Security Group ARN"
+}
+
+output "security_group_name" {
+ value = module.mq_broker.security_group_name
+ description = "AmazonMQ Security Group name"
+}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
new file mode 100644
index 0000000..b7b870f
--- /dev/null
+++ b/examples/complete/versions.tf
@@ -0,0 +1,22 @@
+terraform {
+ required_version = ">= 0.13.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 2.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 2.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 2.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.2.0"
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index 73ff96f..aa184f1 100644
--- a/main.tf
+++ b/main.tf
@@ -14,6 +14,8 @@ locals {
 mq_application_password_is_set = var.mq_application_password != null && var.mq_application_password != ""
 mq_application_password = local.mq_application_password_is_set ? var.mq_application_password : join("", random_password.mq_application_password.*.result)
 mq_logs = { logs = { "general_log_enabled" : var.general_log_enabled, "audit_log_enabled" : var.audit_log_enabled } }
+
+ security_group_enabled = module.this.enabled && var.security_group_enabled
 }
 resource "random_string" "mq_admin_user" {
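Review bot: The ingress rule added to the `mq_broker` module block grants every TCP port (`from_port = 0`, `to_port = 65535`) from the VPC default security group rather than the broker's listener ports; the inline rule it replaces was equally broad, so this is not a regression, but ingress is now entirely caller-defined through `security_group_rules` and this example is what users will copy, so either narrow it or add a comment saying the wide range is deliberate for the test. The egress rule's description also has a typo: `description = "Allow all outbound traffic"`.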
@@ -94,10 +96,16 @@ resource "aws_mq_broker" "default" {
 auto_minor_version_upgrade = var.auto_minor_version_upgrade
 apply_immediately = var.apply_immediately
 publicly_accessible = var.publicly_accessible
- security_groups = var.use_existing_security_groups ? var.existing_security_groups : [join("", aws_security_group.default.*.id)]
 subnet_ids = var.subnet_ids
 tags = module.this.tags
+ security_groups = compact(
+ sort(concat(
+ [module.security_group.id],
+ var.security_groups
+ ))
+ )
+
 dynamic "encryption_options" {
 for_each = var.encryption_enabled ? ["true"] : []
 content {
diff --git a/outputs.tf b/outputs.tf
index a4de0f8..4c6d780 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -9,8 +9,18 @@ output "broker_arn" {
 }
 output "security_group_id" {
- value = var.use_existing_security_groups ? null : aws_security_group.default.0.id
- description = "The security group created by this module."
+ value = module.security_group.id
+ description = "AmazonMQ Security Group ID"
+}
+
+output "security_group_arn" {
+ value = module.security_group.arn
+ description = "AmazonMQ Security Group ARN"
+}
+
+output "security_group_name" {
+ value = module.security_group.name
+ description = "AmazonMQ Security Group name"
 }
 output "primary_console_url" {
diff --git a/sg.tf b/sg.tf
index 2aa233e..7db3c76 100644
--- a/sg.tf
+++ b/sg.tf
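Review bot: The new `security_groups = compact(sort(concat([module.security_group.id], var.security_groups)))` depends on the module's `id` output being `""` rather than `null` when `local.security_group_enabled` is false, since `compact` only drops empty strings; worth confirming against the pinned 0.3.1 module. When the managed group is disabled and `var.security_groups` is left at its `[]` default, the broker is created with an empty `security_groups` list and nothing here rejects that; the removed expression had the same gap, but the intent deserves a comment, e.g. `# module-managed SG (empty string when disabled) plus caller-supplied SGs; sorted so reordering never produces a diff`. The `aws_mq_broker` resource starts before the hunk and continues past it.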
@@ -1,39 +1,12 @@
-resource "aws_security_group" "default" {
- count = module.this.enabled && var.use_existing_security_groups == false ? 1 : 0
- vpc_id = var.vpc_id
- name = module.this.id
- tags = module.this.tags
-}
-
-resource "aws_security_group_rule" "egress" {
- count = module.this.enabled && var.use_existing_security_groups == false ? 1 : 0
- description = "Allow outbound traffic"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- security_group_id = join("", aws_security_group.default.*.id)
- type = "egress"
-}
+module "security_group" {
+ source = "cloudposse/security-group/aws"
+ version = "0.3.1"
-resource "aws_security_group_rule" "ingress_security_groups" {
- count = module.this.enabled && var.use_existing_security_groups == false ? length(var.allowed_security_groups) : 0
- description = "Allow inbound traffic from existing Security Groups"
- from_port = 0
- to_port = 65535
- protocol = "tcp"
- source_security_group_id = var.allowed_security_groups[count.index]
- security_group_id = join("", aws_security_group.default.*.id)
- type = "ingress"
-}
+ use_name_prefix = var.security_group_use_name_prefix
+ rules = var.security_group_rules
+ vpc_id = var.vpc_id
+ description = var.security_group_description
-resource "aws_security_group_rule" "ingress_cidr_blocks" {
- count = module.this.enabled && var.use_existing_security_groups == false && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
- description = "Allow inbound traffic from CIDR blocks"
- from_port = 0
- to_port = 65535
- protocol = "tcp"
- cidr_blocks = var.allowed_cidr_blocks
- security_group_id = join("", aws_security_group.default.*.id)
- type = "ingress"
+ enabled = local.security_group_enabled
+ context = module.this.context
 }
diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go
index 4d68932..04677f8 100644
--- a/test/src/examples_complete_test.go
+++ b/test/src/examples_complete_test.go
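Review bot: `rules = var.security_group_rules` is forwarded verbatim, so the contract of sg.tf changes from "ingress only from `allowed_security_groups`/`allowed_cidr_blocks`, egress hard-coded" to "whatever the caller supplies, `0.0.0.0/0` ingress included, with no validation". That is a defensible design, but nothing in the file says so; a header comment would make the posture explicit: `# All rules, ingress included, come from var.security_group_rules; the default opens no ingress, so the broker is unreachable until the caller supplies rules.` Keeping `version = "0.3.1"` as an exact pin is right here, since the rule map schema is passed through untouched.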
@@ -61,4 +61,20 @@ func TestExamplesComplete(t *testing.T) {
 // Verify we're getting back the outputs we expect
 assert.Contains(t, brokerArn, "broker:eg-test-mq-broker-"+randId)
 assert.Contains(t, brokerArn, brokerId)
+
+ // Run `terraform output` to get the value of an output variable
+ securityGroupName := terraform.Output(t, terraformOptions, "security_group_name")
+ expectedSecurityGroupName := "eg-test-mq-broker-" + randId
+ // Verify we're getting back the outputs we expect
+ assert.Equal(t, expectedSecurityGroupName, securityGroupName)
+
+ // Run `terraform output` to get the value of an output variable
+ securityGroupID := terraform.Output(t, terraformOptions, "security_group_id")
+ // Verify we're getting back the outputs we expect
+ assert.Contains(t, securityGroupID, "sg-", "SG ID should contains substring 'sg-'")
+
+ // Run `terraform output` to get the value of an output variable
+ securityGroupARN := terraform.Output(t, terraformOptions, "security_group_arn")
+ // Verify we're getting back the outputs we expect
+ assert.Contains(t, securityGroupARN, "arn:aws:ec2", "SG ID should contains substring 'arn:aws:ec2'")
 }
diff --git a/variables.tf b/variables.tf
index 44c48c5..8dbad15 100644
--- a/variables.tf
+++ b/variables.tf
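Review bot: The failure message on the final assertion was copied from the ID check and reads `SG ID should contains substring 'arn:aws:ec2'` although it tests the ARN; use `"SG ARN should contain substring 'arn:aws:ec2'"`. The ARN check can also be tightened at no cost by asserting it embeds the ID fetched a few lines earlier, `assert.Contains(t, securityGroupARN, securityGroupID)`, which ties both outputs to the same group. `arn:aws:ec2` is partition-specific and would fail if the test were ever run in the GovCloud or China partitions. `TestExamplesComplete` begins before the hunk.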
@@ -94,16 +94,47 @@ variable "mq_application_password" {
 description = "Application password"
 }
-variable "allowed_security_groups" {
- type = list(string)
- default = []
- description = "List of security groups to be allowed to connect to the broker instance"
+variable "security_group_enabled" {
+ type = bool
+ description = "Whether to create Security Group."
+ default = true
 }
-variable "allowed_cidr_blocks" {
+variable "security_group_description" {
+ type = string
+ default = "AmazonMQ Security Group"
+ description = "The Security Group description."
+}
+
+variable "security_group_use_name_prefix" {
+ type = bool
+ default = false
+ description = "Whether to create a default Security Group with unique name beginning with the normalized prefix."
+}
+
+variable "security_group_rules" {
+ type = list(any)
+ default = [
+ {
+ type = "egress"
+ from_port = 0
+ to_port = 65535
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all outbound traffic"
+ }
+ ]
+ description = <<-EOT
+ A list of maps of Security Group rules.
+ The values of map is fully complated with `aws_security_group_rule` resource.
+ To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .
+ EOT
+}
+
+variable "security_groups" {
+ description = "A list of Security Group IDs to associate with AmazonMQ."
 type = list(string)
 default = []
- description = "List of CIDR blocks that are allowed ingress to the broker's Security Group created in the module"
 }
 variable "vpc_id" {
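Review bot: The `security_group_rules` description added here is garbled (`The values of map is fully complated with`); presumably "compatible with" was meant, and since the type is `list(any)` nothing validates the maps, so it would help to also name the keys the example relies on (`type`, `from_port`, `to_port`, `protocol`, plus `cidr_blocks` or `source_security_group_id`). The `security_groups` description should say how it combines with the managed group, because main.tf concatenates the two: `description = "Additional Security Group IDs to associate with AmazonMQ, alongside the module-managed one; supply at least one when security_group_enabled is false."` The default egress rule keeps `to_port = 65535` for an all-protocols (`-1`) rule where the removed inline rule used `0`; whether the provider treats them identically is not something I can confirm from here, but the mismatch is worth a glance.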
@@ -122,18 +153,6 @@ variable "overwrite_ssm_parameter" {
 description = "Whether to overwrite an existing SSM parameter"
 }
-variable "use_existing_security_groups" {
- type = bool
- default = false
- description = "Flag to enable/disable creation of Security Group in the module. Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the broker into"
-}
-
-variable "existing_security_groups" {
- type = list(string)
- default = []
- description = "List of existing Security Group IDs to place the broker into. Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the broker"
-}
-
 variable "ssm_parameter_name_format" {
 type = string
 default = "/%s/%s"