Bugfix for value of 'count' cannot be computed issue when passing all… #83
Conversation
…owed_inbound_security_group_count Similar to change 707c87 in terraform-aws-vault
Ah, good fix. This is quite a frustrating Terraform gotcha. Thank you! Can you describe how you tested this? We can't run automated tests on external PRs for security reasons, so I'm trying to get a sense of what you checked before merging.
Last week I set all of the allowed_inbound_cidr_blocks lists to the empty list for both our consul and vault nodes' security groups and attempted to use allowed_inbound_security_group_ids instead. Vault went fine but consul gave me the dreaded value of 'count' cannot be computed error. In my code I use the consul-cluster module with empty lists for allowed_inbound_cidr_blocks and allowed_inbound_security_group_ids.
I then use consul-security-group-rules to allow access to other members of the cluster as well as the vault nodes that are clients of the cluster:
Similarly, my vault cluster uses consul-client-security-group-rules to give the consul cluster access to the consul clients on the vault nodes:
At a high-level, it is structured thusly:
So, my internal testing, is:
There may still be an issue with the consul-security-group-rules use of consul-client-security-group-rules (
Yes please! In fact, please search for any usage of the
Will do!
…ty group ids so that our nodes can communicate
OK, that's done. I also found a nasty little bug in consul-cluster's use of consul-security-group-rules: consul-cluster is not adding its own aws_security_group.lc_security_group.id to the list of allowed_inbound_security_group_ids (and consul-security-group-rules does not automatically add its security_group_id input to the allowed inbound security group ids). Unless that was intentional? I discovered the bug when I removed my consul_security_group_rules module and let my consul_cluster module pass allowed_inbound_security_group_ids and allowed_inbound_security_group_count itself. It looks like terraform-aws-vault//modules/vault-cluster has the same problem with its use of vault-security-group-rules. I'm testing the same fix for this locally & will PR it later.
I could've sworn we already added self rules to the security group rules modules...
modules/consul-cluster/main.tf
allowed_inbound_security_group_ids = ["${var.allowed_inbound_security_group_ids}"] | ||
security_group_id = "${aws_security_group.lc_security_group.id}" | ||
allowed_inbound_cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"] | ||
allowed_inbound_security_group_ids = "${concat(list(aws_security_group.lc_security_group.id), var.allowed_inbound_security_group_ids)}" |
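Review bot: the replacement line prepends the cluster's own aws_security_group.lc_security_group.id to allowed_inbound_security_group_ids, so the list passed to consul-security-group-rules is now one element longer than var.allowed_inbound_security_group_ids, and the allowed_inbound_security_group_count handed to that module must be one larger than the caller's count or the rules for the last id are never created; the hunk does not show the count argument being adjusted, so please confirm it is (an alternative that avoids the bookkeeping is a separate self rule inside consul-security-group-rules, leaving the list and count untouched).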
Hm, perhaps instead of doing this, the consul-security-group-rules module should explicitly add a separate rule that allows connections from self?
61a1d65 to 00454de
I didn't find any reference to 'self' in consul-security-group-rules or consul-client-security-group-rules so I've added them following the pattern in terraform-aws-vault.
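The two fixes discussed in this thread, shown together as an added example in Terraform 0.11 syntax (this is illustrative code, not the consul-security-group-rules module itself; the resource names, the explicit count variable and the use of port 8300 for server RPC are assumptions made for the example):

```hcl
# Added example, not the module's own code. Terraform 0.11 interpolation
# syntax, matching the style of the hunk above.

variable "security_group_id" {}

variable "allowed_inbound_security_group_ids" {
  type    = "list"
  default = []
}

# Passed explicitly by the caller (e.g. a literal 1) because length() of a
# list built from computed attributes such as aws_security_group.*.id is
# itself computed, and count must be known at plan time.
variable "allowed_inbound_security_group_count" {
  default = 0
}

# Rules for each caller-supplied security group.
resource "aws_security_group_rule" "allow_server_rpc_from_security_groups" {
  # Broken form that triggers "value of 'count' cannot be computed":
  # count = "${length(var.allowed_inbound_security_group_ids)}"
  count = "${var.allowed_inbound_security_group_count}"

  type                     = "ingress"
  from_port                = 8300
  to_port                  = 8300
  protocol                 = "tcp"
  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
  security_group_id        = "${var.security_group_id}"
}

# Separate rule for members of the same security group, so the caller no
# longer has to splice its own id into allowed_inbound_security_group_ids
# and adjust the count to match.
resource "aws_security_group_rule" "allow_server_rpc_self" {
  type              = "ingress"
  from_port         = 8300
  to_port           = 8300
  protocol          = "tcp"
  self              = true
  security_group_id = "${var.security_group_id}"
}
```

The self rule is the least-privilege shape: it grants intra-cluster traffic only to members of that one security group rather than widening allowed_inbound_security_group_ids.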
Thank you for these fixes! I'll merge now and let the tests run. When they pass, I'll issue a new release and paste the link here.
Adding optional health_check_port variable to vault-elb
…owed_inbound_security_group_count
Similar to change 707c87 in terraform-aws-vault
Tested internally.
Cannot execute the test suite due to corporate restrictions.
Addresses issue #84