
Conversation

@matttrach
Collaborator

@matttrach matttrach commented Mar 8, 2024

By default the access mod will generate a security group for the IP that is running terraform with the expectation that it will be necessary to deploy software on the servers. This feature allows you to disable that behavior to have fully air-gapped projects.

Summary by CodeRabbit

  • New Features
    • Introduced a feature to enhance project security by allowing the option to skip creating a security group for client IP access, useful for air-gapped environments.
    • Added Terraform module examples for creating VPC, subnet, and security groups with the option to skip certain IP-related settings.
    • New outputs for VPC, subnet, security group, and SSH key are now available in the example module.
  • Tests
    • Added a new test to verify the functionality of skipping the creation of a security group for the runner's IP.

Signed-off-by: Matt Trachier <matttrach@gmail.com>
@matttrach matttrach self-assigned this Mar 8, 2024
@matttrach matttrach requested a review from a team as a code owner March 8, 2024 15:47

coderabbitai bot commented Mar 8, 2024

Walkthrough

The latest update introduces a feature that enhances security by allowing the option to skip creating security groups for client IP access. This is particularly beneficial for projects in air-gapped environments, aiming to minimize unnecessary ingress and egress access. The changes span across Terraform configurations and modules, including the introduction of a new test to validate the functionality, and adjustments in variable naming to better reflect their purpose.

Changes

  • README.md, main.tf, variables.tf: Introduced a feature to skip creating security groups for client IP, including variable renaming for clarity.
  • examples/skipip/...: Added new example with AWS provider configuration, a Terraform module for VPC setup, and output definitions.
  • modules/security_group/main.tf, modules/security_group/variables.tf: Modified to add skip_runner_ip variable and adjust IP ingress and egress rules.
  • tests/skip_test.go: Added a test for the new skip IP feature, including unique identifier generation.

"In the realm of code, where security is key,
🐰 A hop, a skip, a jump, we're free.
No unwanted access, no open gate,
With skip_runner_ip, we celebrate.
🌟 Through fields of data, safe and sound,
Our project's fortress, now tightly bound.
Cheers to the team, for a job well-done,
In the glow of the binary, setting sun."


@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between 065fa6a and 43946a2.
Files selected for processing (10)
  • README.md (1 hunks)
  • examples/skipip/main.tf (1 hunks)
  • examples/skipip/outputs.tf (1 hunks)
  • examples/skipip/variables.tf (1 hunks)
  • examples/skipip/versions.tf (1 hunks)
  • main.tf (2 hunks)
  • modules/security_group/main.tf (2 hunks)
  • modules/security_group/variables.tf (1 hunks)
  • tests/skip_test.go (1 hunks)
  • variables.tf (1 hunks)
Files skipped from review due to trivial changes (1)
  • examples/skipip/variables.tf
Additional comments: 10
examples/skipip/outputs.tf (1)
  • 1-15: The outputs defined in examples/skipip/outputs.tf are clear and follow Terraform best practices by providing essential information about the created resources. This is crucial for users to reference these resources in other parts of their Terraform configuration or for debugging purposes.
examples/skipip/versions.tf (1)
  • 1-17: The version constraints in examples/skipip/versions.tf are well-defined, ensuring compatibility and predictable behavior across Terraform and provider versions. Specifying both minimum and maximum versions for Terraform and each provider is a good practice for maintaining stability in infrastructure projects.
examples/skipip/main.tf (1)
  • 1-26: The configuration in examples/skipip/main.tf effectively demonstrates the use of the new skip_runner_ip feature by setting it to true. This example is valuable for users looking to implement air-gapped environments. However, ensure that the comments are updated to reflect the purpose and usage of each variable clearly, especially for users less familiar with Terraform or the specific project setup.
modules/security_group/variables.tf (1)
  • 60-62: The addition of the skip_runner_ip variable in modules/security_group/variables.tf is correctly implemented with a clear description. This variable is essential for the new feature allowing users to skip creating a security group for the runner's IP, enhancing security for air-gapped environments.
main.tf (1)
  • 48-63 (note: this review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap; original lines 21-60): The implementation of the skip_runner_ip variable in main.tf is correctly integrated into the local variables and passed to the security_group module. This change effectively allows users to control the creation of security groups based on the runner's IP, aligning with the PR's objectives to enhance security for air-gapped environments. Ensure that all references and dependencies related to this new variable are updated accordingly across the project to maintain consistency.

tests/skip_test.go (1)
  • 94-110: The addition of the TestSkipIp function in tests/skip_test.go is a crucial step in validating the new feature's functionality. This test ensures that the feature to skip creating a security group for the runner's IP works as expected. It's well-structured and follows best practices for Terraform testing with Terratest. Ensure that the test covers all necessary scenarios and edge cases to guarantee the feature's reliability.
README.md (1)
  • 3-11: The update to the README.md file effectively communicates the purpose and usage of the new skip_runner_ip feature. This documentation is crucial for users to understand how to utilize the feature to enhance the security of their Terraform-managed infrastructure. Consider adding a more detailed example or a link to the examples/skipip directory for users to quickly reference a practical implementation.
modules/security_group/main.tf (2)
  • 2-12: The implementation of skip_runner_ip and allow_runner variables in modules/security_group/main.tf is correctly done, providing flexibility in configuring security group rules based on the runner's IP. This change supports the feature's goal of enhancing security for air-gapped environments. Ensure that the logic correctly handles all scenarios, especially in complex configurations where multiple conditions might affect the security group's behavior.
  • 42-49: The conditional creation of ingress and egress rules based on skip_runner_ip and allow_runner variables is a smart approach to dynamically adjust security group configurations. This ensures that unnecessary rules are not created when the feature is enabled, adhering to the principle of least privilege. Double-check that these conditions are thoroughly tested to prevent any unintended security gaps.
variables.tf (1)
  • 128-132: The introduction of the skip_runner_ip variable in variables.tf is well-documented and aligns with the PR's objectives to enhance security by allowing the omission of a security group for the Terraform runner's IP. This variable is essential for enabling the feature across the project. Ensure that the default value (false) is the intended behavior, as it maintains backward compatibility with existing configurations.
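The conditional rule creation the review comments describe (runner-IP ingress and egress rules that exist only while skip_runner_ip is false) can be expressed with a count driven by the flag. The following is an added illustration written for this page, not the rancher module's own code: apart from skip_runner_ip, the variable names, resource names, the SSH port, the VPC input and the runner address are assumptions.

```hcl
# Added illustration of the skip_runner_ip pattern; not the rancher module's
# code. Names other than skip_runner_ip are assumed for the example.

variable "skip_runner_ip" {
  type        = bool
  description = "When true, create no security group rules for the IP running Terraform (air-gapped deployment)."
  default     = false
}

variable "runner_ip" {
  type        = string
  description = "Public IPv4 address of the Terraform runner (assumed caller input; RFC 5737 documentation address as default)."
  default     = "203.0.113.10"
}

variable "vpc_id" {
  type        = string
  description = "VPC that owns the security group (assumed input)."
}

locals {
  # allow_runner is simply the inverse of skip_runner_ip and drives the
  # count of every rule that references the runner's address.
  allow_runner      = !var.skip_runner_ip
  runner_rule_count = local.allow_runner ? 1 : 0
  runner_cidr       = "${var.runner_ip}/32"
}

resource "aws_security_group" "project" {
  name        = "project-sg"
  description = "Project security group; runner access is optional"
  vpc_id      = var.vpc_id
}

# With count = 0 the rule is absent from the plan entirely, so an air-gapped
# project never opens port 22 to the runner's address.
resource "aws_security_group_rule" "runner_ingress" {
  count             = local.runner_rule_count
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [local.runner_cidr]
  security_group_id = aws_security_group.project.id
  description       = "SSH from the Terraform runner"
}

resource "aws_security_group_rule" "runner_egress" {
  count             = local.runner_rule_count
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [local.runner_cidr]
  security_group_id = aws_security_group.project.id
  description       = "Return traffic to the Terraform runner"
}

# Terraform 1.5+ check block: states the air-gap invariant independently of
# the count wiring, so a later refactor of runner_rule_count that reintroduces
# runner rules while skip_runner_ip is true fails the plan with a clear message.
check "air_gap_has_no_runner_rules" {
  assert {
    condition = (
      !var.skip_runner_ip ||
      (length(aws_security_group_rule.runner_ingress) == 0 &&
       length(aws_security_group_rule.runner_egress) == 0)
    )
    error_message = "skip_runner_ip is true but runner-IP security group rules exist."
  }
}

output "runner_rule_ids" {
  description = "Empty when skip_runner_ip = true; a test can assert on this."
  value       = aws_security_group_rule.runner_ingress[*].id
}
```

Two consequences worth checking before enabling the flag. First, the AWS provider removes the allow-all egress rule that AWS attaches to a new VPC security group, so when the runner rules are skipped the group has no egress at all unless other rules in the module add it; that is the intended posture for an air-gapped project, but it must be deliberate. Second, the runner can no longer reach the instances, so any post-provisioning step that relied on that access has to come from another path inside the environment.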

@matttrach matttrach merged commit a0c8b10 into rancher:main Mar 8, 2024
@matttrach matttrach deleted the skip-ip branch April 17, 2024 20:33