feat: Allow security group rules to reference the security group created by the module (#51)

FlorinAndrei · bryantbiggs · web-flow · commit 42ccd2429c92 · 2025-09-25T15:45:18.000-05:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.5
+    rev: v1.100.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
@@ -23,7 +23,7 @@ repos:
           - '--args=--only=terraform_workspace_remote'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
diff --git a/examples/redis-cluster/main.tf b/examples/redis-cluster/main.tf
@@ -38,11 +38,10 @@ module "elasticache" {
   # Security Group
   vpc_id = module.vpc.vpc_id
   security_group_rules = {
-    ingress_vpc = {
-      # Default type is `ingress`
-      # Default port is based on the default engine port
-      description = "VPC traffic"
-      cidr_ipv4   = module.vpc.vpc_cidr_block
+    ingress-self-redis = {
+      type                         = "ingress"
+      referenced_security_group_id = "self"
+      description                  = "Allow traffic from this security group to itself."
     }
   }
 
diff --git a/main.tf b/main.tf
@@ -330,7 +330,7 @@ resource "aws_vpc_security_group_ingress_rule" "this" {
   description                  = try(each.value.description, null)
   from_port                    = try(each.value.from_port, local.port)
   prefix_list_id               = lookup(each.value, "prefix_list_id", null)
-  referenced_security_group_id = lookup(each.value, "referenced_security_group_id", null)
+  referenced_security_group_id = lookup(each.value, "referenced_security_group_id", null) == "self" ? aws_security_group.this[0].id : lookup(each.value, "referenced_security_group_id", null)
   to_port                      = try(each.value.to_port, local.port)
 
   tags = merge(local.tags, var.security_group_tags, try(each.value.tags, {}))
@@ -349,7 +349,7 @@ resource "aws_vpc_security_group_egress_rule" "this" {
   description                  = try(each.value.description, null)
   from_port                    = try(each.value.from_port, null)
   prefix_list_id               = lookup(each.value, "prefix_list_id", null)
-  referenced_security_group_id = lookup(each.value, "referenced_security_group_id", null)
+  referenced_security_group_id = lookup(each.value, "referenced_security_group_id", null) == "self" ? aws_security_group.this[0].id : lookup(each.value, "referenced_security_group_id", null)
   to_port                      = try(each.value.to_port, null)
 
   tags = merge(local.tags, var.security_group_tags, try(each.value.tags, {}))
