
tf_aws_sg's People

Contributors

alexloginov, amvapor, antonbabenko, bascht, bobtfish, davidpellerin, dpetzel, gosunilgo, iloverink, jof, karthikmuralidharan, kwach, ltartarini, marocchino, mlebbink, radeksimko, sioncojp, smaftoul, solarce, tehlers320, tuxpower

tf_aws_sg's Issues

tags in autoscaling group need to be a list, not a map

In most modules here, tags are not used, so we don't really see this issue.

When using the new module sg_default (#44), you will have an issue defining the tags.

In the Terraform resource aws_autoscaling_group, tags is defined as a list (not a map):

tags (Optional) A list of tag blocks (maps). Tags documented below.

Implied variable dependencies

I'm setting up a VPC in my terraform template and would like to pass the output ID to the sg_web module. This module requires the vpc_id to be set explicitly, but since I'm dynamically creating the vpc, I don't have this information. I would rather use variable interpolation, but because the internals of the module seem to require the variable to be set explicitly, this will not work.

I just realized that probably what's going on is terraform isn't able to determine that the module depends on the vpc resource. And since it's a module, it doesn't use the depends_on property, so I can't force it.

Is there another way I can work around this?

Add Postgres security group?

Hi there - Just wondering how you feel about me adding support for a Postgresql security group? I wanted to discuss it before doing the work and submitting a PR.

Feature request

Support for Instance creation across Availability Zones with count. So for example specify what AZ's are in play and set count to 2. During resource creation terraform will evenly create resources across AZ's.

cassandra sg groups issue

Hi there - brilliant work on tf_aws_sg!
I am getting the error

3 error(s) occurred:

* module.cassandra.module.cassandra_security_group.aws_security_group_rule.ingress_tcp_7199_self: cidr_blocks: should be a list
* module.cassandra.module.cassandra_security_group.aws_security_group_rule.ingress_tcp_9042_self: cidr_blocks: should be a list
* module.cassandra.module.cassandra_security_group.aws_security_group_rule.ingress_tcp_9160_self: cidr_blocks: should be a list

I created a PR. This is kind of blocking me, so if you don't want to approve it that's fine, but let me know so I can recreate the sg groups locally in my project.
PR: #40

Best practices for how to generate README

Hi Group owner,

I am not sure who I can talk with in terraform-community-modules, so I am starting here.

This would be a good idea for all repos in this group.

I recommend generating the README file with the useful tool terraform-docs (https://github.com/segmentio/terraform-docs) rather than manually editing README.md.

$ brew install terraform-docs
$ terraform-docs md . > README.md

$ cat README.md

## Inputs

| Name | Description | Default | Required |
|------|-------------|:-----:|:-----:|
| security_group_name | The name for the security group | - | yes |
| source_cidr_block | The source CIDR block to allow traffic from | - | yes |
| vpc_id | The VPC this security group will go in | - | yes |

## Outputs

| Name | Description |
|------|-------------|
| security_group_id_web | Output ID of sg_web SG we made |

I wrote terraform best practices (https://github.com/BWITS/terraform-best-practices#generate-readme-for-each-module-about-input-and-output-variables). This is one of the best practices I recommended. Hope you like this idea.

We can create another file USAGE.md to give the details on how to use this module.

InvalidGroup.Duplicate

I'm not sure if I understand how this works.

I'm seeing this error:

aws_security_group.main_security_group: Error creating Security Group: InvalidGroup.Duplicate: The security group 'x_x_x' already exists for VPC 'vpc-00000000'
	status code: 400, request id: bcbf6e06-f159-44a6-b281-2be2628c3b98

I want one security group to provide egress for all traffic and ingress for ping/ICMP (seemingly missing in this library) and tcp:22 for ssh.

It isn't clear how to use all of these from a module without repeating the security group name.

Also, how about tags for the group? How might I create tags for a name attribute?

Thanks,
Chris.

Modification of groups

Question: wouldn't it be better to keep specific security groups specific and remove SSH connections there? There is no reason to keep SSH connections in an application-specific security group. What do you think?

Should security descriptions have anything hard-coded at all?

  • description = "Security Group ${var.security_group_name}"
  • description = "tf-sg-${var.security_group_name}"

Wouldn't it be better to simply use:
description = "${var.security_group_name}"

letting users of the community rules choose their own names.

specify a list of cidr_blocks

How can I specify a list of CIDR blocks to use in the security group? I am trying the zookeeper configuration.

I have a list of CIDR blocks to pass to the security group, for example:

variable "private_cidr_blocks" {
    description = "The IP blocks for the private subnet"
    type        = "list"
    default     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
}

When I apply the plan using the following:

...
source_cidr_block = "${join(",", var.private_cidr_block)}"
...

I receive a malformed CIDR block error

* aws_security_group.main_security_group: Error authorizing security group ingress rules: InvalidParameterValue: CIDR block 10.0.1.0/24,10.0.2.0/24,10.0.3.0/24 is malformed
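
An added example, not part of the original issue or of the tf_aws_sg module: the error above shows the joined string reaching EC2 as one CIDR block, so this configuration passes the list itself to a rule's cidr_blocks and validates each element at plan time. It uses Terraform 0.14+ syntax rather than the older interpolation style in the post; the resource names, var.vpc_id and port 2181 (ZooKeeper's default client port) are assumptions.

```hcl
# Added example; resource names, the security group name and var.vpc_id are
# hypothetical. Port 2181 is ZooKeeper's default client port.
variable "vpc_id" {
  type = string
}

variable "private_cidr_blocks" {
  description = "The IP blocks for the private subnet"
  type        = list(string)
  default     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

  # Reject any element that is not one parseable CIDR block, e.g. the joined
  # string "10.0.1.0/24,10.0.2.0/24,10.0.3.0/24", before AWS is ever called.
  validation {
    condition = alltrue([
      for cidr in var.private_cidr_blocks : can(cidrhost(cidr, 0))
    ])
    error_message = "Each element must be a single valid CIDR block."
  }
}

resource "aws_security_group" "zookeeper" {
  name        = "zookeeper-example"
  description = "zookeeper-example"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "ingress_tcp_2181" {
  type              = "ingress"
  from_port         = 2181
  to_port           = 2181
  protocol          = "tcp"
  security_group_id = aws_security_group.zookeeper.id

  # One CIDR per list element; do not join() the list into a single string.
  cidr_blocks = var.private_cidr_blocks
}
```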
