Migrating to new org and terraform registry

[brandonjbjelland]

Many small improvements made for this move and release:

Added

• moved data sources to dedicated data.tf file.
• aws_caller_identity now used to gather account_id rather than using a variable.
• tests added for target_group and expanded for alb.

Changed

• altered structure of module to conform to the new Terraform registry standards
• principle_account_id (sp) moved to a data source rather than variable map. Spelling corrected.
• removed redundant /test/alb directory which had module contents copied. Test kitchen now uses the module itself.
• pinned examples to provider and terraform versions to harden versioning.
• self signed cert added to the test fixtures, eliminating the need for manual upload and terraform.tfvars configuration of ssl cert arn.

[brandonjbjelland]

Bumping the review here. I've still yet to test pulling this from the terraform registry (can't do that until it's published here and updated there) and I'm eager to test that functionality and make sure it aligns with the docs included.

[brandonjbjelland]

Bumping once more, hoping for review here. I have tests working elsewhere and would like to get it in this repo under that model as well but can't do that until this is merged in. @antonbabenko

[antonbabenko]

Link to the new/supported repositories: https://github.com/terraform-aws-modules/terraform-aws-security-group and https://github.com/terraform-aws-modules/terraform-aws-elb

[brandonjbjelland]

Hmmm, I feel like it's a distinct and different task to alter all examples/tests to leverage the terraform registry modules. I'll do the work here but we should really strive for incremental changes where possible going forward.

[antonbabenko]

Terraform registry is parsing variables defined in *.tf files, so there is no need to put it here and remember to update it every time when something is changed in them.

[brandonjbjelland]

Will remove. Thanks!

[antonbabenko]

Same for outputs

[brandonjbjelland]

Done

[antonbabenko]

I usually put the highest-impact attributes at the top. In this case vpc_id and subnets at the most required.

Use complete values instead of references to data sources, var, other resources. This example should show exactly what is expected, but not how you will pass it into.

[brandonjbjelland]

done.

[antonbabenko]

Will do tomorrow! :)

[antonbabenko]

Do you actually need a specific version?

[antonbabenko]

Make sure it works with the latest stable version.

[brandonjbjelland]

Again moved to optimistic. Version constraints are important and will only become more important moving forward. I would only feel comfortable unsetting this if the module were actually tested against those previous versions.

[antonbabenko]

Use new repo for security group

[brandonjbjelland]

Done.

[antonbabenko]

Can you rely on default VPC which is already created? I use it in other examples and I think it will work for your example too.

[brandonjbjelland]

I'd prefer to bring with my module an example that creates everything it needs. That way it's self-sufficient. Some default resources are inherently insecure (e.g. security groups) and I don't think it's a good idea to rely on them being in any particular state or existing at all especially since this is core to the test suite.

I'll be migrating this to the registry VPC module instead.

[antonbabenko]

What does this do? :)

[brandonjbjelland]

I've deleted the puts. It was debugging info.

[antonbabenko]

Should not be possible to customize in the module itself.

[brandonjbjelland]

Unsure what's meant by this. Can you explain?

[antonbabenko]

So, list or string. Update description.

[brandonjbjelland]

Updated.

[antonbabenko]

Don't make defaults for critical things like name.

[brandonjbjelland]

Done

[antonbabenko]

Usually there is o need to write what is the default value, because it is visible 1 line below.

[brandonjbjelland]

Removed where relevant.

[antonbabenko]

Can you make it to accept list natively and join to string, if resource expect string.

[brandonjbjelland]

Sure.

[antonbabenko]

No assumption. Make it fail, if user put bad value.

[brandonjbjelland]

Again here, providing a default of what many if not most people would use (and a collection of defaults that work together) is not a bad approach. Following "make no assumptions " to a logical conclusion leaves a module consumer requiring to specify every last variable which strips some of the value of modules. Modules are intended to enable people to get started quickly with bundled resources. Part of that is adding defaults that are likely to fit many use cases.

[antonbabenko]

Same here, don't use default.

[brandonjbjelland]

I don't completely follow the logic of not providing any defaults... sane and often used defaults are a good thing to offer as they are in part what adds value to modules. If literally every variable is stripped of defaults, the result is a module that is pretty well as long as specifying all the components by hand without a module.

Can you make a better case for not providing defaults like this?

[antonbabenko]

blank, eg: 300. So what?

[brandonjbjelland]

An example value that would work is "300". I've clarified the description.

[antonbabenko]

no default

[brandonjbjelland]

Removed.

[antonbabenko]

Put all outputs available from Terraform along with description which comes from documentation page.

[brandonjbjelland]

Not sure what's meant by this. All outputs have descriptions and values. Can you clarify?

[antonbabenko]

Sorry for the delay in response.

[brandonjbjelland]

All feedback addressed locally and I'll push up the branch in the next couple hours. A few questions to your comments are above.

In the spirit of fairness I need a couple things if I'm going to keep maintaining the repo within this org:

1. I want to be listed as the maintainer of this project on the terraform registry. If that means we need to delete and resubmit alb or transfer ownership, let's do that. I started the project, have grown it, and I would like credit as its primary maintainer.
2. I need the ability to publish changes here (to github) and not be blocked by review just as you're not blocked on your repos. Probably just a permissions oversight. It doesn't really make sense for the primary maintainer (me) to not be allowed to actually own the repo and control its direction.

I hope you can agree and make those adjustments. I would guess were likely just wanting to get naming right and consistent for this set of AWS modules and that you're striving for quality, but it's only fair for me to be credited with my work and have the ability to continue it as the maintainer. Sound good? 🤝

[antonbabenko]

@brandoconnor I respect your contributions, ownership and completely agree with all you are saying. Also, small iterations are important, and we needed to make it fit the registry standards. This was mostly what I was trying to comment about. I will do my review during today and you can merge it when you want and publish to the registry.

After that let's review each other code as normal.

[antonbabenko]

"instead"

[antonbabenko]

I think this can be generated using data-source, or load from template file (similar to how you do with certificates) to be more consistent throught the code.

[brandonjbjelland]

Can you find a doc or the source code for it? I looked but didn't see it.

[antonbabenko]

https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html - this is it

[brandonjbjelland]

Hmmm so that's what I looked at but I thought an IAM policy was distinct from an S3 bucket policy. Turns out, they are different (S3 contains a principal and IAM doesn't) however that's an argument for this resource. That's all to say, if this can be used to generate more than IAM policy, it's probably badly named.

Will fix tonight.

[antonbabenko]

I had exactly the same feeling when I first discovered that data source.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.