
feat: Add support for creating a security group along with the load balancer #273

Merged

Conversation

bryantbiggs
Member

Description

  • Add support for creating a security group along with the load balancer

Motivation and Context

  • All ALBs created require a security group, which then means another module definition for users. Instead, this now adds the ability to add the necessary rules directly into the ALB module. In the future, I'd like to look at mapping the listeners into rules so that users only need to specify the port and protocol once and this will create the necessary network access (they will still have to add CIDR blocks, etc., to know where that traffic is coming from or going to, but the port and protocol won't be duplicated)

Breaking Changes

  • No

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request


@antonbabenko antonbabenko left a comment


Minor comments here and there...

main.tf Outdated
name = var.security_group_use_name_prefix ? null : local.security_group_name
name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
description = var.security_group_description
vpc_id = data.aws_subnet.this[0].vpc_id
Member

There is already var.vpc_id, so no need to use data-source aws_subnet.this to fetch it.

Member Author

updated in 0ad1649

main.tf Outdated
description = var.security_group_description
vpc_id = data.aws_subnet.this[0].vpc_id

tags = merge(var.tags, var.security_group_tags)
Member

Let's add a Name tag at the end, as we do for other resources already (like this one):

    {
      "Name" = ... (something like `var.security_group_use_name_prefix ? null : local.security_group_name` maybe)
    },

Member Author

added in 0ad1649

subnets = data.aws_subnets.all.ids
vpc_id = module.vpc.vpc_id
subnets = module.vpc.public_subnets
security_group_rules = {
Member

Let's add back the line and the call to the security-group module as an example:

security_groups = [module.security_group.security_group_id]

Member Author

re-added in 0ad1649

user_pool_id = aws_cognito_user_pool.this.id
tags = {
Example = local.name
GithubRepo = "terraform-aws-eks"
Member

Suggested change
GithubRepo = "terraform-aws-eks"
GithubRepo = "terraform-aws-alb"

Member Author

whoops - how did that get there 😅

@antonbabenko antonbabenko merged commit 8232b47 into terraform-aws-modules:master Feb 7, 2023
antonbabenko pushed a commit that referenced this pull request Feb 7, 2023
## [8.3.0](v8.2.2...v8.3.0) (2023-02-07)

### Features

* Add support for creating a security group along with the load balancer ([#273](#273)) ([8232b47](8232b47))
@antonbabenko

This PR is included in version 8.3.0 🎉

@bryantbiggs bryantbiggs deleted the feat/security-group branch February 7, 2023 19:21
@gidimariastorm

gidimariastorm commented Feb 8, 2023

Please roll back or fix it.
When I'm creating an NLB I'm receiving this error:

│ Error: creating network Load Balancer: InvalidConfigurationRequest: Security groups are not supported for load balancers with type 'network'
│       status code: 400, request id: 81f69f77-12d9-44ec-8cf3-90131a19631d
│ 
│   with module.nlb.aws_lb.this[0],
│   on .terraform/modules/nlb/main.tf line 5, in resource "aws_lb" "this":
│    5: resource "aws_lb" "this" {

@jcolfej

jcolfej commented Feb 8, 2023

Why is create_security_group enabled by default?
This is a breaking change for all users that previously used the module.
We need to add create_security_group = false to continue to use the module now...

@bryantbiggs
Member Author

> This is a breaking change for all users that previously used the module.

Could you elaborate on why this is a breaking change? I understand that there was an unfortunate bug which has since been patched in https://github.com/terraform-aws-modules/terraform-aws-alb/releases/tag/v8.3.1, but otherwise it's not a breaking change

@jcolfej

jcolfej commented Feb 9, 2023

My bad, it's not a breaking change, I'm a bit strong with my words...

Just that the change to this new version means that all users of the previous versions will have, on next apply, a creation of a security_group, which is useless, and which will also modify the load balancer for nothing.

It would have been better to set create_security_group = false by default to keep the old way of working and to allow new implementations to use this feature if needed.

@falc410

falc410 commented Mar 1, 2023

Also broke our projects since we already had a security group and now the module wanted to create another one. So I second that you should set create_security_group = false by default
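As an added example that is not part of PR #273 or the module's own examples, the configurations discussed in this thread side by side: an ALB using the module-managed security group with explicitly scoped rules (the feature the PR description introduces), an NLB that opts out with `create_security_group = false` because the error quoted above shows security groups are rejected for type 'network', and an ALB that keeps a pre-existing, externally managed group so that no second group is created on upgrade. The registry source, the `version` pin, the `load_balancer_type` input, the field names inside each `security_group_rules` entry and the `module.vpc` / `module.security_group` outputs are assumptions about the surrounding code beyond what the PR itself shows; names and CIDR values are constructed.

```hcl
# Added example; not from PR #273 or the module's examples.
# Assumes the registry source and the inputs named below; check the
# module's variables.tf for the version you pin.

module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "8.3.1" # release the thread names as carrying the NLB fix (pin is an assumption)

  name               = "example-alb" # constructed
  load_balancer_type = "application"
  vpc_id             = module.vpc.vpc_id # assumed output of a VPC module
  subnets            = module.vpc.public_subnets

  # Module-managed security group (the default after this PR), scoped to the
  # listener port on ingress and to the target port on egress.
  create_security_group          = true
  security_group_name            = "example-alb"
  security_group_use_name_prefix = true
  security_group_description     = "HTTPS in from the internet; egress to app targets only"

  security_group_rules = {
    https_in = {
      type        = "ingress"
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      description = "HTTPS from anywhere"
      cidr_blocks = ["0.0.0.0/0"]
    }
    app_out = {
      type        = "egress"
      from_port   = 8080
      to_port     = 8080
      protocol    = "tcp"
      description = "To application targets only"
      cidr_blocks = module.vpc.private_subnets_cidr_blocks # assumed VPC module output
    }
  }

  security_group_tags = { Component = "edge" }
  tags                = { Example = "alb-with-managed-sg" }
}

# NLB: per the error quoted in this thread, security groups are rejected for
# load balancers of type 'network', so opt out of the managed group explicitly.
module "nlb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "8.3.1"

  name               = "example-nlb" # constructed
  load_balancer_type = "network"
  vpc_id             = module.vpc.vpc_id
  subnets            = module.vpc.private_subnets

  create_security_group = false
}

# ALB that keeps a pre-existing, externally managed security group, as the
# commenters above do: disable the managed group so the upgrade creates no
# second group and leaves the load balancer's attachments unchanged.
module "alb_existing_sg" {
  source  = "terraform-aws-modules/alb/aws"
  version = "8.3.1"

  name               = "example-alb-existing-sg" # constructed
  load_balancer_type = "application"
  vpc_id             = module.vpc.vpc_id
  subnets            = module.vpc.public_subnets

  create_security_group = false
  security_groups       = [module.security_group.security_group_id] # assumed output of a security-group module
}
```

Two practical points follow from the thread. First, because the new input defaults to `true`, an upgrade across this release should be checked with `terraform plan` for an unexpected `aws_security_group` resource and a change to the load balancer's `security_groups` attribute before it is applied; either is the signal to set `create_security_group = false`. Second, when the managed group is used, keeping egress limited to the target port and the target subnets (rather than an all-traffic egress rule) means the load balancer cannot reach anything the listeners do not need, which is the least-privilege benefit of defining the rules next to the listeners that the PR description is aiming for.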

@github-actions

github-actions bot commented Apr 1, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 1, 2023