Merge pull request #83 from EFXCIA/bugfix/security-group-count

Bugfix for value of 'count' cannot be computed issue when passing all…
hashicorp · Sep 20, 2018 · cd8c0b2 · cd8c0b2
2 parents f703f54 + 7a9cba5
commit cd8c0b2
Show file tree

Hide file tree

Showing 6 changed files with 128 additions and 17 deletions.
diff --git a/modules/consul-client-security-group-rules/main.tf b/modules/consul-client-security-group-rules/main.tf
@@ -25,7 +25,7 @@ resource "aws_security_group_rule" "allow_serf_lan_udp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.serf_lan_port}"
   to_port                  = "${var.serf_lan_port}"
@@ -36,7 +36,7 @@ resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound_from_security_gro
 }
 
 resource "aws_security_group_rule" "allow_serf_lan_udp_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.serf_lan_port}"
   to_port                  = "${var.serf_lan_port}"
@@ -45,3 +45,25 @@ resource "aws_security_group_rule" "allow_serf_lan_udp_inbound_from_security_gro
 
   security_group_id = "${var.security_group_id}"
 }
+
+# Similar to the *_inbound_from_security_group_ids rules, allow inbound from ourself
+
+resource "aws_security_group_rule" "allow_serf_lan_tcp_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.serf_lan_port}"
+  to_port   = "${var.serf_lan_port}"
+  protocol  = "tcp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_lan_udp_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.serf_lan_port}"
+  to_port   = "${var.serf_lan_port}"
+  protocol  = "udp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
diff --git a/modules/consul-client-security-group-rules/variables.tf b/modules/consul-client-security-group-rules/variables.tf
@@ -23,6 +23,11 @@ variable "allowed_inbound_security_group_ids" {
   default     = []
 }
 
+variable "allowed_inbound_security_group_count" {
+  description = "The number of entries in var.allowed_inbound_security_group_ids. Ideally, this value could be computed dynamically, but we pass this variable to a Terraform resource's 'count' property and Terraform requires that 'count' be computed with literals or data sources only."
+  default     = 0
+}
+
 variable "serf_lan_port" {
   description = "The port used to handle gossip in the LAN. Required by all agents."
   default     = 8301

diff --git a/modules/consul-cluster/main.tf b/modules/consul-cluster/main.tf
@@ -39,7 +39,7 @@ resource "aws_autoscaling_group" "autoscaling_group" {
       value               = "${var.cluster_tag_value}"
       propagate_at_launch = true
     },
-    "${var.tags}"
+    "${var.tags}",
   ]
 }
 
@@ -138,9 +138,10 @@ resource "aws_security_group_rule" "allow_all_outbound" {
 module "security_group_rules" {
   source = "../consul-security-group-rules"
 
-  security_group_id                  = "${aws_security_group.lc_security_group.id}"
-  allowed_inbound_cidr_blocks        = ["${var.allowed_inbound_cidr_blocks}"]
-  allowed_inbound_security_group_ids = ["${var.allowed_inbound_security_group_ids}"]
+  security_group_id                    = "${aws_security_group.lc_security_group.id}"
+  allowed_inbound_cidr_blocks          = ["${var.allowed_inbound_cidr_blocks}"]
+  allowed_inbound_security_group_ids   = "${var.allowed_inbound_security_group_ids}"
+  allowed_inbound_security_group_count = "${var.allowed_inbound_security_group_count}"
 
   server_rpc_port = "${var.server_rpc_port}"
   cli_rpc_port    = "${var.cli_rpc_port}"

diff --git a/modules/consul-cluster/variables.tf b/modules/consul-cluster/variables.tf
@@ -83,6 +83,11 @@ variable "allowed_inbound_security_group_ids" {
   default     = []
 }
 
+variable "allowed_inbound_security_group_count" {
+  description = "The number of entries in var.allowed_inbound_security_group_ids. Ideally, this value could be computed dynamically, but we pass this variable to a Terraform resource's 'count' property and Terraform requires that 'count' be computed with literals or data sources only."
+  default     = 0
+}
+
 variable "additional_security_group_ids" {
   description = "A list of additional security group IDs to add to Consul EC2 Instances"
   type        = "list"

diff --git a/modules/consul-security-group-rules/main.tf b/modules/consul-security-group-rules/main.tf
@@ -80,7 +80,7 @@ resource "aws_security_group_rule" "allow_dns_udp_inbound" {
 }
 
 resource "aws_security_group_rule" "allow_server_rpc_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.server_rpc_port}"
   to_port                  = "${var.server_rpc_port}"
@@ -91,7 +91,7 @@ resource "aws_security_group_rule" "allow_server_rpc_inbound_from_security_group
 }
 
 resource "aws_security_group_rule" "allow_cli_rpc_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.cli_rpc_port}"
   to_port                  = "${var.cli_rpc_port}"
@@ -102,7 +102,7 @@ resource "aws_security_group_rule" "allow_cli_rpc_inbound_from_security_group_id
 }
 
 resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.serf_wan_port}"
   to_port                  = "${var.serf_wan_port}"
@@ -113,7 +113,7 @@ resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound_from_security_gro
 }
 
 resource "aws_security_group_rule" "allow_serf_wan_udp_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.serf_wan_port}"
   to_port                  = "${var.serf_wan_port}"
@@ -124,7 +124,7 @@ resource "aws_security_group_rule" "allow_serf_wan_udp_inbound_from_security_gro
 }
 
 resource "aws_security_group_rule" "allow_http_api_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.http_api_port}"
   to_port                  = "${var.http_api_port}"
@@ -135,7 +135,7 @@ resource "aws_security_group_rule" "allow_http_api_inbound_from_security_group_i
 }
 
 resource "aws_security_group_rule" "allow_dns_tcp_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.dns_port}"
   to_port                  = "${var.dns_port}"
@@ -146,7 +146,7 @@ resource "aws_security_group_rule" "allow_dns_tcp_inbound_from_security_group_id
 }
 
 resource "aws_security_group_rule" "allow_dns_udp_inbound_from_security_group_ids" {
-  count                    = "${length(var.allowed_inbound_security_group_ids)}"
+  count                    = "${var.allowed_inbound_security_group_count}"
   type                     = "ingress"
   from_port                = "${var.dns_port}"
   to_port                  = "${var.dns_port}"
@@ -156,16 +156,89 @@ resource "aws_security_group_rule" "allow_dns_udp_inbound_from_security_group_id
   security_group_id = "${var.security_group_id}"
 }
 
+# Similar to the *_inbound_from_security_group_ids rules, allow inbound from ourself
+
+resource "aws_security_group_rule" "allow_server_rpc_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.server_rpc_port}"
+  to_port   = "${var.server_rpc_port}"
+  protocol  = "tcp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_cli_rpc_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.cli_rpc_port}"
+  to_port   = "${var.cli_rpc_port}"
+  protocol  = "tcp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_wan_tcp_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.serf_wan_port}"
+  to_port   = "${var.serf_wan_port}"
+  protocol  = "tcp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_serf_wan_udp_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.serf_wan_port}"
+  to_port   = "${var.serf_wan_port}"
+  protocol  = "udp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_http_api_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.http_api_port}"
+  to_port   = "${var.http_api_port}"
+  protocol  = "tcp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_dns_tcp_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.dns_port}"
+  to_port   = "${var.dns_port}"
+  protocol  = "tcp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
+resource "aws_security_group_rule" "allow_dns_udp_inbound_from_self" {
+  type      = "ingress"
+  from_port = "${var.dns_port}"
+  to_port   = "${var.dns_port}"
+  protocol  = "udp"
+  self      = true
+
+  security_group_id = "${var.security_group_id}"
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # THE CONSUL-CLIENT SPECIFIC INBOUND/OUTBOUND RULES COME FROM THE CONSUL-CLIENT-SECURITY-GROUP-RULES MODULE
 # ---------------------------------------------------------------------------------------------------------------------
 
 module "client_security_group_rules" {
   source = "../consul-client-security-group-rules"
 
-  security_group_id                  = "${var.security_group_id}"
-  allowed_inbound_cidr_blocks        = ["${var.allowed_inbound_cidr_blocks}"]
-  allowed_inbound_security_group_ids = ["${var.allowed_inbound_security_group_ids}"]
+  security_group_id                    = "${var.security_group_id}"
+  allowed_inbound_cidr_blocks          = ["${var.allowed_inbound_cidr_blocks}"]
+  allowed_inbound_security_group_ids   = ["${var.allowed_inbound_security_group_ids}"]
+  allowed_inbound_security_group_count = "${var.allowed_inbound_security_group_count}"
 
-  serf_lan_port   = "${var.serf_lan_port}"
+  serf_lan_port = "${var.serf_lan_port}"
 }
diff --git a/modules/consul-security-group-rules/variables.tf b/modules/consul-security-group-rules/variables.tf
@@ -23,6 +23,11 @@ variable "allowed_inbound_security_group_ids" {
   default     = []
 }
 
+variable "allowed_inbound_security_group_count" {
+  description = "The number of entries in var.allowed_inbound_security_group_ids. Ideally, this value could be computed dynamically, but we pass this variable to a Terraform resource's 'count' property and Terraform requires that 'count' be computed with literals or data sources only."
+  default     = 0
+}
+
 variable "server_rpc_port" {
   description = "The port used by servers to handle incoming requests from other agents."
   default     = 8300