Comments (5)
Apologies for the changes. We're reviewing internally on release notes and how to better manage the upgrade process.
Notable changes
- These resources were removed since the module requires passing in the sg rules via `var.security_group_rules`:
  - `aws_security_group.default` (sg itself)
  - `aws_security_group_rule.egress` (previously using `var.egress_cidr_blocks` for all ports)
  - `aws_security_group_rule.ingress_security_groups` (previously using `var.allowed_security_groups` for `var.port`)
  - `aws_security_group_rule.ingress_cidr_blocks` (previously using `var.allowed_cidr_blocks` for `var.port`)
It looks like this may be the culprit in your example.
```hcl
{
  type                     = "ingress"
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  cidr_blocks              = []
  source_security_group_id = join(",", module.bastion.security_group_ids)
  description              = "Allow inbound Redis traffic from Bastion"
},
```
You can only pass in a single security group (see cloudposse/terraform-aws-security-group) to `source_security_group_id`.
Also the module used to add:
```hcl
allowed_security_groups = [module.vpc.vpc_default_security_group_id]
```
Try this Terraform and see if it works for you.
Note: Untested
```hcl
locals {
  bastion_allowed_security_groups = [
    for sg in module.bastion.security_group_ids :
    {
      type                     = "ingress"
      from_port                = 6379
      to_port                  = 6379
      protocol                 = "tcp"
      cidr_blocks              = []
      source_security_group_id = sg
      description              = "Allow inbound Redis traffic from Bastion"
    }
  ]
}

module "redis" {
  source = "cloudposse/elasticache-redis/aws"
  # ...
  security_group_rules = concat([
    {
      type                     = "egress"
      from_port                = 0
      to_port                  = 0
      protocol                 = "-1"
      cidr_blocks              = ["0.0.0.0/0"] # previously var.egress_cidr_blocks
      source_security_group_id = null
      description              = "Allow outbound traffic from existing cidr blocks"
    },
    {
      type                     = "ingress"
      from_port                = 6379
      to_port                  = 6379
      protocol                 = "tcp"
      cidr_blocks              = []
      source_security_group_id = module.api.ecs_service_security_group_id
      description              = "Allow inbound Redis traffic from ECS"
    },
    {
      type                     = "ingress"
      from_port                = 6379
      to_port                  = 6379
      protocol                 = "tcp"
      cidr_blocks              = []
      # note: vpc 0.26.0 removed this output by mistake so use 0.25.0 or > 0.26.0 when it's released
      source_security_group_id = module.vpc.vpc_default_security_group_id
      description              = "Allow inbound Redis traffic from VPC"
    }
  ], local.bastion_allowed_security_groups)
}
```
from terraform-aws-elasticache-redis.
cc: @syphernl
from terraform-aws-elasticache-redis.
@nitrocode The rules I posted in my initial message (2nd code block) work for us as our `module.bastion.security_group_ids` only contains one entry. It would however be a bit more complex if it did contain more than one.
With your example however I could technically remove the specific rules for ECS and Bastion, since they both exist within the VPC.
But that would also allow anything in the VPC to connect to Redis, which might not be desired.
The reason why I opened this issue is the fact that the usage of the module has been made a bit more complicated switching to this new approach.
Before I could just tell it to allow security group X and Y (ECS + Bastion), now I have to explicitly add the rules for each of them in there.
I fully understand the reasoning behind standardization and while it does add flexibility, it also takes some away we had in versions prior to 0.40.0.
from terraform-aws-elasticache-redis.
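The migration the two comments above describe, as an added example that is not part of the thread or of the cloudposse module: rebuild the pre-0.40.0 "allow security groups X and Y on the Redis port" behaviour on top of the new `security_group_rules` input, without the VPC-wide rule that would let anything in the VPC reach Redis. `module.api.ecs_service_security_group_id`, `module.bastion.security_group_ids` and the `local.redis_*` names are assumptions for this example; only `source_security_group_id`, `security_group_rules` and the `cloudposse/elasticache-redis/aws` source come from the thread.

```hcl
# Added example (not from the thread or the cloudposse module). The module
# names (module.api, module.bastion) and the local.redis_* names are assumed.
locals {
  redis_port = 6379

  # One entry per security group that may reach Redis. This list plays the
  # role of the old allowed_security_groups input. The VPC default SG is
  # deliberately NOT included: appending it would allow any instance in the
  # VPC to connect to Redis.
  redis_allowed_security_groups = concat(
    [module.api.ecs_service_security_group_id],
    module.bastion.security_group_ids, # may legitimately contain several IDs
  )

  # Optional CIDR allow-list, playing the role of the old allowed_cidr_blocks.
  redis_allowed_cidr_blocks = []

  # source_security_group_id accepts a single ID, so emit exactly one rule per
  # source SG instead of join()-ing the IDs into one string.
  redis_ingress_sg_rules = [
    for sg in local.redis_allowed_security_groups : {
      type                     = "ingress"
      from_port                = local.redis_port
      to_port                  = local.redis_port
      protocol                 = "tcp"
      cidr_blocks              = []
      source_security_group_id = sg
      description              = "Allow inbound Redis traffic from ${sg}"
    }
  ]

  # cidr_blocks is a list, so all allowed CIDRs fit in one rule; emit no rule
  # at all when the list is empty.
  redis_ingress_cidr_rules = length(local.redis_allowed_cidr_blocks) == 0 ? [] : [
    {
      type                     = "ingress"
      from_port                = local.redis_port
      to_port                  = local.redis_port
      protocol                 = "tcp"
      cidr_blocks              = local.redis_allowed_cidr_blocks
      source_security_group_id = null
      description              = "Allow inbound Redis traffic from allowed CIDR blocks"
    }
  ]

  # Egress as open as the old egress_cidr_blocks default; narrow it if Redis
  # only needs to answer established connections.
  redis_egress_rules = [
    {
      type                     = "egress"
      from_port                = 0
      to_port                  = 0
      protocol                 = "-1"
      cidr_blocks              = ["0.0.0.0/0"]
      source_security_group_id = null
      description              = "Allow all outbound traffic"
    }
  ]
}

module "redis" {
  source = "cloudposse/elasticache-redis/aws"
  # ...
  security_group_rules = concat(
    local.redis_egress_rules,
    local.redis_ingress_sg_rules,
    local.redis_ingress_cidr_rules,
  )
}
```

Adding a new caller of Redis then means appending its security group ID to `local.redis_allowed_security_groups`, which is the ergonomics the old `allowed_security_groups` input gave; the rule list stays explicit in the plan output, so a reviewer can still see every source that is allowed in.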
Apologies for the trouble @syphernl.
I wrote up some release notes here on 0.40.0
on the breaking changes and the upgrade procedure. Let us know if we should include additional details or if it doesn't work for you. If you have additional suggestions, please feel free to comment here.
We'll try to provide breaking change release notes on future upgrades across our modules.
from terraform-aws-elasticache-redis.
@syphernl We are taking feedback like yours into account and have marked v0.40.0 pre-release. We recommend using 0.39.0 for now and waiting for a later release which will provide better backward compatibility and clearer migration instructions.
from terraform-aws-elasticache-redis.