feat: support network_stack parameter

[dudymas]

what

• feat(external-net): added
• chore(remote-state): tidy unused module
• chore(external-net): update parameters
• chore(src): format changes
• chore(docs): updated for network_stack

why

• Configuring external networking is simpler when using brownfield or
  customized VPCs

• Transit Gateway setup can be difficult to troubleshoot

Summary by CodeRabbit

• New Features

  • Added support for configuring networking as either "embedded" (managed automatically) or "external" (using existing VPC, subnets, and security groups).
  • Introduced new variables for specifying VPC ID, subnet IDs, security group ID, and custom security group rules.
  • Outputs now include the security group ID for easier reference.
  • Enabled conditional creation and management of security groups and rules based on configuration.

• Documentation

  • Expanded and restructured documentation to clarify networking configuration options, usage patterns, and deprecation of older methods.
  • Updated examples and input/output descriptions for improved clarity.
  • Removed detailed autogenerated Terraform documentation and references for simplicity.

• Chores

  • Removed deprecated variables and modules related to VPC peering.
  • Updated module versions and improved formatting for consistency.

[coderabbitai]

Walkthrough

The documentation and Terraform configuration were updated to clarify and expand networking options for the "runs-on" component. New variables and outputs were added for flexible networking and security group management, including support for embedded or external VPCs. Deprecated sections and unused modules were removed. Documentation was reorganized and expanded accordingly.

Changes

File(s)	Change Summary
README.md, README.yaml	Updated usage instructions, clarified networking options, added/renamed sections, improved formatting.
src/README.md	Expanded and restructured documentation; added sections for networking modes; updated module info.
src/main.tf, src/outputs.tf	Added networking/security group variables, resource, and output; extended parameterization.
src/variables.tf	Removed vpc_peering_component; added/validated networking-related variables.
src/remote-state.tf	Removed conditional remote state module for VPC peering.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Terraform
    participant AWS

    User->>Terraform: Configure runs-on with networking_stack ("embedded" or "external")
    Terraform->>AWS: If "embedded", create VPC, subnets, security group via CloudFormation
    Terraform->>AWS: If "external", use provided vpc_id, subnet_ids, security_group_id
    alt security_group_id not provided and "external"
        Terraform->>AWS: Create security group using module
        Terraform->>AWS: Apply security_group_rules if provided
    end
    AWS-->>Terraform: Return outputs (including security_group_id)
    Terraform-->>User: Output networking and security group info

Loading

Poem

A rabbit hopped through docs anew,
With networks clear—external too!
Security groups and rules in tow,
Embedded or not, you choose the flow.
Out with the old, in with the neat,
This change makes our setup sweet!
🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f7b1fb and a7ab479.

📒 Files selected for processing (4)

• README.yaml (6 hunks)
• src/README.md (5 hunks)
• src/main.tf (3 hunks)
• src/outputs.tf (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/outputs.tf

🧰 Additional context used

🧠 Learnings (1)

src/main.tf (1)

Learnt from: dudymas
PR: cloudposse-terraform-components/aws-runs-on#19
File: src/main.tf:82-92
Timestamp: 2025-05-27T16:32:35.310Z
Learning: In the aws-runs-on Terraform component, the CloudFormation stack receives either an external security group ID (via ExternalVpcSecurityGroupId parameter) or a newly created security group ID and outputs the security group ID it's using via RunsOnSecurityGroupId. This means local.security_group_id from the CloudFormation output is the correct unified reference for security group rules in all deployment modes (embedded/external networking), eliminating the need for complex conditional logic in Terraform locals.

🪛 LanguageTool

src/README.md

[uncategorized] ~291-~291: A period might be missing here.
Context: ...s_list_of_maps. Not added to tagsorid`.
This is for some rare cases wher...

(AI_EN_LECTOR_MISSING_PUNCTUATION_PERIOD)

---

[uncategorized] ~292-~292: A comma might be missing here.
Context: ...(e.g. workers or cluster) to add to id,
in the order they appear in the ...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

---

[grammar] ~297-~297: Did you mean “too false to”?
Context: ..."> enabled | Set to false to prevent the module from creating any re...

(TOO_ADJECTIVE_TO)

---

[grammar] ~299-~299: The verb ‘keep’ seems to be in the wrong form here.
Context: ... for unlimited length.
Set to null for keep the existing setting, which defaults to...

(FOR_VB)

---

[typographical] ~304-~304: Consider adding a comma after ‘Usually’ for more clarity.
Context: ... name | ID element. Usually the component or solution name, e.g. 'a...

(RB_LY_COMMA)

---

[uncategorized] ~304-~304: Possible missing preposition found.
Context: ...ID element not also included as a tag.
The "name" tag is set to the full id s...

(AI_EN_LECTOR_MISSING_PREPOSITION)

---

[typographical] ~305-~305: Consider adding a comma after ‘Usually’ for more clarity.
Context: ...space](#input_namespace) | ID element. Usually an abbreviation of your organization na...

(RB_LY_COMMA)

---

[typographical] ~307-~307: Do not use a colon (:) before a series that is introduced by a preposition (‘of’). Remove the colon or add a noun or a noun phrase after the preposition.
Context: ... stack creation fails. This must be one of: DO_NOTHING, ROLLBACK, or DELETE |...

(RP_COLON)

🪛 markdownlint-cli2 (0.17.2)

src/README.md

306-306: Bare URL used
null

(MD034, no-bare-urls)

🪛 Checkov (3.2.334)

src/main.tf

[MEDIUM] 71-80: Ensure Terraform module sources use a commit hash

(CKV_TF_1)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Mergify Merge Protections
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (24)

README.yaml (10)

5-13: Metadata enhancement looks good
The newly added tags and categories fields enrich project metadata and align with the standardized component/layer/provider taxonomy.

---

15-23: License and badges updated appropriately
The license field uses the project’s SPDX-style identifier and the badges correctly point to the latest release and Slack community.

---

40-43: Compatibility section added
Clearly specifies the minimum compatible version of the RunsOn CloudFormation template.

---

48-75: Defaults section is comprehensive and clear
The baseline configuration snippet covers common parameters and matches the new abstract component approach.

---

79-84: Embedded networking documentation is clear
The example of networking_stack: embedded with the VpcCidrBlock parameter aligns with the Terraform implementation.

---

233-243: External networking documentation is accurate
The instructions for setting vpc_id, subnet_ids, and security_group_id are clear and correspond to the new Terraform variables and logic.

---

296-300: Modules table updated correctly
Module versions have been bumped and the new security_group module is properly listed.

---

306-311: Resources table reflects new data sources
The added aws_subnets and aws_vpc data sources match the implementation in src/main.tf.

---

331-345: Inputs table updated with networking variables
The descriptions for networking_stack, vpc_id, subnet_ids, security_group_id, and security_group_rules are clear and align with the code.

---

359-359: New output security_group_id documented
The addition of the security_group_id output completes the mapping of Terraform outputs to the CloudFormation stack’s outputs.

src/README.md (8)

15-18: Compatibility section added
Specifies the minimum required RunsOn template version (2.8.2+), making upgrade requirements explicit.

---

23-36: Defaults section documented clearly
The abstract component snippet provides a solid baseline configuration and matches patterns in other Cloud Posse components.

---

54-61: Embedded networking section is well-explained
The example with networking_stack: embedded and the VpcCidrBlock parameter aligns with implementation details.

---

208-247: External networking section is thorough
Examples for setting vpc_id, subnet_ids, and security_group_id map directly to the new Terraform variables.

---

271-275: Modules table versions updated
Upgraded iam-policy, iam-roles, and added security-group; the table accurately reflects module version changes.

---

281-286: Resources table reflects new Terraform resources and data sources
The addition of aws_security_group_rule.this, subnet, and VPC data sources matches the code.

---

291-319: Inputs section includes new networking parameters
Clear descriptions for all new networking-related inputs ensure user-friendly configuration.

🧰 Tools

🪛 LanguageTool

[uncategorized] ~291-~291: A period might be missing here.
Context: ...s_list_of_maps. Not added to tagsorid`.
This is for some rare cases wher...

(AI_EN_LECTOR_MISSING_PUNCTUATION_PERIOD)

---

[uncategorized] ~292-~292: A comma might be missing here.
Context: ...(e.g. workers or cluster) to add to id,
in the order they appear in the ...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

---

[grammar] ~297-~297: Did you mean “too false to”?
Context: ..."> enabled | Set to false to prevent the module from creating any re...

(TOO_ADJECTIVE_TO)

---

[grammar] ~299-~299: The verb ‘keep’ seems to be in the wrong form here.
Context: ... for unlimited length.
Set to null for keep the existing setting, which defaults to...

(FOR_VB)

---

[typographical] ~304-~304: Consider adding a comma after ‘Usually’ for more clarity.
Context: ... name | ID element. Usually the component or solution name, e.g. 'a...

(RB_LY_COMMA)

---

[uncategorized] ~304-~304: Possible missing preposition found.
Context: ...ID element not also included as a tag.
The "name" tag is set to the full id s...

(AI_EN_LECTOR_MISSING_PREPOSITION)

---

[typographical] ~305-~305: Consider adding a comma after ‘Usually’ for more clarity.
Context: ...space](#input_namespace) | ID element. Usually an abbreviation of your organization na...

(RB_LY_COMMA)

---

[typographical] ~307-~307: Do not use a colon (:) before a series that is introduced by a preposition (‘of’). Remove the colon or add a noun or a noun phrase after the preposition.
Context: ... stack creation fails. This must be one of: DO_NOTHING, ROLLBACK, or DELETE |...

(RP_COLON)

🪛 markdownlint-cli2 (0.17.2)

306-306: Bare URL used
null

(MD034, no-bare-urls)

---

334-336: Output security_group_id section added
The documentation now covers the new output, completing the Terraform docs.

src/main.tf (6)

4-9: Introduce parameterized networking locals
The new external_vpc_id, networking_stack, subnet_ids, and security group locals cleanly map Terraform inputs into CloudFormation parameters using conditional expressions.

---

71-80: Add security_group module for external networking
The module is properly gated by networking_stack == "external" and var.security_group_id == null, with vpc_id driven by conditional locals.

🧰 Tools

🪛 Checkov (3.2.334)

[MEDIUM] 71-80: Ensure Terraform module sources use a commit hash

(CKV_TF_1)

---

82-92: Create security group rules dynamically
Using for_each with md5(jsonencode(rule)) ensures uniqueness, and targeting the unified local.security_group_id is correct per design.

---

113-140: New data sources for VPC and subnets
The aws_vpc, aws_subnets.private, and aws_subnets.public data blocks correctly support external networking by using local.vpc_id.

---

142-153: Conditional locals for network outputs
The bottom locals block elegantly selects between CloudFormation outputs and Terraform data sources based on networking_stack, ensuring consistent values for vpc_id, CIDR block, subnet IDs, and security_group_id.

---

155-159: Data source for NAT Gateways added
Including aws_nat_gateways complements the VPC context and is consistent with existing networking data resources.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

There are no real tests for this component. So we set terratest statuses to successful execution without running any tests

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (6)

README.yaml (1)

47-53: Fill in the external networking example
The "Usage with external networking" section is currently empty. To guide users switching to an external VPC, please add a concrete YAML snippet demonstrating how to set networking_stack = "external", provide vpc_id, subnet_ids, and optionally security_group_id and rules.

README.md (1)

71-76: Populate external networking example block
The new "Usage with external networking" placeholder needs a real-world example. Consider illustrating how to set networking_stack: external, and pass vpc_id, subnet_ids, and security_group_id. Would you like assistance drafting this snippet?

src/variables.tf (1)

81-92: Suggest adding validation for security_group_rules
Currently any string is allowed in the type field. To prevent user errors, add a validation block to ensure type is either "ingress" or "egress".

Example diff:

 variable "security_group_rules" {
   type = list(object({
     type        = string
     from_port   = number
     to_port     = number
     protocol    = string
     cidr_blocks = list(string)
   }))
   description = "Security group rules..."
   nullable    = true
   default     = null
+  validation {
+    condition     = alltrue([for r in var.security_group_rules : contains(["ingress","egress"], r.type)])
+    error_message = "Each security_group_rules.type must be either 'ingress' or 'egress'."
+  }
 }

src/README.md (3)

19-46: Clarify inline comment verbosity in Defaults snippet
The Private: always inline comment in the example (lines 39–45) is quite verbose and may distract from the core snippet. Consider moving this explanation to the variable’s description further down (Inputs table) or simplifying it, for example:

-          Private: always # always | true | false - Always will default place in private subnet...
+          Private: always  # Placement strategy: always | true | false

---

283-299: Minor grammar & punctuation improvements
Several input descriptions (lines 283–299) have missing commas/periods or colon usage issues. A quick proofread to ensure each sentence ends with a period and prepositions/colons follow style guidelines will improve readability.

🧰 Tools

🪛 LanguageTool

[uncategorized] ~283-~283: A period might be missing here.
Context: ...s_list_of_maps. Not added to tagsorid`.
This is for some rare cases wher...

(AI_EN_LECTOR_MISSING_PUNCTUATION_PERIOD)

---

[uncategorized] ~284-~284: A comma might be missing here.
Context: ...(e.g. workers or cluster) to add to id,
in the order they appear in the ...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

---

[grammar] ~289-~289: Did you mean “too false to”?
Context: ..."> enabled | Set to false to prevent the module from creating any re...

(TOO_ADJECTIVE_TO)

---

[grammar] ~291-~291: The verb ‘keep’ seems to be in the wrong form here.
Context: ... for unlimited length.
Set to null for keep the existing setting, which defaults to...

(FOR_VB)

---

[typographical] ~296-~296: Consider adding a comma after ‘Usually’ for more clarity.
Context: ... name | ID element. Usually the component or solution name, e.g. 'a...

(RB_LY_COMMA)

---

[uncategorized] ~296-~296: Possible missing preposition found.
Context: ...ID element not also included as a tag.
The "name" tag is set to the full id s...

(AI_EN_LECTOR_MISSING_PREPOSITION)

---

[typographical] ~297-~297: Consider adding a comma after ‘Usually’ for more clarity.
Context: ...space](#input_namespace) | ID element. Usually an abbreviation of your organization na...

(RB_LY_COMMA)

---

[typographical] ~299-~299: Do not use a colon (:) before a series that is introduced by a preposition (‘of’). Remove the colon or add a noun or a noun phrase after the preposition.
Context: ... stack creation fails. This must be one of: DO_NOTHING, ROLLBACK, or DELETE |...

(RP_COLON)

🪛 markdownlint-cli2 (0.17.2)

298-298: Bare URL used
null

(MD034, no-bare-urls)

---

298-306: Group networking inputs for discoverability
The new inputs (networking_stack, vpc_id, subnet_ids, security_group_id, security_group_rules) are spread out in the table. Consider moving them into a contiguous block under an “Networking” sub-section in the Inputs table, and cross-reference the External networking examples to help users find them quickly.

Also applies to: 312-313

🧰 Tools

🪛 LanguageTool

[typographical] ~299-~299: Do not use a colon (:) before a series that is introduced by a preposition (‘of’). Remove the colon or add a noun or a noun phrase after the preposition.
Context: ... stack creation fails. This must be one of: DO_NOTHING, ROLLBACK, or DELETE |...

(RP_COLON)

🪛 markdownlint-cli2 (0.17.2)

298-298: Bare URL used
null

(MD034, no-bare-urls)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 77ff70c and c04f096.

📒 Files selected for processing (7)

• README.md (4 hunks)
• README.yaml (2 hunks)
• src/README.md (5 hunks)
• src/main.tf (3 hunks)
• src/outputs.tf (1 hunks)
• src/remote-state.tf (0 hunks)
• src/variables.tf (1 hunks)

💤 Files with no reviewable changes (1)

• src/remote-state.tf

🧰 Additional context used

🪛 LanguageTool

src/README.md

[uncategorized] ~283-~283: A period might be missing here.
Context: ...s_list_of_maps. Not added to tagsorid`.
This is for some rare cases wher...

(AI_EN_LECTOR_MISSING_PUNCTUATION_PERIOD)

---

[uncategorized] ~284-~284: A comma might be missing here.
Context: ...(e.g. workers or cluster) to add to id,
in the order they appear in the ...

(AI_EN_LECTOR_MISSING_PUNCTUATION_COMMA)

---

[grammar] ~289-~289: Did you mean “too false to”?
Context: ..."> enabled | Set to false to prevent the module from creating any re...

(TOO_ADJECTIVE_TO)

---

[grammar] ~291-~291: The verb ‘keep’ seems to be in the wrong form here.
Context: ... for unlimited length.
Set to null for keep the existing setting, which defaults to...

(FOR_VB)

---

[typographical] ~296-~296: Consider adding a comma after ‘Usually’ for more clarity.
Context: ... name | ID element. Usually the component or solution name, e.g. 'a...

(RB_LY_COMMA)

---

[uncategorized] ~296-~296: Possible missing preposition found.
Context: ...ID element not also included as a tag.
The "name" tag is set to the full id s...

(AI_EN_LECTOR_MISSING_PREPOSITION)

---

[typographical] ~297-~297: Consider adding a comma after ‘Usually’ for more clarity.
Context: ...space](#input_namespace) | ID element. Usually an abbreviation of your organization na...

(RB_LY_COMMA)

---

[typographical] ~299-~299: Do not use a colon (:) before a series that is introduced by a preposition (‘of’). Remove the colon or add a noun or a noun phrase after the preposition.
Context: ... stack creation fails. This must be one of: DO_NOTHING, ROLLBACK, or DELETE |...

(RP_COLON)

🪛 markdownlint-cli2 (0.17.2)

src/README.md

298-298: Bare URL used
null

(MD034, no-bare-urls)

🪛 Checkov (3.2.334)

src/main.tf

[MEDIUM] 71-80: Ensure Terraform module sources use a commit hash

(CKV_TF_1)

🪛 GitHub Actions: Branch

src/main.tf

[error] 114-114: Terraform error: Duplicate local value definition 'vpc_id'. A local value named 'vpc_id' was already defined at main.tf:4,3-90. Local value names must be unique within a module.

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (15)

src/outputs.tf (1)

49-52: Approve new security_group_id output
The addition of the security_group_id output correctly exposes the chosen or created security group ID for downstream modules. It aligns with the new networking model.

README.yaml (1)

15-15: Approve clarification of embedded networking example
Updating the snippet introduction to explicitly call out embedded networking improves clarity for users getting started.

README.md (3)

39-39: Approve embedded networking snippet heading
Making it clear that the example is for embedded networking enhances readability.

---

78-78: Approve new embedded refarch heading
Relocating and renaming the Transit Gateway instructions under "Using embedded networking with refarch components" is clear and consistent.

---

80-80: Approve deprecation label for Transit Gateway
Marking the Transit Gateway setup as deprecated and advising external networking simplifies the guidance.

src/variables.tf (4)

41-50: Approve networking_stack variable
The new networking_stack input with validation strictly enforces allowed values and defaults sensibly to "embedded".

---

52-61: Approve vpc_id variable
Making vpc_id nullable with a validation rule ensures external mode can't be misconfigured.

---

63-72: Approve subnet_ids variable
Requiring subnet_ids when using external networking is well-enforced via the validation block.

---

74-79: Approve security_group_id variable
Allowing users to provide an existing security group or default to creation covers both embedded and external scenarios.

src/main.tf (1)

12-18: Approve merging networking locals into parameters
The merge() invocation cleanly extends the CloudFormation parameters map with networking keys only when provided.

src/README.md (5)

49-74: Embedded networking section is clear and comprehensive
The new “Embedded networking” heading, description, and YAML example correctly illustrate how to set networking_stack: embedded and supply VpcCidrBlock. This aligns well with the feature objective.

---

203-243: External networking examples look solid
The “External networking” section and accompanying _defaults.yaml/runs-on.yaml examples demonstrate how to wire up an existing VPC, subnets, and security group via SSM. Consider adding a brief note about using security_group_rules if consumers need to customize ingress/egress on the supplied group.

---

276-276: Resource addition approved
The new aws_security_group_rule.this entry under Resources will enable fine-grained SG rule management.

---

326-326: Output addition approved
Including security_group_id in Outputs completes the round-trip from input → resource → output. Consumers can now reference the SG directly.

---

266-270:

✅ Verification successful

Verify compatibility of bumped module versions
You’ve bumped iam_policy to 2.0.2 and added security_group 2.2.0. Please confirm these releases are compatible and have no breaking changes for existing consumers.

---

🏁 Script executed:

#!/usr/bin/env bash
# Check available versions for Cloud Posse modules on Terraform Registry
for module in iam-policy security-group; do
  echo "Available versions of $module/aws:"
  curl -s "https://registry.terraform.io/v1/modules/cloudposse/$module/aws/versions" \
    | jq -r '.modules[0].versions[].version'
done

Length of output: 739

---

🏁 Script executed:

#!/usr/bin/env bash
# Fetch CHANGELOG entries for the bumped versions to check for breaking changes
for module in iam-policy security-group; do
  if [ "$module" = "iam-policy" ]; then
    repo="terraform-aws-iam-policy"
    version="2.0.2"
  else
    repo="terraform-aws-security-group"
    version="2.2.0"
  fi

  echo "=== Changelog for $module (v$version) ==="
  curl -s "https://raw.githubusercontent.com/cloudposse/${repo}/v${version}/CHANGELOG.md" \
    | sed -n '1,50p'
  echo
done

Length of output: 727

---

🏁 Script executed:

#!/usr/bin/env bash
# Check GitHub releases for release notes on the bumped versions
repos=("terraform-aws-iam-policy" "terraform-aws-security-group")
versions=("2.0.2" "2.2.0")

for i in "${!repos[@]}"; do
  repo="${repos[$i]}"
  version="${versions[$i]}"
  echo "=== Checking releases for $repo @ $version ==="

  found=false
  for tag in "v${version}" "${version}"; do
    echo "-- Attempting tag '$tag' --"
    response=$(curl -s "https://api.github.com/repos/cloudposse/$repo/releases/tags/$tag")
    tag_name=$(echo "$response" | jq -r '.tag_name // empty')
    if [ -n "$tag_name" ]; then
      echo "Found release: $tag_name"
      echo "Release notes (first 20 lines):"
      echo "$response" | jq -r '.body' | head -n 20
      found=true
      break
    else
      echo "No release found for tag '$tag'"
    fi
  done

  if ! $found; then
    echo "⚠️  Could not locate a GitHub release for $repo@$version. Please check the repository directly."
  fi
  echo
done

Length of output: 33027

---

Module versions 2.0.2 and 2.2.0 have no breaking changes
Release notes for both bumped modules do not list any breaking changes:

• iam-policy v2.0.2 – adds support for policy attachments (new feature only)
• security-group v2.2.0 – minor fixes (editorconfig typo, template sync)

Both upgrades are safe to merge.

[dudymas]

/terratest

[dudymas]

/terratest

[dudymas]

/terratest

[mergify]

💥 This pull request now has conflicts. Could you fix it @dudymas? 🙏

[Copilot]

Pull Request Overview

This PR introduces support for an external networking stack alongside the existing embedded option, cleans up unused VPC peering state, and updates documentation and outputs to reflect the new parameters.

• Added networking_stack, vpc_id, subnet_ids, security_group_id, and security_group_rules variables with conditional validation
• Removed the VPC peering remote-state module and introduced a security_group module plus associated data sources and rules
• Updated outputs and README (both Markdown and YAML) to document embedded vs. external networking usage

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/variables.tf	Defined new networking variables (networking_stack, vpc_id, subnet_ids, etc.)
src/remote-state.tf	Removed deprecated VPC peering remote-state module
src/main.tf	Added locals for external networking, security group module, AWS data sources, and merge logic
src/outputs.tf	Added security_group_id to outputs
src/README.md	Expanded usage section with embedded/external networking examples
README.yaml	Synced metadata and usage updates for external networking
README.md	Mirrored README changes to root file

Comments suppressed due to low confidence (3)

src/main.tf:77

• local.vpc_id is referenced before it's declared (the later locals block defines it). Consider using var.vpc_id directly or moving the local.vpc_id definition into the first locals block so it's available here.

  vpc_id = local.vpc_id

src/main.tf:85

• local.security_group_id isn't defined in the initial locals block, causing a reference error here. You may want to coalesce var.security_group_id and module.security_group.id or define this local earlier.

  security_group_id = local.security_group_id

src/variables.tf:81

• Add a validation block for security_group_rules to enforce that each rule's type is only "ingress" or "egress", preventing invalid inputs.

variable "security_group_rules" {

[Benbentwo]

Marking this as major label because we are deprecating (with no backwards compatibility) the vpc_peering_component and this introduces a new way to set up runs-on with pre-built networking

[milldr]

LGTM, but merge is blocked until we add tests

[github-actions]

These changes were released in v2.0.0.