From d8ddd054fc24128a836ccfe78060c40e2bd501c4 Mon Sep 17 00:00:00 2001
From: akocbek <106765658+akocbek@users.noreply.github.com>
Date: Thu, 21 Sep 2023 15:24:02 +0100
Subject: [PATCH] fix: add input validation for security group creation (#538)

---
 README.md | 2 +-
 module-metadata.json | 5 ++---
 outputs.tf | 2 +-
 security_group.tf | 8 ++++++--
 variables.tf | 2 +-
 5 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index b7b5dd2a..1c003c88 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,7 @@ No modules.
 | [secondary\_security\_groups](#input\_secondary\_security\_groups) | IDs of additional security groups to be added to VSI deployment secondary interfaces. A VSI interface can have a maximum of 5 security groups. |
list(| `[]` | no | | [secondary\_subnets](#input\_secondary\_subnets) | List of secondary network interfaces to add to vsi secondary subnets must be in the same zone as VSI. This is only recommended for use with a deployment of 1 VSI. |
object({
security_group_id = string
interface_name = string
})
)
list(| `[]` | no | | [secondary\_use\_vsi\_security\_group](#input\_secondary\_use\_vsi\_security\_group) | Use the security group created by this module in the secondary interface | `bool` | `false` | no | -| [security\_group](#input\_security\_group) | Security group created for VSI |
object({
name = string
id = string
zone = string
cidr = string
})
)
object({| n/a | yes | +| [security\_group](#input\_security\_group) | Security group created for VSI |
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})
object({| `null` | no | | [security\_group\_ids](#input\_security\_group\_ids) | IDs of additional security groups to be added to VSI deployment primary interface. A VSI interface can have a maximum of 5 security groups. | `list(string)` | `[]` | no | | [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Storage Blocks to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the existing\_kms\_instance\_guid variable. In addition, no policy is created if var.kms\_encryption\_enabled is set to false. | `bool` | `false` | no | | [ssh\_key\_ids](#input\_ssh\_key\_ids) | ssh key ids to use in creating vsi | `list(string)` | n/a | yes | diff --git a/module-metadata.json b/module-metadata.json index 4dd1f9ed..6546bd7b 100644 --- a/module-metadata.json +++ b/module-metadata.json @@ -236,7 +236,6 @@ "name": "security_group", "type": "object({\n name = string\n rules = list(\n object({\n name = string\n direction = string\n source = string\n tcp = optional(\n object({\n port_max = number\n port_min = number\n })\n )\n udp = optional(\n object({\n port_max = number\n port_min = number\n })\n )\n icmp = optional(\n object({\n type = number\n code = number\n })\n )\n })\n )\n })", "description": "Security group created for VSI", - "required": true, "pos": { "filename": "variables.tf", "line": 124 @@ -572,7 +571,7 @@ }, "pos": { "filename": "security_group.tf", - "line": 26 + "line": 32 } }, "ibm_is_security_group_rule.security_group_rules": { @@ -584,7 +583,7 @@ }, "pos": { "filename": "security_group.tf", - "line": 63 + "line": 67 } }, "ibm_is_volume.volume": { diff --git a/outputs.tf b/outputs.tf index b509912e..d193b753 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -12,7 +12,7 @@ output "ids" { output "vsi_security_group" { description = "Security group for the VSI" - value = var.security_group == null ? null : ibm_is_security_group.security_group[var.security_group.name] + value = var.security_group != null && var.create_security_group == true ? ibm_is_security_group.security_group[var.security_group.name] : null } output "list" { diff --git a/security_group.tf b/security_group.tf index 98f1466d..b01f2528 100644 --- a/security_group.tf +++ b/security_group.tf @@ -21,6 +21,12 @@ locals { for group in local.security_groups : (group.name) => group } + + # input variable validation + # tflint-ignore: terraform_unused_declarations + validate_security_group = var.create_security_group == false && var.security_group != null ? tobool("var.security_group should be null when var.create_security_group is false. Use var.security_group_ids to add security groups to VSI deployment primary interface.") : true + # tflint-ignore: terraform_unused_declarations + validate_security_group_2 = var.create_security_group == true && var.security_group == null ? tobool("var.security_group cannot be null when var.create_security_group is true.") : true } resource "ibm_is_security_group" "security_group" { @@ -58,8 +64,6 @@ locals { } } - - resource "ibm_is_security_group_rule" "security_group_rules" { for_each = local.security_group_rules group = ibm_is_security_group.security_group[each.value.sg_name].id diff --git a/variables.tf b/variables.tf index c0e0d78d..22d0cecc 100644 --- a/variables.tf +++ b/variables.tf @@ -172,7 +172,7 @@ variable "security_group" { ) ) == 0 } - + default = null } variable "security_group_ids" {
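Review bot: The new `vsi_security_group` value compares a boolean variable against a literal (`var.create_security_group == true`), and the same `== false` / `== true` comparisons appear in the two `validate_security_group*` locals added in security_group.tf; HCL conditionals take the boolean directly, so the literal adds nothing. Suggested line: `value = var.create_security_group && var.security_group != null ? ibm_is_security_group.security_group[var.security_group.name] : null`, and `!var.create_security_group && var.security_group != null` / `var.create_security_group && var.security_group == null` for the locals. Gating the output on the creation flag is the right call, since the validation in security_group.tf now rejects a non-null `security_group` when the flag is false, so the two conditions cannot disagree.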
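Review bot: The added `# input variable validation` comment does not say why the check exists or how it fails, and the `tflint-ignore` lines hide the fact that these locals are deliberately unreferenced; a maintainer reading the `locals` block (which starts outside this hunk) needs both. Suggested replacement for the comment: `# Cross-variable validation, done here because a variable validation block can only reference its own variable. Each local stays unreferenced; tobool() on a non-"true"/"false" string fails at plan time with the message embedded in the error. Presumably a security_group supplied with create_security_group = false would otherwise be silently ignored, leaving the VSI without the intended rules.` The "presumably" part should be confirmed against how `local.security_groups` is derived, which is not visible here. The second hunk in this file only removes two blank lines.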
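Review bot: Adding `default = null` to `variable "security_group"` makes the existing `validation` block run against a null value, and the visible tail of its condition (`) ) == 0`) looks like an expression over `var.security_group.rules`; if that condition does not already start with a null guard, a null value would fail the attribute lookup rather than pass validation. The condition itself begins outside this hunk, so this needs checking there; the guard would be `condition = var.security_group == null || (` followed by the existing expression and a closing `)`. The README (`n/a | yes` → `null | no`) and the removed `"required": true` in module-metadata.json are consistent with the new default.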
name = string
rules = list(
object({
name = string
direction = string
source = string
tcp = optional(
object({
port_max = number
port_min = number
})
)
udp = optional(
object({
port_max = number
port_min = number
})
)
icmp = optional(
object({
type = number
code = number
})
)
})
)
})