Move ingress/egress to aws_security_group_rule in rds

thattommyhall · thattommyhall · commit 032afe3937d0 · 2017-04-19T16:14:27.000+01:00
When I make an RDS instance, it kept saying it needed to change stuff.
This is also best practice from what I can tell (if users of the module
need to add rules to the SG also)
diff --git a/rds/main.tf b/rds/main.tf
@@ -87,32 +87,40 @@ variable "subnet_ids" {
   type        = "list"
 }
 
-resource "aws_security_group" "main" {
-  name        = "${var.name}-rds"
-  description = "Allows traffic to RDS from other security groups"
-  vpc_id      = "${var.vpc_id}"
+resource "aws_security_group_rule" "main-ingress-cidrs" {
+  security_group_id = "${aws_security_group.main.id}"
+  type              = "ingress"
+  cidr_blocks       = ["${var.ingress_allow_cidr_blocks}"]
+  from_port         = "${var.port}"
+  to_port           = "${var.port}"
+  protocol          = "TCP"
+}
 
-  ingress {
-    from_port       = "${var.port}"
-    to_port         = "${var.port}"
-    protocol        = "TCP"
-    security_groups = ["${var.ingress_allow_security_groups}"]
-  }
+resource "aws_security_group_rule" "main-ingress-sgs" {
+  security_group_id        = "${aws_security_group.main.id}"
+  type                     = "ingress"
+  count                    = "${length(var.ingress_allow_security_groups)}"
+  source_security_group_id = "${element(var.ingress_allow_security_groups, count.index)}"
 
-  ingress {
-    from_port   = "${var.port}"
-    to_port     = "${var.port}"
-    protocol    = "TCP"
-    cidr_blocks = ["${var.ingress_allow_cidr_blocks}"]
-  }
+  from_port                = "${var.port}"
+  to_port                  = "${var.port}"
+  protocol                 = "TCP"
+}
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = -1
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_security_group_rule" "main-egress-all" {
+  security_group_id = "${aws_security_group.main.id}"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = -1
+  cidr_blocks       = ["0.0.0.0/0"]
+}
 
+
+resource "aws_security_group" "main" {
+  name        = "${var.name}-rds"
+  description = "Allows traffic to RDS from other security groups"
+  vpc_id      = "${var.vpc_id}"
   tags {
     Name = "RDS (${var.name})"
   }
