Allow more flexibility with SG rules and IAM policies #1
This PR contains a few changes to add flexibility in managing the Security Group and Instance Role attached to the satellite instances.

Changes

Move Ingress/Egress fields in SG definition to explicit resources

AWS deprecated the use of the ingress and egress fields in the aws_security_group resource. On the reference page there are both a Warning and a Note discussing how a resource configured to use these fields may have issues managing multiple CIDRs, and it explicitly warns not to use these fields together with specific Ingress/Egress rules. Since we want to be able to attach additional rules, I've moved the existing rules into specific resources.

Added an override variable for SG rule CIDRs

By default the ingress rules use the subnet's CIDR. In our use case this was too restrictive, so I've added a new variable, sg_cidr_override, that if specified will be used as the rule's CIDR instead of the subnet's CIDR.

Changed the instance_profile output to the name instead of ARN

In order to read an instance_profile as data you need to specify its name instead of its ARN. See the data reference page.

Changed the policy attachment method to an explicit attachment resource

AWS notes in the aws_iam_role reference that managed_policy_arns is not compatible with aws_iam_role_policy_attachments. Since we're adding additional policies, the module can't use managed_policy_arns.
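The following Terraform fragment is an added illustration of the four patterns the PR describes; it is not the PR's diff or the module's own code. It assumes the explicit rule resources are the provider's aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule (the PR does not say which resource it used), and the names satellite, extra_policy_arns, subnet_id and the port 443 rule are assumptions chosen for the example.

```hcl
# Added example, not the module's own code. Resource and variable names,
# the provider version and the port 443 rule are assumptions for illustration.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0" # aws_vpc_security_group_*_rule resources require provider v5
    }
  }
}

variable "subnet_id" {
  type = string
}

# Optional override for the ingress rule CIDR; null means "use the subnet's CIDR".
variable "sg_cidr_override" {
  type    = string
  default = null

  validation {
    condition     = var.sg_cidr_override == null || can(cidrhost(var.sg_cidr_override, 0))
    error_message = "sg_cidr_override must be a valid IPv4 CIDR block."
  }
}

# Extra managed policies to attach on top of the module's own (assumed variable).
variable "extra_policy_arns" {
  type    = list(string)
  default = []
}

data "aws_subnet" "satellite" {
  id = var.subnet_id
}

locals {
  # Fall back to the subnet CIDR when no override is supplied.
  ingress_cidr = var.sg_cidr_override != null ? var.sg_cidr_override : data.aws_subnet.satellite.cidr_block
}

# No inline ingress/egress blocks: rules live in separate resources so callers can add more
# without the provider trying to reconcile them against an inline rule set.
resource "aws_security_group" "satellite" {
  name   = "satellite"
  vpc_id = data.aws_subnet.satellite.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "https" {
  security_group_id = aws_security_group.satellite.id
  cidr_ipv4         = local.ingress_cidr
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "all" {
  security_group_id = aws_security_group.satellite.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

resource "aws_iam_role" "satellite" {
  name = "satellite"
  # No managed_policy_arns here: it would conflict with the attachment resources below.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# One attachment resource per policy, so additional policies can be attached from outside.
resource "aws_iam_role_policy_attachment" "extra" {
  for_each   = toset(var.extra_policy_arns)
  role       = aws_iam_role.satellite.name
  policy_arn = each.value
}

resource "aws_iam_instance_profile" "satellite" {
  name = "satellite"
  role = aws_iam_role.satellite.name
}

# Output the name, because data "aws_iam_instance_profile" looks a profile up by name, not ARN.
output "instance_profile" {
  value = aws_iam_instance_profile.satellite.name
}
```

A consumer of the module can then read the profile back with data "aws_iam_instance_profile" { name = module.satellite.instance_profile } and attach further policies with its own aws_iam_role_policy_attachment resources, which is exactly what the inline managed_policy_arns argument would have fought against.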