Releases: aidanmelen/terraform-aws-security-group-v2
v2.1.2
Fixes
Fix the issue where the module reported `Note: Objects have changed outside of Terraform` on the second plan/apply even though no changes had been made. The drift reported is the security group's own computed `ingress` attribute picking up a rule that the module manages as a separate `aws_security_group_rule` resource, as in this plan output from the basic example:
```
data.aws_vpc.default: Reading...
data.aws_vpc.default: Read complete after 0s [id=vpc-111111111]
module.security_group.aws_security_group.self[0]: Refreshing state... [id=sg-1111111111111111]
module.security_group.aws_security_group_rule.ingress["443-443-tcp-10.0.0.0/24-2600:1f13:b21:6500::/56"]: Refreshing state... [id=sgrule-195631393]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.security_group.aws_security_group.self[0] has changed
  ~ resource "aws_security_group" "self" {
        id                     = "sg-1111111111111111"
      ~ ingress                = [
          + {
              + cidr_blocks      = []
              + description      = "HTTPS"
              + from_port        = 443
              + ipv6_cidr_blocks = [
                  + "2600:1f13:b21:6500::/56",
                ]
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 443
            },
            # (1 unchanged element hidden)
        ]
        name                   = "ex-basic"
        tags                   = {
            "Name" = "ex-basic"
        }
        # (7 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.
```
Full Changelog: v2.1.0...v2.1.2
v2.1.0
Proposed Changes
- added support for a `source_security_group_ids` list for `ingress`, `egress`, `matrix_ingress`, and `matrix_egress` module rules.
- updated the complete example to include a security group rule resource that uses rule aliases exported from the module.
Full Changelog: v2.0.2...v2.1.0
v2.0.2
v2.0.1
What's Changed
- added `unpack = true` to the basic example and updated the test.
- #29: Improve managed and common rule alias error messaging
- #30: Add managed and common rule alias documentation
Full Changelog: v2.0.0...v2.0.1
v2.0.0
What's Changed
- V2.0.0 by @aidanmelen in #28
Breaking Change (Service Interruption)
Existing security group rules will be replaced during the upgrade for two reasons:
- With the `unpack` enhancement, the module now normalizes rules (i.e. looks up the values of managed and common rules) before creating the map keys, and keys now have a predefined order. As a consequence, existing `ingress`, `egress`, `matrix_ingress`, and `matrix_egress` module rules created with v1.3.0 and earlier will be replaced when upgrading to v2.0.0. This technically isn't a breaking code change, because the rules are simply recreated under a new key; however, destroying and recreating a rule can cause a service interruption, so the major release indicates that caution should be taken when upgrading. Upgrading is highly recommended, because all previous versions suffer from the service-interruption side effect caused by changing packed rule arguments, and upgrading prevents it from happening again after the upgrade.
- Rules that use managed or common (aliased) rules and do not override `description` will see the rule with the `managed by Terraform` description replaced by the new alias rule description. Rules that specify a `description` take precedence over `rule_alias.description` and will not change. Please see Argument Precedence for more information.
Full Changelog: v1.3.0...v2.0.0
v1.3.0
What's Changed
- Added a `name_prefix` example that uses `lifecycle.create_before_destroy` by @aidanmelen in #19
Note: Security groups created with the `name` argument are not affected by this change. However, security groups using the `name_prefix` argument and upgrading from module version v1.2.0 and earlier will see the following resource replacement:
module.security_group.aws_security_group.self[0] -> module.security_group.aws_security_group.self_with_name_prefix[0]
Please see Terraform conditionally apply lifecycle block for more information about this implementation decision.
If you want to avoid the security group replacement, you must manually move the resource in state from the old address to the new one (for example with `terraform state mv`) before applying the upgrade.
Full Changelog: v1.2.0...v1.3.0
v1.2.0
What's Changed
- added default name tag. added confluent managed rules by @aidanmelen in #18
Full Changelog: v1.1.0...v1.2.0
v1.1.0
What's Changed
- v1.1.0 by @aidanmelen in #17
- moved tfsec ignores from the module to the examples.
- created a test for common rules.
- refactored managed and common rules into dedicated locals that are later merged into `local.rules`.
- added automation for updating the code example versions.
- added the `default_rule_description` variable.
- refactored to use dot lookup syntax for readability.
- added short-hand managed rules: `https`, `http`.
- added short-hand common rules: `https-tcp-public`, `http-tcp-public`, `https-public`, `http-public`.
Full Changelog: v1.0.0...v1.1.0
v1.0.0
What's Changed
- feat: Rule Matrix by @aidanmelen in #16
For example:
```hcl
matrix_ingress = {
  rules = [
    {
      rule = "https-443-tcp"
    },
    {
      from_port = 80
      to_port   = 80
      protocol  = "tcp"
    }
  ]
  cidr_blocks = ["10.0.0.0/24", "10.0.1.0/24"]
  # ipv6_cidr_blocks = []
  prefix_list_ids           = ["pl-1111111111"]
  source_security_group_ids = "sg-1111111111"
  # self = false
}
```
this will create 6 rules:
- `https-443-tcp` from `["10.0.0.0/24", "10.0.1.0/24"]` and `["pl-1111111111"]`
- `https-443-tcp` from `sg-1111111111`
- `80-80-tcp` from `["10.0.0.0/24", "10.0.1.0/24"]` and `["pl-1111111111"]`
- `80-80-tcp` from `sg-1111111111`
Uncommenting `ipv6_cidr_blocks` and `self` will create even more matrix rules.
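The following is an added example (Python, not the module's own HCL and not code from this project) that works through the matrix expansion described in the v1.0.0 note above together with the v2.0.0 unpack/normalization note and the v2.1.0 `source_security_group_ids` list. It resolves rule aliases before building keys, builds each map key in the order visible in the v2.1.2 plan output (`443-443-tcp-10.0.0.0/24-2600:1f13:b21:6500::/56`), expands a matrix block (accepting either the single ID of v1.0.0 or the v2.1.0 list), and diffs the keys of two versions of the inputs to predict which rules a plan will destroy and create. Assumptions not stated on the release page and marked as such in the code: the alias table beyond `https-443-tcp`, that a matrix emits one rule per source kind, and where prefix lists, source security groups and `self` sit in a key.

```python
"""Predict the rule map keys that this module derives from its inputs, so a
plan can be checked for rule destroy/create before it is applied.

Added example; not code from aidanmelen/terraform-aws-security-group-v2.
Assumptions not stated on the release page are marked ASSUMED below.
"""
from __future__ import annotations

# ASSUMED alias table: https-443-tcp is named on the page; http-80-tcp and the
# short-hands https/http (added in v1.1.0) are modelled on it.
RULE_ALIASES = {
    "https-443-tcp": {"from_port": 443, "to_port": 443, "protocol": "tcp", "description": "HTTPS"},
    "http-80-tcp": {"from_port": 80, "to_port": 80, "protocol": "tcp", "description": "HTTP"},
    "https": "https-443-tcp",
    "http": "http-80-tcp",
}

SOURCE_KINDS = ("cidr_blocks", "ipv6_cidr_blocks", "prefix_list_ids")


def normalize(rule: dict) -> dict:
    """Resolve a `rule = "<alias>"` entry into explicit ports and protocol.

    This is the v2.0.0 'unpack' step that now runs before keys are built.
    Arguments the user sets (e.g. description) take precedence over the alias.
    """
    rule = dict(rule)
    alias = rule.pop("rule", None)
    resolved: dict = {}
    while alias is not None:
        entry = RULE_ALIASES.get(alias)
        if entry is None:
            raise ValueError(f"unknown rule alias {alias!r}")
        if isinstance(entry, str):  # short-hand -> canonical alias
            alias = entry
        else:
            resolved, alias = dict(entry), None
    return {**resolved, **rule}


def rule_key(rule: dict) -> str:
    """Map key in a predefined order: from-to-protocol, then the sources.

    The CIDR / IPv6 CIDR order matches the key in the v2.1.2 plan output;
    where prefix lists, the source SG and self are appended is ASSUMED.
    """
    r = normalize(rule)
    parts = [str(r["from_port"]), str(r["to_port"]), str(r["protocol"])]
    for kind in SOURCE_KINDS:
        parts.extend(r.get(kind, []))
    if r.get("source_security_group_id"):
        parts.append(r["source_security_group_id"])
    if r.get("self"):
        parts.append("self")
    return "-".join(parts)


def expand_matrix(matrix: dict) -> list[dict]:
    """Expand a matrix_ingress / matrix_egress block into individual rules.

    ASSUMED grouping: one rule per source kind, one per source security
    group (an aws_security_group_rule carries a single source SG), and one
    for self. For the v1.0.0 input this yields the 6 rules the note counts.
    """
    sgs = matrix.get("source_security_group_ids") or []
    if isinstance(sgs, str):  # v1.0.0 took a single ID; v2.1.0 made it a list
        sgs = [sgs]
    out = []
    for base in matrix["rules"]:
        for kind in SOURCE_KINDS:
            if matrix.get(kind):
                out.append({**base, kind: list(matrix[kind])})
        for sg in sgs:
            out.append({**base, "source_security_group_id": sg})
        if matrix.get("self"):
            out.append({**base, "self": True})
    return out


def replacement_plan(before: list[dict], after: list[dict]) -> tuple[set[str], set[str]]:
    """Keys a plan would destroy and create when the inputs change.

    A rule whose key changes is destroyed and recreated, which is the
    service-interruption case the v2.0.0 note warns about; a new key beside
    an unchanged one is only created.
    """
    old = {rule_key(r) for r in before}
    new = {rule_key(r) for r in after}
    return old - new, new - old


# Constructed input: the matrix from the v1.0.0 note.
MATRIX = {
    "rules": [{"rule": "https-443-tcp"}, {"from_port": 80, "to_port": 80, "protocol": "tcp"}],
    "cidr_blocks": ["10.0.0.0/24", "10.0.1.0/24"],
    "prefix_list_ids": ["pl-1111111111"],
    "source_security_group_ids": "sg-1111111111",
}

if __name__ == "__main__":
    for r in expand_matrix(MATRIX):
        print(rule_key(r))
    https = {"rule": "https", "cidr_blocks": ["10.0.0.0/24"],
             "ipv6_cidr_blocks": ["2600:1f13:b21:6500::/56"]}
    # Widening cidr_blocks in place changes the key: destroy + create.
    print(replacement_plan([https], [{**https, "cidr_blocks": ["10.0.0.0/24", "10.0.2.0/24"]}]))
```

Running the script prints the six keys for the v1.0.0 matrix and then the destroy/create sets for widening an existing rule's `cidr_blocks`. The check to take away is the last one: editing a packed argument of an existing rule changes its key, so the plan shows a destroy followed by a create (a brief window with no rule), whereas adding the new CIDR as a separate rule entry produces only a create.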
Full Changelog: v0.6.3...v1.0.0
v0.6.3
Fixes
Breaking
Updated common rules to be consistent with managed rules:
ingress
- `all-from-self` -> `all-all-from-self`
- `https-from-public` -> `https-tcp-from-public`
- `http-from-public` -> `http-tcp-from-public`
- `icmp-from-public` -> `all-icmp-from-public`
- `ping-from-public` -> `all-ping-from-public`
egress
- `all-to-self` -> `all-all-to-self`
- `all-to-public` -> `all-all-to-public`
Proposed Changes
- update docs
- update the basic example to recreate the basic example from the `aws_security_group` resource.
- added short-hand rules `http-tcp` and `https-tcp`, for when the user assumes `http` is port `80` and `https` is port `443`
Full Changelog: v0.6.2...v0.6.3