
How can I check a reference for a particular property? #234

Closed
melcloud opened this issue Mar 7, 2020 · 10 comments
Labels: enhancement, waiting for confirmation (Workaround/Fix applied, waiting for confirmation)

Comments

@melcloud

melcloud commented Mar 7, 2020

Question:
Given I have the following tf, how can I write a When step to filter security group rules that belong to aws_security_group.alb only? If I use `When its reference is aws_security_group.alb`, it will also pick up aws_security_group_rule.alb_ecs_ingress.

resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "Act as identifier of this ALB to be used as source security group in other rules. Allows outbound traffic back to origin network"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "alb_ingress_self" {
  type              = "ingress"
  description       = "Allow ALB to communicate with itself (ingress)"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  self              = true
}

resource "aws_security_group_rule" "alb_egress_self" {
  type              = "egress"
  description       = "Allow ALB to communicate with itself (egress)"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  self              = true
}

resource "aws_security_group" "alb_ecs" {
  name        = "alb-ecs-access"
  description = "Allow ALB access to ECS task(s)"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "alb_ecs_ingress" {
  type                     = "ingress"
  description              = "Allow ALB to communicate with ECS tasks on port 8080"
  security_group_id        = aws_security_group.alb_ecs.id
  protocol                 = "tcp"
  from_port                = 8080
  to_port                  = 8080
  source_security_group_id = aws_security_group.alb.id
}
@eerkunt
Member

eerkunt commented Mar 7, 2020

Hi,

Instead of reference you should use address like,

When its address is alb

or

When its address is aws_security_group.alb

Sorry, I couldn't remember which one; I am on mobile right now :(

@eerkunt
Member

eerkunt commented Mar 7, 2020

Additionally, it will always pick up the linked/mounted resources on it, since they act as one resource.

In order to avoid this problem we may define a new tag like ;

@nomount
Given I have aws_security_group defined

Of course the tag name could be many things :)

@eerkunt
Member

eerkunt commented Mar 7, 2020

Is it possible to give a bit more detail about the use case ?

@melcloud
Author

melcloud commented Mar 7, 2020

Thanks for the quick reply. 🙂 The use case is to check whether we only have three rules for alb, and that each of them has the correct port and source security group. The other use case is that I want to check whether a security group has an egress aws_security_group_rule.

@melcloud
Author

melcloud commented Mar 7, 2020

It is good to know it will pick up linked resources on alb. I may give that a go, thanks a lot 🙂

@melcloud
Author

melcloud commented Mar 7, 2020

Sorry, I still don't quite get it. What I want to do is:

  Scenario Outline: Application load balancer security group allows load balancer to communicate with itself
    Given I have aws_security_group_rule defined
    When its reference is aws_security_group.alb
    And its type is <type>
    Then its protocol must be tcp
    And its from_port must be 0
    And its to_port must be 65535
    And it must contain self
    And its value must be true

    Examples:
      | type      |
      | ingress |
      | egress  |

This obviously failed, as aws_security_group_rule.alb_ecs_ingress also references aws_security_group.alb. So I want to filter this based on the security_group_id property, something like `When its security_group_id has reference aws_security_group.alb`.

@eerkunt
Member

eerkunt commented Mar 9, 2020

Sorry for the late response. It fails, exactly for the reason you said. It mounts security_group_id and source_security_group_id simultaneously.

In order to solve this problem, a bit of refactoring is required since we keep the references as a list right now like ['aws_security_group.alb', 'aws_security_group.alb_ecs']. I will change this to a key:value pair where we will track which parameter is referenced to which and will refactor steps a bit to understand this new structure.

Possibly there will be a slight improvement in ;

When its reference is aws_security_group.alb

where you can use it as is, or give a key/value pair like ;

When its security_group_id reference is aws_security_group.alb
         ^^^^^^^^^^^^^^^^^

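To make the list-versus-mapping distinction concrete, here is an added Python example. It is not terraform-compliance's own code; it reads a `terraform show -json` plan, builds the per-attribute reference structure eerkunt describes (address -> attribute -> referenced resources) alongside the flat list view, and runs the checks from melcloud's Scenario Outline against it. The plan fragment is constructed to match the HCL in the question, the function names are hypothetical, and the helper assumes root-module resources without count/for_each indexes.

```python
"""Per-attribute reference tracking for Terraform plan JSON (hypothetical helper,
not terraform-compliance's implementation)."""
import json
from typing import Dict, List, Optional, Set

# Constructed plan fragment mirroring `terraform show -json` output for the HCL in
# the issue. Only the fields used below are present; values live under
# resource_changes[].change.after, references under configuration[].expressions.
PLAN_JSON = r'''
{"resource_changes": [
  {"address": "aws_security_group_rule.alb_ingress_self", "type": "aws_security_group_rule",
   "change": {"after": {"type": "ingress", "protocol": "tcp", "from_port": 0, "to_port": 65535, "self": true}}},
  {"address": "aws_security_group_rule.alb_egress_self", "type": "aws_security_group_rule",
   "change": {"after": {"type": "egress", "protocol": "tcp", "from_port": 0, "to_port": 65535, "self": true}}},
  {"address": "aws_security_group_rule.alb_ecs_ingress", "type": "aws_security_group_rule",
   "change": {"after": {"type": "ingress", "protocol": "tcp", "from_port": 8080, "to_port": 8080, "self": false}}}
 ],
 "configuration": {"root_module": {"resources": [
  {"address": "aws_security_group_rule.alb_ingress_self",
   "expressions": {"security_group_id": {"references": ["aws_security_group.alb.id", "aws_security_group.alb"]}}},
  {"address": "aws_security_group_rule.alb_egress_self",
   "expressions": {"security_group_id": {"references": ["aws_security_group.alb.id", "aws_security_group.alb"]}}},
  {"address": "aws_security_group_rule.alb_ecs_ingress",
   "expressions": {"security_group_id": {"references": ["aws_security_group.alb_ecs.id", "aws_security_group.alb_ecs"]},
                   "source_security_group_id": {"references": ["aws_security_group.alb.id", "aws_security_group.alb"]}}}
 ]}}}
'''


def load_plan() -> dict:
    return json.loads(PLAN_JSON)


def resource_address(ref: str) -> str:
    """'aws_security_group.alb.id' -> 'aws_security_group.alb'.
    Assumes root-module, non-indexed addresses (type.name[.attr...])."""
    return ".".join(ref.split(".")[:2])


def reference_map(plan: dict) -> Dict[str, Dict[str, Set[str]]]:
    """The key:value structure: address -> {attribute -> referenced resource addresses}."""
    out: Dict[str, Dict[str, Set[str]]] = {}
    for res in plan["configuration"]["root_module"]["resources"]:
        attrs: Dict[str, Set[str]] = {}
        for attr, expr in res.get("expressions", {}).items():
            refs = {resource_address(r) for r in expr.get("references", [])}
            if refs:
                attrs[attr] = refs
        out[res["address"]] = attrs
    return out


def flat_references(plan: dict) -> Dict[str, Set[str]]:
    """The old attribute-agnostic view: everything a resource references anywhere.
    This is why alb_ecs_ingress matches 'its reference is aws_security_group.alb'."""
    return {addr: set().union(*attrs.values()) for addr, attrs in reference_map(plan).items()}


def rules_referencing(plan: dict, target: str, attribute: Optional[str] = None) -> List[dict]:
    """attribute=None  -> 'When its reference is <target>'
    attribute='x'     -> 'When its x reference is <target>'"""
    refmap = reference_map(plan)
    selected = []
    for change in plan["resource_changes"]:
        if change["type"] != "aws_security_group_rule":
            continue
        attrs = refmap.get(change["address"], {})
        if attribute is None:
            hit = any(target in refs for refs in attrs.values())
        else:
            hit = target in attrs.get(attribute, set())
        if hit:
            selected.append(change)
    return selected


def check_self_rules(plan: dict, sg: str = "aws_security_group.alb") -> Dict[str, List[str]]:
    """melcloud's Scenario Outline: every rule attached to `sg` via security_group_id must be
    tcp, ports 0-65535, self = true. Returns address -> list of failing attributes."""
    results: Dict[str, List[str]] = {}
    for change in rules_referencing(plan, sg, attribute="security_group_id"):
        after = change["change"]["after"]
        expected = {"protocol": "tcp", "from_port": 0, "to_port": 65535, "self": True}
        results[change["address"]] = [k for k, v in expected.items() if after.get(k) != v]
    return results


if __name__ == "__main__":
    p = load_plan()
    print("flat match:", [c["address"] for c in rules_referencing(p, "aws_security_group.alb")])
    print("keyed match:", [c["address"] for c in rules_referencing(p, "aws_security_group.alb", "security_group_id")])
    print("self-rule check:", check_self_rules(p))
```

With the flat view, alb_ecs_ingress is selected because its `source_security_group_id` points at the ALB group; keying the match on `security_group_id` drops it, and the port/protocol/self check then only sees the two rules that are actually attached to aws_security_group.alb.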
@eerkunt eerkunt self-assigned this Mar 9, 2020
@eerkunt eerkunt added the "ready for release" label (Fix/Enhancement is implemented, will be released in next release cycle) Mar 16, 2020
@eerkunt
Member

eerkunt commented Mar 30, 2020

Been waiting for #229 too long. Releasing new version.

@eerkunt
Member

eerkunt commented Mar 30, 2020

Can you have a try with 1.1.13 please ?

@eerkunt eerkunt added the "waiting for confirmation" label (Workaround/Fix applied, waiting for confirmation) and removed the "ready for release" label (Fix/Enhancement is implemented, will be released in next release cycle) Mar 30, 2020
@melcloud melcloud closed this as completed Apr 2, 2020
@ghost

ghost commented Apr 2, 2020

This issue's conversation is now locked. If you want to continue this discussion please open a new issue.

@ghost ghost locked and limited conversation to collaborators Apr 2, 2020