Revert "feat: use security-group module instead of resource (#79)"

This reverts commit 2652b41.
cloudposse · nitrocode · Nov 10, 2021 · Jul 5, 2021 · Jul 5, 2021 · Jul 5, 2021
commit 4c4f1d04cc69c62effeee5d2f982d969ec58845c
diff --git a/README.md b/README.md
diff --git a/README.yaml b/README.yaml
@@ -51,14 +51,14 @@ usage: |-
     # Cloud Posse recommends pinning every module to a specific version
     # version     = "x.x.x"
 
-    namespace       = "eg"
-    stage           = "test"
-    name            = "app"
-    region          = "us-west-1"
-    vpc_id          = var.vpc_id
-    subnets         = var.private_subnets
-    security_groups = [var.security_group_id]
-    zone_id         = var.aws_route53_dns_zone_id
+    namespace          = "eg"
+    stage              = "test"
+    name               = "app"
+    region             = "us-west-1"
+    vpc_id             = var.vpc_id
+    subnets            = var.private_subnets
+    security_groups    = [var.security_group_id]
+    zone_id            = var.aws_route53_dns_zone_id
   }
   ```
 
@@ -80,5 +80,3 @@ contributors:
     github: "maokomioko"
   - name: "Josh Myers"
     github: "joshmyers"
-  - name: "Vladimir Syromyatnikov"
-    github: "SweetOps"
diff --git a/docs/terraform.md b/docs/terraform.md
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -28,29 +28,10 @@ module "subnets" {
 module "efs" {
   source = "../../"
 
-  region  = var.region
-  vpc_id  = module.vpc.vpc_id
-  subnets = module.subnets.private_subnet_ids
-  security_group_rules = [
-    {
-      type                     = "egress"
-      from_port                = 0
-      to_port                  = 65535
-      protocol                 = "-1"
-      cidr_blocks              = ["0.0.0.0/0"]
-      source_security_group_id = null
-      description              = "Allow all egress trafic"
-    },
-    {
-      type                     = "ingress"
-      from_port                = 2049
-      to_port                  = 2049
-      protocol                 = "tcp"
-      cidr_blocks              = []
-      source_security_group_id = module.vpc.vpc_default_security_group_id
-      description              = "Allow ingress traffic to EFS from trusted Security Groups"
-    }
-  ]
+  region          = var.region
+  vpc_id          = module.vpc.vpc_id
+  subnets         = module.subnets.private_subnet_ids
+  security_groups = [module.vpc.vpc_default_security_group_id]
 
   context = module.this.context
 }
diff --git a/main.tf b/main.tf
@@ -1,6 +1,5 @@
 locals {
-  dns_name               = "${join("", aws_efs_file_system.default.*.id)}.efs.${var.region}.amazonaws.com"
-  security_group_enabled = module.this.enabled && var.security_group_enabled
+  dns_name = "${join("", aws_efs_file_system.default.*.id)}.efs.${var.region}.amazonaws.com"
 }
 
 resource "aws_efs_file_system" "default" {
@@ -21,16 +20,11 @@ resource "aws_efs_file_system" "default" {
 }
 
 resource "aws_efs_mount_target" "default" {
-  count          = module.this.enabled && length(var.subnets) > 0 ? length(var.subnets) : 0
-  file_system_id = join("", aws_efs_file_system.default.*.id)
-  ip_address     = var.mount_target_ip_address
-  subnet_id      = var.subnets[count.index]
-  security_groups = compact(
-    sort(concat(
-      [module.security_group.id],
-      var.security_groups
-    ))
-  )
+  count           = module.this.enabled && length(var.subnets) > 0 ? length(var.subnets) : 0
+  file_system_id  = join("", aws_efs_file_system.default.*.id)
+  ip_address      = var.mount_target_ip_address
+  subnet_id       = var.subnets[count.index]
+  security_groups = [join("", aws_security_group.efs.*.id)]
 }
 
 resource "aws_efs_access_point" "default" {
@@ -57,17 +51,49 @@ resource "aws_efs_access_point" "default" {
   tags = module.this.tags
 }
 
-module "security_group" {
-  source  = "cloudposse/security-group/aws"
-  version = "0.3.1"
+resource "aws_security_group" "efs" {
+  count       = module.this.enabled ? 1 : 0
+  name        = format("%s-efs", module.this.id)
+  description = "EFS Security Group"
+  vpc_id      = var.vpc_id
 
-  use_name_prefix = var.security_group_use_name_prefix
-  rules           = var.security_group_rules
-  vpc_id          = var.vpc_id
-  description     = var.security_group_description
+  lifecycle {
+    create_before_destroy = true
+  }
 
-  enabled = local.security_group_enabled
-  context = module.this.context
+  tags = module.this.tags
+}
+
+resource "aws_security_group_rule" "ingress_security_groups" {
+  count                    = module.this.enabled ? length(var.security_groups) : 0
+  description              = "Allow inbound traffic from existing security groups"
+  type                     = "ingress"
+  from_port                = "2049" # NFS
+  to_port                  = "2049"
+  protocol                 = "tcp"
+  source_security_group_id = var.security_groups[count.index]
+  security_group_id        = join("", aws_security_group.efs.*.id)
+}
+
+resource "aws_security_group_rule" "ingress_cidr_blocks" {
+  count             = module.this.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
+  description       = "Allow inbound traffic from CIDR blocks"
+  type              = "ingress"
+  from_port         = "2049" # NFS
+  to_port           = "2049"
+  protocol          = "tcp"
+  cidr_blocks       = var.allowed_cidr_blocks
+  security_group_id = join("", aws_security_group.efs.*.id)
+}
+
+resource "aws_security_group_rule" "egress" {
+  count             = module.this.enabled ? 1 : 0
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = join("", aws_security_group.efs.*.id)
 }
 
 module "dns" {

diff --git a/outputs.tf b/outputs.tf
@@ -49,16 +49,16 @@ output "network_interface_ids" {
 }
 
 output "security_group_id" {
-  value       = module.security_group.id
+  value       = join("", aws_security_group.efs.*.id)
   description = "EFS Security Group ID"
 }
 
 output "security_group_arn" {
-  value       = module.security_group.arn
+  value       = join("", aws_security_group.efs.*.arn)
   description = "EFS Security Group ARN"
 }
 
 output "security_group_name" {
-  value       = module.security_group.name
+  value       = join("", aws_security_group.efs.*.name)
   description = "EFS Security Group name"
 }
diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go
@@ -66,17 +66,7 @@ func TestExamplesComplete(t *testing.T) {
 
 	// Run `terraform output` to get the value of an output variable
 	securityGroupName := terraform.Output(t, terraformOptions, "security_group_name")
-	expectedSecurityGroupName := "eg-test-efs-test-" + randId
+	expectedSecurityGroupName := "eg-test-efs-test-" + randId + "-efs"
 	// Verify we're getting back the outputs we expect
 	assert.Equal(t, expectedSecurityGroupName, securityGroupName)
-
-	// Run `terraform output` to get the value of an output variable
-	securityGroupID := terraform.Output(t, terraformOptions, "security_group_id")
-	// Verify we're getting back the outputs we expect
-	assert.Contains(t, securityGroupID, "sg-", "SG ID should contains substring 'sg-'")
-
-	// Run `terraform output` to get the value of an output variable
-	securityGroupARN := terraform.Output(t, terraformOptions, "security_group_arn")
-	// Verify we're getting back the outputs we expect
-	assert.Contains(t, securityGroupARN, "arn:aws:ec2", "SG ID should contains substring 'arn:aws:ec2'")
 }
diff --git a/test/src/go.mod b/test/src/go.mod
@@ -3,7 +3,6 @@ module github.com/cloudposse/terraform-aws-efs
 go 1.13
 
 require (
-	github.com/gruntwork-io/gruntwork-cli v0.7.0 // indirect
-	github.com/gruntwork-io/terratest v0.34.7
+	github.com/gruntwork-io/terratest v0.31.4
 	github.com/stretchr/testify v1.6.1
 )