Make cluster security group idempotent [GH-49]

[GH-49]: #49

Author: MSR-RyanFisher

README.md

@@ -129,7 +129,7 @@ Available targets:
 | parameter | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | object | `<list>` | no |
 | port | Redis port | number | `6379` | no |
 | replication_group_id | Replication group ID with the following constraints:  A name must contain from 1 to 20 alphanumeric characters or hyphens.   The first character must be a letter.   A name cannot end with a hyphen or contain two consecutive hyphens. | string | `` | no |
-| security_groups | Security Group IDs | list(string) | `<list>` | no |
+| security_groups | A list of security group IDs that are allowed ingress to the cluster | list(string) | `<list>` | no |
 | snapshot_retention_limit | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | number | `0` | no |
 | snapshot_window | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | string | `06:30-07:30` | no |
 | stage | Stage (e.g. `prod`, `dev`, `staging`) | string | `` | no |

docs/terraform.md

@@ -26,7 +26,7 @@
 | parameter | A list of Redis parameters to apply. Note that parameters may differ from one Redis family to another | object | `<list>` | no |
 | port | Redis port | number | `6379` | no |
 | replication_group_id | Replication group ID with the following constraints:  A name must contain from 1 to 20 alphanumeric characters or hyphens.   The first character must be a letter.   A name cannot end with a hyphen or contain two consecutive hyphens. | string | `` | no |
-| security_groups | Security Group IDs | list(string) | `<list>` | no |
+| security_groups | A list of security group IDs that are allowed ingress to the cluster | list(string) | `<list>` | no |
 | snapshot_retention_limit | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | number | `0` | no |
 | snapshot_window | The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | string | `06:30-07:30` | no |
 | stage | Stage (e.g. `prod`, `dev`, `staging`) | string | `` | no |

main.tf

@@ -17,21 +17,30 @@ resource "aws_security_group" "default" {
   vpc_id = var.vpc_id
   name   = module.label.id
 
-  ingress {
-    from_port       = var.port # Redis
-    to_port         = var.port
-    protocol        = "tcp"
-    security_groups = var.security_groups
-  }
+  tags = module.label.tags
+}
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_security_group_rule" "default_ingress" {
+  for_each                 = toset(var.security_groups)
+  description              = "default ingress"
+  type                     = "ingress"
+  from_port                = var.port # Redis
+  to_port                  = var.port
+  protocol                 = "tcp"
+  source_security_group_id = each.value
 
-  tags = module.label.tags
+  security_group_id = aws_security_group.default.*.id
+}
+
+resource "aws_security_group_rule" "default_egress" {
+  description              = "default egress"
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  source_security_group_id = aws_security_group.default
+
+  security_group_id = aws_security_group.default.*.id
 }
 
 locals {

variables.tf

@@ -24,7 +24,7 @@ variable "name" {
 variable "security_groups" {
   type        = list(string)
   default     = []
-  description = "Security Group IDs"
+  description = "A list of security group IDs that are allowed ingress to the cluster"
 }
 
 variable "vpc_id" {