Description
With 0.40.0 the setup process of this module has become a little more complex.
Prior to 0.40.0 (e.g. with 0.39.0) one could simply tell the module which SGs to allow, like so:

```hcl
allowed_security_groups = [
  module.api.ecs_service_security_group_id,
  join(",", module.bastion.security_group_ids)
]
```

It would allow any of these SGs to connect to `var.port`. Easy.
With v0.40.0 this has changed and now requires explicit declaration of rules like this:
```hcl
security_group_rules = [
  {
    type                     = "egress"
    from_port                = 0
    to_port                  = 65535
    protocol                 = "-1"
    cidr_blocks              = ["0.0.0.0/0"]
    source_security_group_id = null
    description              = "Allow all outbound traffic"
  },
  {
    type                     = "ingress"
    from_port                = 6379
    to_port                  = 6379
    protocol                 = "tcp"
    cidr_blocks              = []
    source_security_group_id = module.api.ecs_service_security_group_id
    description              = "Allow inbound Redis traffic from ECS"
  },
  {
    type                     = "ingress"
    from_port                = 6379
    to_port                  = 6379
    protocol                 = "tcp"
    cidr_blocks              = []
    source_security_group_id = join(",", module.bastion.security_group_ids)
    description              = "Allow inbound Redis traffic from Bastion"
  },
]
```
I have tried to define them as such:
```hcl
security_groups = [
  module.api.ecs_service_security_group_id,
  join(",", module.bastion.security_group_ids)
]
```

While they do get added to the Redis instance, it does not allow connecting from them.

The README shows a nice "allow all outbound" and an "allow all from VPC" example, but the default value of `security_group_rules` only contains the former.

Am I using this module the wrong way, or is this actually the way it is supposed to work (now)? If so, is there something we can do to improve this behavior?
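The migration the issue describes (from a flat list of allowed security group IDs plus a port to explicit `security_group_rules` objects) can be generated rather than hand-written, and the generated list can be checked for the mistakes that silently break connectivity or over-expose the cluster. The script below is an added example, not code from the module or the issue author: it expands a list of SG IDs into one ingress rule per SG on the given port (an `aws_security_group_rule` accepts a single `source_security_group_id`, so several IDs joined with commas, as in the `join(",", ...)` call above, do not form a valid source), emits the result as `.tfvars.json`, and lints for world-open ingress, rules with no source at all, comma-joined IDs, and rules that set both `cidr_blocks` and a source SG (the provider rejects that combination). The SG IDs and the `lint_rules` helper are constructed for illustration.

```python
"""Build explicit security_group_rules (v0.40.0 style) from the pre-0.40.0
inputs (allowed SG IDs + port) and lint the result before it is applied."""
import json

# Constructed sample values: placeholders, not real AWS identifiers.
SAMPLE_SG_IDS = ["sg-0aaaaaaaaaaaaaaa1", "sg-0bbbbbbbbbbbbbbb2"]
REDIS_PORT = 6379


def egress_all_rule():
    """The 'allow all outbound' rule that is the module's documented default."""
    return {
        "type": "egress",
        "from_port": 0,
        "to_port": 65535,
        "protocol": "-1",
        "cidr_blocks": ["0.0.0.0/0"],
        "source_security_group_id": None,
        "description": "Allow all outbound traffic",
    }


def ingress_rules_from_sgs(sg_ids, port, protocol="tcp"):
    """One ingress rule per SG ID: the explicit form of the old
    allowed_security_groups + var.port behaviour."""
    rules = []
    for sg in sg_ids:
        rules.append({
            "type": "ingress",
            "from_port": port,
            "to_port": port,
            "protocol": protocol,
            "cidr_blocks": [],
            "source_security_group_id": sg,
            "description": f"Allow inbound port {port} from {sg}",
        })
    return rules


def build_rules(sg_ids, port):
    """Default egress plus explicit ingress from each allowed SG."""
    return [egress_all_rule()] + ingress_rules_from_sgs(sg_ids, port)


def lint_rules(rules):
    """Return human-readable findings for rules that are unsafe or inert.
    (Hypothetical helper; the checks mirror aws_security_group_rule semantics.)"""
    findings = []
    for i, r in enumerate(rules):
        where = f"rule[{i}] ({r.get('description', '')!r})"
        src_sg = r.get("source_security_group_id")
        cidrs = r.get("cidr_blocks") or []
        if r["type"] == "ingress" and "0.0.0.0/0" in cidrs:
            findings.append(f"{where}: ingress open to 0.0.0.0/0")
        if not cidrs and not src_sg:
            findings.append(f"{where}: neither cidr_blocks nor "
                            "source_security_group_id set, rule has no source")
        if src_sg and "," in src_sg:
            findings.append(f"{where}: source_security_group_id contains a "
                            "comma (several IDs joined); use one rule per SG")
        if cidrs and src_sg:
            findings.append(f"{where}: cidr_blocks and source_security_group_id "
                            "are mutually exclusive")
    return findings


def to_tfvars_json(rules):
    """Serialise as a terraform .tfvars.json document (None becomes null)."""
    return json.dumps({"security_group_rules": rules}, indent=2)


if __name__ == "__main__":
    rules = build_rules(SAMPLE_SG_IDS, REDIS_PORT)
    print(to_tfvars_json(rules))
    for finding in lint_rules(rules):
        print("WARN", finding)
    # Reproduce the comma-join pitfall from the issue and show it is caught.
    joined = ingress_rules_from_sgs([",".join(SAMPLE_SG_IDS)], REDIS_PORT)
    for finding in lint_rules(joined):
        print("WARN", finding)
```

Writing the output to a file named `*.auto.tfvars.json` lets Terraform pick it up as the value of `security_group_rules` without any HCL changes; running `lint_rules` in CI before `terraform apply` catches a comma-joined source (which would never match a real SG) as well as an accidental world-open ingress.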