Refactor ElastiCache module SG rule creation

burmek · burmek · commit 9a75d0fe6fbe · 2023-07-18T16:00:03.000-04:00
diff --git a/comet-infrastructure/main.tf b/comet-infrastructure/main.tf
@@ -81,13 +81,11 @@ module "comet_elasticache" {
   count       = var.enable_elasticache ? 1 : 0
   environment = var.environment
 
-  ec2_enabled = var.enable_ec2
-  eks_enabled = var.enable_eks
-
   vpc_id                       = var.enable_vpc ? module.comet_vpc[0].vpc_id : var.comet_vpc_id
   elasticache_private_subnets  = var.enable_vpc ? module.comet_vpc[0].private_subnets : var.comet_private_subnets
-  elasticache_allow_ec2_sg     = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : null
-  elasticache_allow_eks_sg     = var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : null
+  elasticache_allow_from_sg    = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : (
+                                 var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : (
+                                 var.elasticache_allow_from_sg))
   elasticache_engine           = var.elasticache_engine
   elasticache_engine_version   = var.elasticache_engine_version
   elasticache_instance_type    = var.elasticache_instance_type
diff --git a/comet-infrastructure/modules/comet_elasticache/main.tf b/comet-infrastructure/modules/comet_elasticache/main.tf
@@ -30,22 +30,11 @@ resource "aws_security_group" "redis_inbound_sg" {
   vpc_id = var.vpc_id
 }
 
-resource "aws_vpc_security_group_ingress_rule" "redis_port_inbound_ec2" {
-  count = var.ec2_enabled ? 1 : 0
+resource "aws_vpc_security_group_ingress_rule" "redis_port_inbound_rule" {
   security_group_id = aws_security_group.redis_inbound_sg.id
 
   from_port   = local.redis_port
   to_port     = local.redis_port
   ip_protocol    = "tcp"
-  referenced_security_group_id = var.elasticache_allow_ec2_sg
-}
-
-resource "aws_vpc_security_group_ingress_rule" "redis_port_inbound_eks" {
-  count = var.eks_enabled ? 1 : 0
-  security_group_id = aws_security_group.redis_inbound_sg.id
-
-  from_port   = local.redis_port
-  to_port     = local.redis_port
-  ip_protocol    = "tcp"
-  referenced_security_group_id = var.elasticache_allow_eks_sg
+  referenced_security_group_id = var.elasticache_allow_from_sg
 }
diff --git a/comet-infrastructure/modules/comet_elasticache/variables.tf b/comet-infrastructure/modules/comet_elasticache/variables.tf
@@ -14,13 +14,8 @@ variable "elasticache_private_subnets" {
   type        = list(string)
 }
 
-variable "elasticache_allow_ec2_sg" {
-  description = "Security group associated with EC2 compute, if provisioned"
-  type        = string
-}
-
-variable "elasticache_allow_eks_sg" {
-  description = "Security group associated with EKS compute, if provisioned"
+variable "elasticache_allow_from_sg" {
+  description = "Security group from which connections to ElastiCache will be allowed"
   type        = string
 }
 
@@ -47,16 +42,4 @@ variable "elasticache_param_group_name" {
 variable "elasticache_num_cache_nodes" {
   description = "Number of nodes in the Elasticache cluster"
   type        = number
-}
-
-variable "ec2_enabled" {
-  description = "Indicates if EC2 compute has been provisioned for Comet"
-  type        = bool
-  default     = null
-}
-
-variable "eks_enabled" {
-  description = "Indicates if EKS compute has been provisioned for Comet"
-  type        = bool
-  default     = null
 }
diff --git a/comet-infrastructure/terraform.tfvars b/comet-infrastructure/terraform.tfvars
@@ -15,6 +15,9 @@ availability_zones    = ["us-east-1a", "us-east-1b", "us-east-1c"]
 comet_public_subnets  = ["subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl"]
 comet_private_subnets = ["subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl"]
 
+# if provisioning ElastiCache in existing VPC, set the variable below to specify an SG that connections will be allowed from
+elasticache_allow_from_sg = "sg-012345abcdefghijkl"
+
 s3_bucket_name      = "comet-use2-bucket"
 rds_root_password   = "CHANGE-ME"
 ssl_certificate_arn = ""
diff --git a/comet-infrastructure/variables.tf b/comet-infrastructure/variables.tf
@@ -11,7 +11,7 @@ variable "region" {
 }
 
 variable "availability_zones" {
-  description = "List of availability zones from VPC"
+  description = "List of availability zones from region"
   type        = list(string)
   default     = null
 }
@@ -193,6 +193,12 @@ variable "eks_external_dns" {
 }
 
 #comet_elasticache
+variable "elasticache_allow_from_sg" {
+  description = "Security group from which to allow connections to ElastiCache, for use when provisioning in existing VPC"
+  type        = string
+  default     = null
+}
+
 variable "elasticache_engine" {
   description = "Engine type for ElastiCache cluster"
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ variable "region" {`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`variable "availability_zones" {`
`14`		`- description = "List of availability zones from VPC"`
	`14`	`+ description = "List of availability zones from region"`
`15`	`15`	`type = list(string)`
`16`	`16`	`default = null`
`17`	`17`	`}`
`@@ -193,6 +193,12 @@ variable "eks_external_dns" {`
`193`	`193`	`}`
`194`	`194`
`195`	`195`	`#comet_elasticache`
	`196`	`+variable "elasticache_allow_from_sg" {`
	`197`	`+ description = "Security group from which to allow connections to ElastiCache, for use when provisioning in existing VPC"`
	`198`	`+ type = string`
	`199`	`+ default = null`
	`200`	`+}`
	`201`	`+`
`196`	`202`	`variable "elasticache_engine" {`
`197`	`203`	`description = "Engine type for ElastiCache cluster"`
`198`	`204`	`type = string`