feat: make security group optional (#39)

* feat: make security group optional

* fix: server lb name

* fix: add missing var

* fix: add missing variable to example

* adds default value

* fix naming convention

Author: jubranNassar

examples/basic-example/main.tf

@@ -35,6 +35,7 @@ module "this" {
   vpc_id      = var.vpc_id
   ecs_subnets = var.private_subnet_ids
 
+  server_lb_name            = var.server_lb_name
   server_lb_subnets         = var.public_subnet_ids
   server_security_group_id  = var.server_security_group_id
   server_lb_certificate_arn = var.lb_certificate_arn

examples/basic-example/variables.tf

@@ -46,6 +46,12 @@ variable "kms_signing_key_arn" {
   type = string
 }
 
+variable "server_lb_name" {
+  type        = string
+  description = "The name of the server load balancer."
+  default     = null
+}
+
 variable "lb_certificate_arn" {
   type = string
 }

main.tf

@@ -40,7 +40,9 @@ module "lb" {
 
   drain_security_group_id = var.drain_security_group_id
 
+
   server_port               = local.server_port
+  server_lb_name            = var.server_lb_name
   server_lb_internal        = var.server_lb_internal
   server_lb_subnets         = var.server_lb_subnets
   server_lb_certificate_arn = var.server_lb_certificate_arn

modules/lb/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  load_balancer_security_group_id = var.load_balancer_security_group_id != null ? var.load_balancer_security_group_id : aws_security_group.load_balancer_sg[0].id
+}

modules/lb/mqtt_lb.tf

@@ -1,7 +1,7 @@
 resource "aws_lb" "mqtt" {
   count              = var.mqtt_broker_type == "builtin" ? 1 : 0
   name               = "spacelift-mqtt-${var.suffix}"
-  security_groups    = [aws_security_group.load_balancer_sg.id]
+  security_groups    = [local.load_balancer_security_group_id]
   subnets            = var.mqtt_lb_subnets
   load_balancer_type = "network"
   internal           = var.mqtt_lb_internal

modules/lb/outputs.tf

@@ -45,3 +45,8 @@ output "vcs_gateway_target_group_arn" {
 output "vcs_gateway_lb_dns" {
   value = var.vcs_gateway_service_security_group_id != null ? aws_lb.vcs_gateway[0].dns_name : null
 }
+
+output "load_balancer_security_group_id" {
+  value       = local.load_balancer_security_group_id
+  description = "The security group ID used by the main load balancer (either provided or created)"
+}

modules/lb/security.tf

@@ -1,11 +1,13 @@
 resource "aws_security_group" "load_balancer_sg" {
+  count = var.load_balancer_security_group_id == null ? 1 : 0
+
   name        = "load_balancer_sg_${var.suffix}"
   description = "Allow HTTP and HTTPS traffic to the load balancer"
   vpc_id      = var.vpc_id
 }
 
 resource "aws_vpc_security_group_egress_rule" "lb_http_towards_server" {
-  security_group_id = aws_security_group.load_balancer_sg.id
+  security_group_id = local.load_balancer_security_group_id
 
   description                  = "Allow all traffic to the server"
   from_port                    = var.server_port
@@ -17,7 +19,7 @@ resource "aws_vpc_security_group_egress_rule" "lb_http_towards_server" {
 resource "aws_vpc_security_group_egress_rule" "lb_mqtt_towards_server" {
   count = var.mqtt_broker_type == "builtin" ? 1 : 0
 
-  security_group_id = aws_security_group.load_balancer_sg.id
+  security_group_id = local.load_balancer_security_group_id
 
   description                  = "Allow all traffic to the server"
   from_port                    = var.mqtt_port
@@ -27,7 +29,7 @@ resource "aws_vpc_security_group_egress_rule" "lb_mqtt_towards_server" {
 }
 
 resource "aws_vpc_security_group_ingress_rule" "tls" {
-  security_group_id = aws_security_group.load_balancer_sg.id
+  security_group_id = local.load_balancer_security_group_id
 
   description = "Accept HTTP connections on port 443"
   from_port   = 443
@@ -39,7 +41,7 @@ resource "aws_vpc_security_group_ingress_rule" "tls" {
 resource "aws_vpc_security_group_ingress_rule" "mqtt" {
   count = var.mqtt_broker_type == "builtin" ? 1 : 0
 
-  security_group_id = aws_security_group.load_balancer_sg.id
+  security_group_id = local.load_balancer_security_group_id
 
   description = "Accept TLS connections on port 1984 for built in MQTT server"
   from_port   = var.mqtt_port
@@ -55,7 +57,7 @@ resource "aws_vpc_security_group_ingress_rule" "http_lb_to_server" {
   from_port                    = var.server_port
   to_port                      = var.server_port
   ip_protocol                  = "tcp"
-  referenced_security_group_id = aws_security_group.load_balancer_sg.id
+  referenced_security_group_id = local.load_balancer_security_group_id
 }
 
 resource "aws_vpc_security_group_ingress_rule" "mqtt_lb_to_server" {
@@ -67,7 +69,7 @@ resource "aws_vpc_security_group_ingress_rule" "mqtt_lb_to_server" {
   from_port                    = var.mqtt_port
   to_port                      = var.mqtt_port
   ip_protocol                  = "tcp"
-  referenced_security_group_id = aws_security_group.load_balancer_sg.id
+  referenced_security_group_id = local.load_balancer_security_group_id
 }
 
 resource "aws_security_group" "vcs_gateway_lb_sg" {

modules/lb/server_lb.tf

@@ -1,7 +1,7 @@
 resource "aws_lb" "server" {
-  name               = "server-lb-${var.suffix}"
+  name               = coalesce(var.server_lb_name, "server-lb-${var.suffix}")
   load_balancer_type = "application"
-  security_groups    = [aws_security_group.load_balancer_sg.id]
+  security_groups    = [local.load_balancer_security_group_id]
   subnets            = var.server_lb_subnets
   internal           = var.server_lb_internal
 }

modules/lb/variables.tf

@@ -23,6 +23,12 @@ variable "server_port" {
   description = "The port the server is listening on."
 }
 
+variable "server_lb_name" {
+  type        = string
+  description = "The name of the server load balancer."
+  default     = null
+}
+
 variable "server_lb_subnets" {
   type        = list(string)
   description = "The subnets to deploy the server load balancer in."
@@ -87,3 +93,9 @@ variable "vcs_gateway_certificate_arn" {
   type        = string
   description = "The ARN of the certificate to use for the VCS gateway load balancer."
 }
+
+variable "load_balancer_security_group_id" {
+  type        = string
+  default     = null
+  description = "The security group ID to use for the main load balancer. If not provided, a new security group will be created."
+}

variables.tf

@@ -35,6 +35,12 @@ variable "vpc_id" {
   description = "The VPC ID to deploy the load balancers in."
 }
 
+variable "server_lb_name" {
+  type        = string
+  description = "The name of the server load balancer."
+  default     = null
+}
+
 variable "server_lb_internal" {
   type        = bool
   description = "Whether the server load balancer should be internal or internet-facing. It's false (internet-facing) by default."