From cd712b6278b7aca952321a83541171593e1b7fe2 Mon Sep 17 00:00:00 2001
From: Bryan Barajas
Date: Thu, 15 Feb 2024 00:39:03 +0000
Subject: [PATCH] AWS/Azure/Gcloud Networking - replace defaults with an empty string and raise a helpful message for users

---
 edbterraform/data/terraform/aws/modules/security/main.tf | 5 +++++
 .../data/terraform/aws/modules/specification/variables.tf | 4 ++--
 edbterraform/data/terraform/azure/modules/security/main.tf | 5 +++++
 .../data/terraform/azure/modules/specification/variables.tf | 4 ++--
 edbterraform/data/terraform/gcloud/modules/security/main.tf | 5 +++++
 .../data/terraform/gcloud/modules/specification/variables.tf | 4 ++--
 6 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/edbterraform/data/terraform/aws/modules/security/main.tf b/edbterraform/data/terraform/aws/modules/security/main.tf
index ccaa4cde..c6409301 100644
--- a/edbterraform/data/terraform/aws/modules/security/main.tf
+++ b/edbterraform/data/terraform/aws/modules/security/main.tf
@@ -27,6 +27,11 @@ resource "aws_security_group_rule" "rule" {
 error_message = "${each.key} has type ${each.value.type}. Must be ingress or egress."
 }

+ precondition {
+ error_message = "port defaults must be one of: service, public, internal or an empty string ('')"
+ condition = contains(["service", "internal", "public", ""], try(each.value.defaults, ""))
+ }
+
 precondition {
 condition = each.value.cidrs != null && length(each.value.cidrs) > 0
 error_message = <<-EOT
diff --git a/edbterraform/data/terraform/aws/modules/specification/variables.tf b/edbterraform/data/terraform/aws/modules/specification/variables.tf
index fbdb46e6..8174b8c5 100644
--- a/edbterraform/data/terraform/aws/modules/specification/variables.tf
+++ b/edbterraform/data/terraform/aws/modules/specification/variables.tf
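Review bot: The new precondition's error message names neither the rule nor the rejected value, while the adjacent message two lines above does (`${each.key} has type ${each.value.type}…`); suggest `error_message = "${each.key} has defaults '${try(each.value.defaults, "")}'. Must be one of: service, public, internal or an empty string ('')."`. The same block is added verbatim to the azure and gcloud security modules later in this patch, so the change applies there too. Listing `error_message` before `condition` is also the reverse of the neighbouring preconditions; keeping `condition` first reads consistently. The `try()` fallback looks redundant if this module receives the `ports` objects as typed in the specification module, where `defaults` now carries an `optional(string, "")` default, but how this module's input is typed is not visible from here. The enclosing `resource` block starts and ends outside the hunk.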
@@ -38,7 +38,7 @@ variable "spec" {
 cidr = optional(string)
 })), {})
 ports = optional(list(object({
- defaults = optional(string, "service")
+ defaults = optional(string, "")
 port = optional(number)
 to_port = optional(number)
 protocol = string
@@ -55,7 +55,7 @@ variable "spec" {
 region = string
 ssh_port = optional(number, 22)
 ports = optional(list(object({
- defaults = optional(string, "internal")
+ defaults = optional(string, "")
 port = optional(number)
 to_port = optional(number)
 protocol = string
diff --git a/edbterraform/data/terraform/azure/modules/security/main.tf b/edbterraform/data/terraform/azure/modules/security/main.tf
index 6504de9c..732cd87d 100644
--- a/edbterraform/data/terraform/azure/modules/security/main.tf
+++ b/edbterraform/data/terraform/azure/modules/security/main.tf
@@ -39,5 +39,10 @@ resource "azurerm_network_security_rule" "rules" {
 condition = each.value.type == "ingress" || each.value.type == "egress"
 error_message = "${each.key} has type ${each.value.type}. Must be ingress or egress."
 }
+
+ precondition {
+ error_message = "port defaults must be one of: service, public, internal or an empty string ('')"
+ condition = contains(["service", "internal", "public", ""], try(each.value.defaults, ""))
+ }
 }
 }
diff --git a/edbterraform/data/terraform/azure/modules/specification/variables.tf b/edbterraform/data/terraform/azure/modules/specification/variables.tf
index 953e9ec3..c546fed7 100644
--- a/edbterraform/data/terraform/azure/modules/specification/variables.tf
+++ b/edbterraform/data/terraform/azure/modules/specification/variables.tf
@@ -41,7 +41,7 @@ variable "spec" {
 cidr = optional(string)
 })), {})
 ports = optional(list(object({
- defaults = optional(string, "service")
+ defaults = optional(string, "")
 port = optional(number)
 to_port = optional(number)
 protocol = string
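Review bot: Changing the `defaults` default from `"service"` (and from `"internal"` in the `@@ -55` hunk) to `""` silently alters the rules generated for existing specs that omit the attribute, and the new precondition in the security modules accepts `""`, so that check alone will not tell those users anything changed; the commit message should call this out as a behaviour change, and a comment on the attribute would document the contract, e.g. `# accepted values: "service", "public", "internal" or ""; see the security module for what each expands to`. The same change is repeated in the azure (`@@ -41`, `@@ -60`) and gcloud (`@@ -39`, `@@ -59`) specification hunks. Since `spec` is the single input for each provider, a `validation` block on this variable could reject unknown values once at the specification boundary rather than in three security modules, though the nesting paths such an expression would need are not visible here. The `variable "spec"` block extends beyond the hunk on both sides.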
@@ -60,7 +60,7 @@ variable "spec" {
 instance_type = string
 ssh_port = optional(number, 22)
 ports = optional(list(object({
- defaults = optional(string, "internal")
+ defaults = optional(string, "")
 port = optional(number)
 to_port = optional(number)
 protocol = string
diff --git a/edbterraform/data/terraform/gcloud/modules/security/main.tf b/edbterraform/data/terraform/gcloud/modules/security/main.tf
index 4ddfd0c8..391e3f9d 100644
--- a/edbterraform/data/terraform/gcloud/modules/security/main.tf
+++ b/edbterraform/data/terraform/gcloud/modules/security/main.tf
@@ -46,5 +46,10 @@ resource "google_compute_firewall" "rules" {
 condition = each.value.type == "ingress" || each.value.type == "egress"
 error_message = "${each.key} has type ${each.value.type}. Must be ingress or egress."
 }
+
+ precondition {
+ error_message = "port defaults must be one of: service, public, internal or an empty string ('')"
+ condition = contains(["service", "internal", "public", ""], try(each.value.defaults, ""))
+ }
 }
 }
diff --git a/edbterraform/data/terraform/gcloud/modules/specification/variables.tf b/edbterraform/data/terraform/gcloud/modules/specification/variables.tf
index a8ad89fc..80ff08df 100644
--- a/edbterraform/data/terraform/gcloud/modules/specification/variables.tf
+++ b/edbterraform/data/terraform/gcloud/modules/specification/variables.tf
@@ -39,7 +39,7 @@ variable "spec" {
 cidr = optional(string)
 })), {})
 ports = optional(list(object({
- defaults = optional(string, "service")
+ defaults = optional(string, "")
 port = optional(number)
 to_port = optional(number)
 protocol = string
@@ -59,7 +59,7 @@ variable "spec" {
 ip_forward = optional(bool)
 ssh_port = optional(number, 22)
 ports = optional(list(object({
- defaults = optional(string, "internal")
+ defaults = optional(string, "")
 port = optional(number)
 to_port = optional(number)
 protocol = string