From 68d0bb7ba4cad44cb5976b1ddb9ec8744277b008 Mon Sep 17 00:00:00 2001 From: RoseSecurity Date: Thu, 15 May 2025 10:10:47 -0400 Subject: [PATCH 1/3] feat: consolidate enable parameters to locals --- main.tf | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/main.tf b/main.tf index 496678b..34d4da9 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,9 @@ +locals { + enabled = local.enabled +} + resource "aws_security_group" "default" { - count = module.this.enabled ? 1 : 0 + count = local.enabled ? 1 : 0 name = module.this.id description = "Security Group for DocumentDB cluster" vpc_id = var.vpc_id @@ -7,7 +11,7 @@ resource "aws_security_group" "default" { } resource "aws_security_group_rule" "egress" { - count = module.this.enabled ? 1 : 0 + count = local.enabled ? 1 : 0 type = "egress" description = "Allow outbound traffic from CIDR blocks" from_port = var.egress_from_port @@ -18,7 +22,7 @@ resource "aws_security_group_rule" "egress" { } resource "aws_security_group_rule" "allow_ingress_from_self" { - count = module.this.enabled && var.allow_ingress_from_self ? 1 : 0 + count = local.enabled && var.allow_ingress_from_self ? 1 : 0 type = "ingress" description = "Allow traffic within the security group" from_port = var.db_port @@ -29,7 +33,7 @@ resource "aws_security_group_rule" "allow_ingress_from_self" { } resource "aws_security_group_rule" "ingress_security_groups" { - count = module.this.enabled ? length(var.allowed_security_groups) : 0 + count = local.enabled ? length(var.allowed_security_groups) : 0 type = "ingress" description = "Allow inbound traffic from existing Security Groups" from_port = var.db_port @@ -41,7 +45,7 @@ resource "aws_security_group_rule" "ingress_security_groups" { resource "aws_security_group_rule" "ingress_cidr_blocks" { type = "ingress" - count = module.this.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0 + count = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0 description = "Allow inbound traffic from CIDR blocks" from_port = var.db_port to_port = var.db_port @@ -51,13 +55,13 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" { } resource "random_password" "password" { - count = module.this.enabled && var.master_password == "" ? 1 : 0 + count = local.enabled && var.master_password == "" ? 1 : 0 length = 16 special = false } resource "aws_docdb_cluster" "default" { - count = module.this.enabled ? 1 : 0 + count = local.enabled ? 1 : 0 cluster_identifier = module.this.id master_username = var.master_username master_password = var.master_password != "" ? var.master_password : random_password.password[0].result @@ -84,7 +88,7 @@ resource "aws_docdb_cluster" "default" { } resource "aws_docdb_cluster_instance" "default" { - count = module.this.enabled ? var.cluster_size : 0 + count = local.enabled ? var.cluster_size : 0 identifier = "${module.this.id}-${count.index + 1}" cluster_identifier = join("", aws_docdb_cluster.default[*].id) apply_immediately = var.apply_immediately @@ -98,7 +102,7 @@ resource "aws_docdb_cluster_instance" "default" { } resource "aws_docdb_subnet_group" "default" { - count = module.this.enabled ? 1 : 0 + count = local.enabled ? 1 : 0 name = module.this.id description = "Allowed subnets for DB cluster instances" subnet_ids = var.subnet_ids @@ -107,7 +111,7 @@ resource "aws_docdb_subnet_group" "default" { # https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-parameter-group-create.html resource "aws_docdb_cluster_parameter_group" "default" { - count = module.this.enabled ? 1 : 0 + count = local.enabled ? 1 : 0 name = module.this.id description = "DB cluster parameter group" family = var.cluster_family @@ -135,7 +139,7 @@ module "dns_master" { source = "cloudposse/route53-cluster-hostname/aws" version = "0.13.0" - enabled = module.this.enabled && var.zone_id != "" ? true : false + enabled = local.enabled && var.zone_id != "" ? true : false dns_name = local.cluster_dns_name zone_id = var.zone_id records = coalescelist(aws_docdb_cluster.default[*].endpoint, [""]) @@ -147,7 +151,7 @@ module "dns_replicas" { source = "cloudposse/route53-cluster-hostname/aws" version = "0.13.0" - enabled = module.this.enabled && var.zone_id != "" ? true : false + enabled = local.enabled && var.zone_id != "" ? true : false dns_name = local.replicas_dns_name zone_id = var.zone_id records = coalescelist(aws_docdb_cluster.default[*].reader_endpoint, [""]) @@ -159,7 +163,7 @@ module "ssm_write_db_password" { source = "cloudposse/ssm-parameter-store/aws" version = "0.13.0" - enabled = module.this.enabled && var.ssm_parameter_enabled == true ? true : false + enabled = local.enabled && var.ssm_parameter_enabled == true ? true : false parameter_write = [ { name = format("%s%s", var.ssm_parameter_path_prefix, module.this.id) From edf76f7edb80b976c73fe0b462a2cbed3312d9c7 Mon Sep 17 00:00:00 2001 From: RoseSecurity Date: Thu, 15 May 2025 11:04:24 -0400 Subject: [PATCH 2/3] fix: sed did me dirty --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 34d4da9..b6c7cae 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,5 @@ locals { - enabled = local.enabled + enabled = module.this.enabled } resource "aws_security_group" "default" { From 644fe4c52a35364f9108112965039059917a846d Mon Sep 17 00:00:00 2001 From: RoseSecurity Date: Thu, 15 May 2025 16:11:50 -0400 Subject: [PATCH 3/3] fix: address invalid count bug --- main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index b6c7cae..50fde66 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,6 @@ locals { - enabled = module.this.enabled + enabled = module.this.enabled + create_password = local.enabled && length(var.master_password) == 0 } resource "aws_security_group" "default" { @@ -55,7 +56,7 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" { } resource "random_password" "password" { - count = local.enabled && var.master_password == "" ? 1 : 0 + count = local.enabled && local.create_password ? 1 : 0 length = 16 special = false }