feat: expose egress_enabled to tighten security group egress#98
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughThis pull request introduces an ChangesEgress control and module upgrade
🎯 3 (Moderate) | ⏱️ ~20 minutes Sequence DiagramsequenceDiagram
participant TestRunner
participant TerraformModule as aurora_postgres_cluster
participant AWS_EC2 as EC2
TestRunner->>TerraformModule: terraform apply (egress_enabled = false)
TerraformModule->>AWS_EC2: create SecurityGroup (no egress rules)
TestRunner->>AWS_EC2: DescribeSecurityGroups(security_group_id)
AWS_EC2-->>TestRunner: security group (egress_permissions = empty)
Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Important Do not edit the Please update the Could you fix it @aknysh? 🙏 |
The aws-account-map repo (cloned by CI for the iam-roles relative-path module) was recently updated to stack-config/yaml v2, which requires cloudposse/utils >= 2.0.0. This component still pinned stack-config 1.8.0, which requires utils < 2.0.0, making the provider graph unsatisfiable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
/terratest |
…onfig v2 The vendored account-map came from cloudposse/terraform-aws-components 1.520.0, which uses cloudposse/stack-config/yaml v1.5.0 (constraint utils >= 1.7.1, != 1.4.0, < 2.0.0). After bumping the component's own remote-state to stack-config v2 (utils >= 2.0.0), this old account-map made the resolved utils graph unsatisfiable during atmos deploys. Switch to the standalone aws-account-map@v1.537.2 (uses stack-config v2) and bring vpc + dns-delegated up to the versions used by elasticache-redis. Drop dns-primary; the test suite only depends on vpc and dns-delegated. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
/terratest |
AWS no longer offers Aurora Postgres 13.21 (the version the fixture was pinned to), so cluster creation fails with InvalidParameterCombination. Bump to 17.9, the current latest Aurora Postgres release, and update cluster_family to aurora-postgresql17 to match. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
/terratest |
|
These changes were released in v2.0.0. |
what
egress_enabledinput on theaurora-postgrescomponent (default:true, preserves current behavior).cloudposse/rds-cluster/awsmodule so consumers can opt into restricted outbound traffic on the cluster's security group.TestBasic: deploys withegress_enabled = falseand asserts the resulting security group has zero egress rules.test/go.modto the latest available versions (includingtest-helpersv1.0.0,terratestv1.0.0,testifyv1.11.1, full AWS SDK v2 family, and the Go directive to1.26.3).README.md/src/README.mdinputs tables.why
allow_all_egresspattern already exposed in theelasticache-rediscomponent, applied here using the upstream module's native variable name (egress_enabled).truekeeps every existing stack unchanged — consumers opt in to restricted egress by settingegress_enabled: false.Summary by CodeRabbit
New Features
Documentation
Chores