feat: allow configuring additional security group rules

[mhulscher]

what

• Follow-up of feat: allow configuring of additional security group rules terraform-aws-ssm-agent#38
• Allow adding additional security groups rules to primary security group

why

• To ensure module users don't necessarily need to create separate security groups to attach additional rules

references

• N/A

Summary by CodeRabbit

• New Features
  • Added support for specifying additional security group rules via a new configuration option.
  • Upgraded the subnet router module to a newer version for improved compatibility.

[coderabbitai]

Walkthrough

The changes update the version of the "tailscale_subnet_router" Terraform module from 1.3.0 to 1.4.0 and introduce a new input variable, additional_security_group_rules, allowing users to specify extra security group rules. This variable is defined as a map of objects in variables.tf and integrated into the module invocation in main.tf.

Changes

File(s)	Change Summary
main.tf	Updated "tailscale_subnet_router" module source version to 1.4.0. Added additional_security_group_rules input to module usage.
variables.tf	Added new variable additional_security_group_rules as a map of objects for specifying extra security group rules.

Poem

🎉
A version bump, a rule anew,
Security grows, as changes accrue.
Ports and protocols, now defined with care,
1.4.0 brings features to share!
Terraform scripts, with rules to choose—
Our infrastructure walks in safer shoes.
🚀

Note

⚡️ AI Code Reviews for VS Code, Cursor, Windsurf

CodeRabbit now has a plugin for VS Code, Cursor and Windsurf. This brings AI code reviews directly in the code editor. Each commit is reviewed immediately, finding bugs before the PR is raised. Seamless context handoff to your AI code agent ensures that you can easily incorporate review feedback.
Learn more here.

---

Note

⚡️ Faster reviews with caching

CodeRabbit now supports caching for code and dependencies, helping speed up reviews. This means quicker feedback, reduced wait times, and a smoother review experience overall. Cached data is encrypted and stored securely. This feature will be automatically enabled for all accounts on May 16th. To opt out, configure Review - Disable Cache at either the organization or repository level. If you prefer to disable all data retention across your organization, simply turn off the Data Retention setting under your Organization Settings.
Enjoy the performance boost—your workflow just got faster.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

variables.tf (1)

21-36: Add validation for additional_security_group_rules
The new additional_security_group_rules variable is flexible but could lead to invalid configs (e.g., from_port > to_port or unsupported type values). Consider adding a validation block to enforce correct rule definitions.
Example:

variable "additional_security_group_rules" {
  description = "Additional security group rules that will be attached to the primary security group"
  type = map(object({
    type      = string
    from_port = number
    to_port   = number
    protocol  = string

    description      = optional(string)
    cidr_blocks      = optional(list(string))
    ipv6_cidr_blocks = optional(list(string))
    prefix_list_ids  = optional(list(string))
    self             = optional(bool)
  }))
  default = {}

  validation {
    condition = alltrue([
      for rule in values(var.additional_security_group_rules) : (
        contains(["ingress", "egress"], rule.type)
        && rule.from_port <= rule.to_port
      )
    ])
    error_message = "Each rule must have type = \"ingress\" or \"egress\" and from_port ≤ to_port."
  }
}

main.tf (1)

51-51: Document usage of additional_security_group_rules
Now that you accept custom rule maps, update the module README with an example. For instance:

 module "tailscale_subnet_router" {
   # ...
+  additional_security_group_rules = {
+    allow_ssh = {
+      type        = "ingress"
+      from_port   = 22
+      to_port     = 22
+      protocol    = "tcp"
+      cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
 }

This will help users quickly adopt the new feature.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 59acbd6 and 2f4a184.

📒 Files selected for processing (2)

• main.tf (2 hunks)
• variables.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

`**/*.tf`: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.or...

**/*.tf: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.

• main.tf
• variables.tf

🔇 Additional comments (2)

main.tf (2)

50-50: Maintain backward compatibility of additional_security_group_ids
Good call keeping additional_security_group_ids in the invocation for existing use-cases. No changes needed here.

---

40-40:

✅ Verification successful

Confirm module version bump
Upgrading the module version to 1.4.0 is required to support the new additional_security_group_rules input. Ensure that this release on the Terraform Registry includes the corresponding logic to consume the new variable.

Consider running:

---

🏁 Script executed:

#!/bin/bash
# Verify that version 1.4.0 of the module declares `additional_security_group_rules`
ast-grep --pattern 'variable additional_security_group_rules' --lang hcl

Length of output: 181

---

🏁 Script executed:

#!/bin/bash
# Search for the `variable "additional_security_group_rules"` declaration in Terraform files
rg 'variable\s+"additional_security_group_rules"' --context 3 --glob '*.tf'

Length of output: 471

---

Module version bump confirmed
The Terraform module v1.4.0 already declares the additional_security_group_rules variable in variables.tf, so the bump is valid. Approving the change.

[oycyc]

Good addition, thanks!

[oycyc]

Ah @gberenice can you review this as well, I was the last committer because I had to resolve a merge conflict after merging the rsync PR