feat: Use base security-group module to remove duplicate EFS security group

[dynamike]

Description

Attempt to resolve #324. I believe this is due to the fact that the nfs submodule is trying to create a duplicate NFS ingress that conflicts with the one defined here. This PR used the base security-group module and relies on

  ingress_with_source_security_group_id = [{
    rule                     = "nfs-tcp",
    source_security_group_id = module.atlantis_sg.security_group_id
  }]

to configure the efs ingress rules.

Motivation and Context

Resolves #324

Breaking Changes

This will cause a brief breakage for atlantis as it will replace security groups due to the need to switch modules. A sample plan looks like the following

Terraform plan

Terraform will perform the following actions:

  # module.atlantis.aws_efs_mount_target.this["10.20.1.0/24"] will be updated in-place
  ~ resource "aws_efs_mount_target" "this" {
        id                     = "fsmt-0c8334429c735571a"
      ~ security_groups        = [
          - "sg-023aee2b50991fd4b",
          - "sg-05e25a6addebd0f3f",
        ] -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # module.atlantis.aws_efs_mount_target.this["10.20.2.0/24"] will be updated in-place
  ~ resource "aws_efs_mount_target" "this" {
        id                     = "fsmt-0d40f94760fb56788"
      ~ security_groups        = [
          - "sg-023aee2b50991fd4b",
          - "sg-05e25a6addebd0f3f",
        ] -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # module.atlantis.aws_efs_mount_target.this["10.20.3.0/24"] will be updated in-place
  ~ resource "aws_efs_mount_target" "this" {
        id                     = "fsmt-0316cf50969125693"
      ~ security_groups        = [
          - "sg-023aee2b50991fd4b",
          - "sg-05e25a6addebd0f3f",
        ] -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # module.atlantis.module.efs_sg[0].aws_security_group.this_name_prefix[0] will be created
  + resource "aws_security_group" "this_name_prefix" {
      + arn                    = (known after apply)
      + description            = "Security group allowing access to the EFS storage"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = "atlantis-efs-"
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Name" = "atlantis"
        }
      + tags_all               = {
          + "Automation" = "Terraform"
          + "Name"       = "atlantis"
        }
      + vpc_id                 = "vpc-079a13d42c60e2b9e"

      + timeouts {
          + create = "10m"
          + delete = "15m"
        }
    }

  # module.atlantis.module.efs_sg[0].aws_security_group_rule.ingress_with_source_security_group_id[0] will be created
  + resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
      + description              = "Ingress Rule"
      + from_port                = 2049
      + id                       = (known after apply)
      + prefix_list_ids          = []
      + protocol                 = "tcp"
      + security_group_id        = (known after apply)
      + self                     = false
      + source_security_group_id = "sg-05e25a6addebd0f3f"
      + to_port                  = 2049
      + type                     = "ingress"
    }

  # module.atlantis.module.efs_sg[0].module.sg.aws_security_group.this_name_prefix[0] will be destroyed
  # (because aws_security_group.this_name_prefix is not in configuration)
  - resource "aws_security_group" "this_name_prefix" {
      - arn                    = "arn:aws:ec2:us-west-2:147093333562:security-group/sg-023aee2b50991fd4b" -> null
      - description            = "Security group allowing access to the EFS storage" -> null
      - egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "All protocols"
              - from_port        = 0
              - ipv6_cidr_blocks = [
                  - "::/0",
                ]
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
        ] -> null
      - id                     = "sg-023aee2b50991fd4b" -> null
      - ingress                = [
          - {
              - cidr_blocks      = []
              - description      = "Ingress Rule"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = true
              - to_port          = 0
            },
          - {
              - cidr_blocks      = []
              - description      = "Ingress Rule"
              - from_port        = 2049
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "sg-05e25a6addebd0f3f",
                ]
              - self             = false
              - to_port          = 2049
            },
        ] -> null
      - name                   = "atlantis-efs-20221115182547572900000005" -> null
      - name_prefix            = "atlantis-efs-" -> null
      - owner_id               = "147093333562" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "Name" = "atlantis"
        } -> null
      - tags_all               = {
          - "Automation" = "Terraform"
          - "Name"       = "atlantis"
        } -> null
      - vpc_id                 = "vpc-079a13d42c60e2b9e" -> null

      - timeouts {
          - create = "10m" -> null
          - delete = "15m" -> null
        }
    }

  # module.atlantis.module.efs_sg[0].module.sg.aws_security_group_rule.egress_rules[0] will be destroyed
  # (because aws_security_group_rule.egress_rules is not in configuration)
  - resource "aws_security_group_rule" "egress_rules" {
      - cidr_blocks       = [
          - "0.0.0.0/0",
        ] -> null
      - description       = "All protocols" -> null
      - from_port         = 0 -> null
      - id                = "sgrule-4171184799" -> null
      - ipv6_cidr_blocks  = [
          - "::/0",
        ] -> null
      - prefix_list_ids   = [] -> null
      - protocol          = "-1" -> null
      - security_group_id = "sg-023aee2b50991fd4b" -> null
      - self              = false -> null
      - to_port           = 0 -> null
      - type              = "egress" -> null
    }

  # module.atlantis.module.efs_sg[0].module.sg.aws_security_group_rule.ingress_rules[0] will be destroyed
  # (because aws_security_group_rule.ingress_rules is not in configuration)
  - resource "aws_security_group_rule" "ingress_rules" {
      - cidr_blocks       = [] -> null
      - from_port         = 2049 -> null
      - id                = "sgrule-1299490025" -> null
      - ipv6_cidr_blocks  = [] -> null
      - prefix_list_ids   = [] -> null
      - protocol          = "tcp" -> null
      - security_group_id = "sg-023aee2b50991fd4b" -> null
      - self              = false -> null
      - to_port           = 2049 -> null
      - type              = "ingress" -> null
    }

  # module.atlantis.module.efs_sg[0].module.sg.aws_security_group_rule.ingress_with_self[0] will be destroyed
  # (because aws_security_group_rule.ingress_with_self is not in configuration)
  - resource "aws_security_group_rule" "ingress_with_self" {
      - description       = "Ingress Rule" -> null
      - from_port         = 0 -> null
      - id                = "sgrule-1227184360" -> null
      - prefix_list_ids   = [] -> null
      - protocol          = "-1" -> null
      - security_group_id = "sg-023aee2b50991fd4b" -> null
      - self              = true -> null
      - to_port           = 0 -> null
      - type              = "ingress" -> null
    }

  # module.atlantis.module.efs_sg[0].module.sg.aws_security_group_rule.ingress_with_source_security_group_id[0] will be destroyed
  # (because aws_security_group_rule.ingress_with_source_security_group_id is not in configuration)
  - resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
      - description              = "Ingress Rule" -> null
      - from_port                = 2049 -> null
      - id                       = "sgrule-2156250272" -> null
      - prefix_list_ids          = [] -> null
      - protocol                 = "tcp" -> null
      - security_group_id        = "sg-023aee2b50991fd4b" -> null
      - self                     = false -> null
      - source_security_group_id = "sg-05e25a6addebd0f3f" -> null
      - to_port                  = 2049 -> null
      - type                     = "ingress" -> null
    }

Plan: 2 to add, 3 to change, 5 to destroy.

I wasn't able to find a way to fix this without this breaking change, but let me know if there's another avenue to go down.

How Has This Been Tested?

• I have updated at least one of the examples/* to demonstrate and validate my change(s)
• I have tested and validated these changes using one or more of the provided examples/* projects

• I have executed pre-commit run -a on my pull request

[antonbabenko]

That's ok. This is feat (not a fix), and it will trigger a minor release instead of a patch. Users will have to pay attention to it and recreate the security group.

[antonbabenko]

This PR is included in version 3.25.0 🎉

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.