refactor: publicly accessible

thxCode · thxCode · commit 457fe5379911 · 2023-11-25T17:19:15.000+08:00
Signed-off-by: thxCode &lt;thxcode0824@gmail.com&gt;
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -3,3 +3,9 @@ plugin "terraform" {
   version = "0.5.0"
   source  = "github.com/terraform-linters/tflint-ruleset-terraform"
 }
+
+plugin "aws" {
+  enabled = true
+  version = "0.27.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_context"></a> [context](#input\_context) | Receive contextual information. When Walrus deploys, Walrus will inject specific contextual information into this field.<br><br>Examples:<pre>context:<br>  project:<br>    name: string<br>    id: string<br>  environment:<br>    name: string<br>    id: string<br>  resource:<br>    name: string<br>    id: string</pre> | `map(any)` | `{}` | no |
-| <a name="input_infrastructure"></a> [infrastructure](#input\_infrastructure) | Specify the infrastructure information for deploying.<br><br>Examples:<pre>infrastructure:<br>  vpc_id: string                            # the ID of the VPC where the redis service applies<br>  kms_key_id: string, optional              # the ID of the KMS key which to encrypt the redis data<br>  domain_suffix: string, optional           # a private DNS namespace of the CloudMap where to register the applied redis service</pre> | <pre>object({<br>    vpc_id        = string<br>    kms_key_id    = optional(string)<br>    domain_suffix = optional(string)<br>  })</pre> | n/a | yes |
+| <a name="input_infrastructure"></a> [infrastructure](#input\_infrastructure) | Specify the infrastructure information for deploying.<br><br>Examples:<pre>infrastructure:<br>  vpc_id: string                   # the ID of the VPC where the Redis service applies<br>  kms_key_id: string, optional     # the ID of the KMS key which to encrypt the Redis data<br>  domain_suffix: string, optional  # a private DNS namespace of the CloudMap where to register the applied Redis service<br>  publicly_accessible: bool        # whether the Redis service is publicly accessible</pre> | <pre>object({<br>    vpc_id        = string<br>    kms_key_id    = optional(string)<br>    domain_suffix = optional(string)<br>    publicly_accessible = optional(bool, false)<br>  })</pre> | n/a | yes |
 | <a name="input_architecture"></a> [architecture](#input\_architecture) | Specify the deployment architecture, select from standalone or replication. | `string` | `"standalone"` | no |
 | <a name="input_replication_readonly_replicas"></a> [replication\_readonly\_replicas](#input\_replication\_readonly\_replicas) | Specify the number of read-only replicas under the replication deployment. | `number` | `1` | no |
 | <a name="input_engine_version"></a> [engine\_version](#input\_engine\_version) | Specify the deployment engine version. | `string` | `"7.0"` | no |
diff --git a/main.tf b/main.tf
@@ -112,10 +112,11 @@ locals {
 
 locals {
   version = coalesce(var.engine_version == "6.0" ? "6.x" : var.engine_version, "7.0")
-  version_family_mapping = {
+  version_family_map = {
     "6.x" = "redis6.x",
     "7.0" = "redis7",
   }
+  publicly_accessible = try(var.infrastructure.publicly_accessible, false)
 }
 
 # create security group.
@@ -132,12 +133,11 @@ resource "aws_security_group_rule" "target" {
   description = local.description
 
   security_group_id = aws_security_group.target.id
-
-  type        = "ingress"
-  protocol    = "tcp"
-  cidr_blocks = [data.aws_vpc.selected.cidr_block]
-  from_port   = 6379
-  to_port     = 6379
+  type              = "ingress"
+  protocol          = "tcp"
+  cidr_blocks       = local.publicly_accessible ? ["0.0.0.0/0", data.aws_vpc.selected.cidr_block] : [data.aws_vpc.selected.cidr_block]
+  from_port         = 6379
+  to_port           = 6379
 }
 
 resource "aws_elasticache_subnet_group" "target" {
@@ -165,7 +165,7 @@ resource "aws_elasticache_parameter_group" "target" {
   description = local.description
   tags        = local.tags
 
-  family = local.version_family_mapping[local.version]
+  family = local.version_family_map[local.version]
 
   dynamic "parameter" {
     for_each = local.parameters
@@ -189,6 +189,7 @@ resource "aws_elasticache_replication_group" "default" {
 
   num_cache_clusters = local.architecture == "replication" ? local.replication_readonly_replicas + 1 : 1
 
+  engine               = "redis"
   engine_version       = local.version
   parameter_group_name = aws_elasticache_parameter_group.target.name
   auth_token           = local.password
@@ -198,10 +199,10 @@ resource "aws_elasticache_replication_group" "default" {
   transit_encryption_enabled = true
   at_rest_encryption_enabled = try(data.aws_kms_key.selected[0].arn != null, true)
   kms_key_id                 = try(data.aws_kms_key.selected[0].arn, null)
-  snapshot_window            = "00:00-05:00"
-  snapshot_retention_limit   = 5
 
-  apply_immediately = true
+  apply_immediately        = true
+  snapshot_window          = "00:00-05:00"
+  snapshot_retention_limit = 5
 }
 
 resource "aws_service_discovery_service" "primary" {
diff --git a/schema.yaml b/schema.yaml
@@ -34,6 +34,15 @@ components:
           required:
           - vpc_id
           properties:
+            publicly_accessible:
+              description: |
+                Specify whether to enable public access. If enabled, the Redis service can be accessed from the public network.
+              default: false
+              nullable: true
+              title: Publicly Accessible
+              type: boolean
+              x-walrus-ui:
+                order: 4
             domain_suffix:
               title: Domain Suffix
               type: string
diff --git a/variables.tf b/variables.tf
@@ -35,15 +35,17 @@ Specify the infrastructure information for deploying.
 Examples:
 ```
 infrastructure:
-  vpc_id: string                            # the ID of the VPC where the redis service applies
-  kms_key_id: string, optional              # the ID of the KMS key which to encrypt the redis data
-  domain_suffix: string, optional           # a private DNS namespace of the CloudMap where to register the applied redis service
+  vpc_id: string                   # the ID of the VPC where the Redis service applies
+  kms_key_id: string, optional     # the ID of the KMS key which to encrypt the Redis data
+  domain_suffix: string, optional  # a private DNS namespace of the CloudMap where to register the applied Redis service
+  publicly_accessible: bool        # whether the Redis service is publicly accessible
 ```
 EOF
   type = object({
-    vpc_id        = string
-    kms_key_id    = optional(string)
-    domain_suffix = optional(string)
+    vpc_id              = string
+    kms_key_id          = optional(string)
+    domain_suffix       = optional(string)
+    publicly_accessible = optional(bool, false)
   })
 }
 
