Adjusting protection groups, and adding test

rodrigobersa · rodrigobersa · commit 565470fbccec · 2023-09-08T20:21:04.000-04:00
diff --git a/README.md b/README.md
@@ -43,14 +43,11 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_aggregation"></a> [aggregation](#input\_aggregation) | Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events. | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | A friendly name for the Protection you are creating. | `string` | n/a | yes |
-| <a name="input_pattern"></a> [pattern](#input\_pattern) | The criteria to use to choose the protected resources for inclusion in the group. | `string` | n/a | yes |
-| <a name="input_protection_group_id"></a> [protection\_group\_id](#input\_protection\_group\_id) | The name of the protection group. | `string` | n/a | yes |
+| <a name="input_protection_group_config"></a> [protection\_group\_config](#input\_protection\_group\_config) | `id` - The name of the protection group, or protection\_group\_id<br>  `aggregation` - Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.<br>  `pattern` - The criteria to use to choose the protected resources for inclusion in the group.<br>  `resource_type` - (Optional) The resource type to include in the protection group. You must set this only when you set pattern to `BY_RESOURCE_TYPE`. | <pre>list(object({<br>    id            = string<br>    aggregation   = string<br>    pattern       = string<br>    resource_type = optional(string)<br>  }))</pre> | n/a | yes |
 | <a name="input_resource_arn"></a> [resource\_arn](#input\_resource\_arn) | The ARN (Amazon Resource Name) of the resource to be protected. | `string` | n/a | yes |
 | <a name="input_health_check_configuration"></a> [health\_check\_configuration](#input\_health\_check\_configuration) | Amazon Route53 Health Check Configuration to be associated to AWS Shield Advanced Protection. | `map(any)` | `null` | no |
-| <a name="input_resource_type"></a> [resource\_type](#input\_resource\_type) | The resource type to include in the protection group. This is required if `pattern` is set to BY\_RESOURCE\_TYPE. Otherwise this must be not set. Defaults to `null` | `string` | `null` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | Key-value map of resource tags. Defaults to `{}` | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Key-value map of resource tags to apply to all taggable resources created by the module. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. Defaults to `{}`. | `map(string)` | `{}` | no |
 
 ### Outputs
 
diff --git a/main.tf b/main.tf
@@ -17,11 +17,13 @@ resource "aws_shield_protection" "this" {
 }
 
 resource "aws_shield_protection_group" "this" {
-  protection_group_id = var.protection_group_id
-  aggregation         = var.aggregation
-  pattern             = var.pattern
-  members             = [var.resource_arn]
-  resource_type       = var.resource_type
+  for_each = var.protection_group_config != null ? { for config in var.protection_group_config : config.id => config } : {}
+
+  protection_group_id = each.value.id
+  aggregation         = each.value.aggregation
+  pattern             = each.value.pattern
+  resource_type       = each.value.resource_type
+  members             = try([var.resource_arn], [])
   tags = merge(
     local.tags,
     var.tags
diff --git a/test/complete/main.tf b/test/complete/main.tf
@@ -11,12 +11,62 @@ resource "aws_eip" "example" {
   domain = "vpc"
 }
 
+
+
 module "shield_advanced" {
   source = "../.."
 
-  name                = "Example protection"
-  resource_arn        = "${local.arn_prefix}/${aws_eip.example.id}"
-  protection_group_id = "example"
-  aggregation         = "MEAN"
-  pattern             = "ARBITRARY"
+  name         = "Example protection"
+  resource_arn = "${local.arn_prefix}/${aws_eip.example.id}"
+
+  protection_group_config = [
+    {
+      id          = "Arbitrary Resource"
+      aggregation = "MEAN"
+      pattern     = "ARBITRARY"
+      members     = "${local.arn_prefix}/${aws_eip.example.id}"
+    },
+    {
+      id          = "All Resources"
+      aggregation = "MEAN"
+      pattern     = "ALL"
+    },
+    {
+      id            = "CloudFront Resource"
+      aggregation   = "SUM"
+      pattern       = "BY_RESOURCE_TYPE"
+      resource_type = "CLOUDFRONT_DISTRIBUTION"
+    },
+    {
+      id            = "Route53 Resource"
+      aggregation   = "MAX"
+      pattern       = "BY_RESOURCE_TYPE"
+      resource_type = "ROUTE_53_HOSTED_ZONE"
+    },
+    {
+      id            = "GlobalAccelerator Resource"
+      aggregation   = "SUM"
+      pattern       = "BY_RESOURCE_TYPE"
+      resource_type = "GLOBAL_ACCELERATOR"
+    },
+    {
+      id            = "ALB Resource"
+      aggregation   = "MEAN"
+      pattern       = "BY_RESOURCE_TYPE"
+      resource_type = "APPLICATION_LOAD_BALANCER"
+    },
+    {
+      id            = "CLB Resource"
+      aggregation   = "MEAN"
+      pattern       = "BY_RESOURCE_TYPE"
+      resource_type = "CLASSIC_LOAD_BALANCER"
+    },
+    {
+      id            = "ElasticIP Resource"
+      aggregation   = "SUM"
+      pattern       = "BY_RESOURCE_TYPE"
+      resource_type = "ELASTIC_IP_ALLOCATION"
+    },
+  ]
+
 }
diff --git a/variables.tf b/variables.tf
@@ -8,43 +8,54 @@ variable "resource_arn" {
   type        = string
 }
 
-variable "protection_group_id" {
-  description = "The name of the protection group."
-  type        = string
-}
-
-variable "aggregation" {
-  description = "Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events."
-  type        = string
+variable "protection_group_config" {
+  description = <<EOF
+  `id` - The name of the protection group, or protection_group_id
+  `aggregation` - Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.
+  `pattern` - The criteria to use to choose the protected resources for inclusion in the group.
+  `resource_type` - (Optional) The resource type to include in the protection group. You must set this only when you set pattern to `BY_RESOURCE_TYPE`.
+  EOF
+  type = list(object({
+    id            = string
+    aggregation   = string
+    pattern       = string
+    resource_type = optional(string)
+  }))
   validation {
-    condition = contains([
-      "SUM",
-      "MEAN",
-      "MAX",
-    ], var.aggregation)
-    error_message = "Valid values for `var.aggregation` are `SUM | MEAN | MAX`."
+    condition = alltrue([
+      for config in var.protection_group_config : contains([
+        "SUM",
+        "MEAN",
+        "MAX",
+        ], config.aggregation) && contains([
+        "ARBITRARY",
+        "ALL",
+        "BY_RESOURCE_TYPE",
+        ], config.pattern) && contains([
+        "APPLICATION_LOAD_BALANCER",
+        "CLASSIC_LOAD_BALANCER",
+        "CLOUDFRONT_DISTRIBUTION",
+        "ELASTIC_IP_ALLOCATION",
+        "GLOBAL_ACCELERATOR",
+        "ROUTE_53_HOSTED_ZONE",
+      ], config.resource_type) if config.resource_type != null
+    ])
+    error_message = <<EOF
+    Valid values for `aggregation` are `SUM | MEAN | MAX`.
+    Valid values for `pattern` are `ARBITRARY | ALL | BY_RESOURCE_TYPE`. You must declare `members` parameter when using the `ARBITRARY` pattern, using a list with the content of the `var.resource_arn`.
+    Valid values for `resource_type` are `APPLICATION_LOAD_BALANCER | CLASSIC_LOAD_BALANCER | CLOUDFRONT_DISTRIBUTION | ELASTIC_IP_ALLOCATION | GLOBAL_ACCELERATOR | ROUTE_53_HOSTED_ZONE`.
+    EOF
   }
 }
 
-variable "pattern" {
-  description = "The criteria to use to choose the protected resources for inclusion in the group."
-  type        = string
-}
-
-variable "resource_type" {
-  description = "The resource type to include in the protection group. This is required if `pattern` is set to BY_RESOURCE_TYPE. Otherwise this must be not set. Defaults to `null`"
-  type        = string
-  default     = null
-}
-
 variable "health_check_configuration" {
   description = "Amazon Route53 Health Check Configuration to be associated to AWS Shield Advanced Protection."
   type        = map(any)
   default     = null
 }
 
 variable "tags" {
-  description = "Key-value map of resource tags. Defaults to `{}`"
+  description = "Key-value map of resource tags to apply to all taggable resources created by the module. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. Defaults to `{}`."
   type        = map(string)
   default     = {}
 }
