feat(security-group): support ram share

posquit0 · posquit0 · commit 7b22fc1fd509 · 2025-10-27T01:42:09.000+09:00
diff --git a/modules/security-group/README.md b/modules/security-group/README.md
@@ -26,6 +26,7 @@ This module creates following resources.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |
+| <a name="module_share"></a> [share](#module\_share) | tedilabs/organization/aws//modules/ram-share | ~> 0.4.0 |
 
 ## Resources
 
@@ -49,6 +50,7 @@ This module creates following resources.
 | <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
 | <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/>    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/>    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/>    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/>    enabled     = optional(bool, true)<br/>    name        = optional(string, "")<br/>    description = optional(string, "Managed by Terraform.")<br/>  })</pre> | `{}` | no |
 | <a name="input_revoke_rules_on_delete"></a> [revoke\_rules\_on\_delete](#input\_revoke\_rules\_on\_delete) | (Optional) Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. This is normally not needed. | `bool` | `false` | no |
+| <a name="input_shares"></a> [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). | <pre>list(object({<br/>    name = optional(string)<br/><br/>    permissions = optional(set(string), ["AWSRAMDefaultPermissionsSecurityGroup"])<br/><br/>    external_principals_allowed = optional(bool, false)<br/>    principals                  = optional(set(string), [])<br/><br/>    tags = optional(map(string), {})<br/>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
 | <a name="input_vpc_associations"></a> [vpc\_associations](#input\_vpc\_associations) | (Optional) A set of VPC IDs to associate with the security group. | `set(string)` | `[]` | no |
 
@@ -65,6 +67,7 @@ This module creates following resources.
 | <a name="output_owner_id"></a> [owner\_id](#output\_owner\_id) | The ID of the AWS account that owns the security group. |
 | <a name="output_region"></a> [region](#output\_region) | The AWS region this module resources resides in. |
 | <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |
+| <a name="output_sharing"></a> [sharing](#output\_sharing) | The configuration for sharing of the security group.<br/>    `status` - An indication of whether the security group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.<br/>    `shares` - The list of resource shares via RAM (Resource Access Manager). |
 | <a name="output_vpc_associations"></a> [vpc\_associations](#output\_vpc\_associations) | A set |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the associated VPC. |
 <!-- END_TF_DOCS -->
diff --git a/modules/security-group/outputs.tf b/modules/security-group/outputs.tf
@@ -96,3 +96,15 @@ output "resource_group" {
     )
   )
 }
+
+output "sharing" {
+  description = <<EOF
+  The configuration for sharing of the security group.
+    `status` - An indication of whether the security group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
+    `shares` - The list of resource shares via RAM (Resource Access Manager).
+  EOF
+  value = {
+    status = length(module.share) > 0 ? "SHARED_BY_ME" : "NOT_SHARED"
+    shares = module.share
+  }
+}
diff --git a/modules/security-group/ram-share.tf b/modules/security-group/ram-share.tf
@@ -0,0 +1,37 @@
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+module "share" {
+  source  = "tedilabs/organization/aws//modules/ram-share"
+  version = "~> 0.4.0"
+
+  for_each = {
+    for share in var.shares :
+    share.name => share
+  }
+
+  region = aws_security_group.this.region
+
+  name = "vpc.security-group.${var.name}.${each.key}"
+
+  resources = [
+    aws_security_group.this.arn
+  ]
+
+  permissions = each.value.permissions
+
+  external_principals_allowed = each.value.external_principals_allowed
+  principals                  = each.value.principals
+
+  resource_group = {
+    enabled = false
+  }
+  module_tags_enabled = false
+
+  tags = merge(
+    local.module_tags,
+    var.tags,
+    each.value.tags,
+  )
+}
diff --git a/modules/security-group/variables.tf b/modules/security-group/variables.tf
@@ -169,3 +169,24 @@ variable "resource_group" {
   default  = {}
   nullable = false
 }
+
+
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+variable "shares" {
+  description = "(Optional) A list of resource shares via RAM (Resource Access Manager)."
+  type = list(object({
+    name = optional(string)
+
+    permissions = optional(set(string), ["AWSRAMDefaultPermissionsSecurityGroup"])
+
+    external_principals_allowed = optional(bool, false)
+    principals                  = optional(set(string), [])
+
+    tags = optional(map(string), {})
+  }))
+  default  = []
+  nullable = false
+}

Original file line number	Diff line number	Diff line change
`@@ -96,3 +96,15 @@ output "resource_group" {`
`96`	`96`	`)`
`97`	`97`	`)`
`98`	`98`	`}`
	`99`	`+`
	`100`	`+output "sharing" {`
	`101`	`+ description = <<EOF`
	`102`	`+ The configuration for sharing of the security group.`
	`103`	+ `status` - An indication of whether the security group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
	`104`	+ `shares` - The list of resource shares via RAM (Resource Access Manager).
	`105`	`+ EOF`
	`106`	`+ value = {`
	`107`	`+ status = length(module.share) > 0 ? "SHARED_BY_ME" : "NOT_SHARED"`
	`108`	`+ shares = module.share`
	`109`	`+ }`
	`110`	`+}`