Can aws_directory_service_directory return the security group #5750
Comments
Hi @msnelling - good call here. I'm trying to figure out which SecurityGroupId is the correct one for us to set. There's one here: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DirectoryConnectSettings.html And there's one here: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DirectoryVpcSettingsDescription.html The second one seems to be legacy though. If you have a bit more context, can you point us in the right direction here?
I haven't used the API but imagine that it maps closely to the "aws cli" command set. When creating a directory service with
So the thing that makes me hesitate on the VpcSettings one is this part of the description:
I suppose whoever picks this up can do some quick testing to see whether the other value gets populated. Should be pretty simple to implement! 👍
Hmm, looking at the results of the
Perhaps! Or based on that quote I cited - perhaps that is old behavior they no longer perform?
I got a response from AWS support, they say that currently the only way to get the security group is to use the directory id and filter the security groups based on that. For example using the AWS CLI tool
Might be a pretty heavy cost to pay just to get this feature, but one way we could make this work is to finish up #4961, after which I was expecting that many of the AWS "Describe" APIs would get exposed as data sources. In this case, it might look something like this:

```hcl
resource "aws_directory_service_directory" "main" {
  // ...
}

data "aws_security_group" "directory_group" {
  name = "d-${aws_directory_service_directory.main.id}_controllers"
  // (and any of the other "filter" arguments here, optionally)
  // the data source returns a single matching security group if exactly
  // one is returned, or fails if the response returns zero or more than one
  // security group. (query is over- or under-specified)
}

// some other resource, for example:
resource "..." "..." {
  vpc_security_group_id = "${data.aws_security_group.directory_group.id}"
  // ...
}
```

Again, this makes a relatively simple suggestion dependent on a big architectural change, which isn't great, but it does have the advantage of avoiding hard-coding that naming convention within Terraform itself, allowing the user's Terraform config (which is easier to adapt as needed) to use the convention as I did above.
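As an added example, not from this thread or from the Terraform provider: a small Python helper that applies the approach AWS support described (filter EC2 security groups by the directory id) and enforces the same exactly-one-match rule the data source sketch above relies on. It assumes the group is named `<directory id>_controllers` and accepts any client with a boto3-style `describe_security_groups(Filters=...)` method; the fake client and sample groups are constructed for offline use.

```python
from typing import Any, Dict, List, Optional


def directory_group_filters(directory_id: str, vpc_id: Optional[str] = None) -> List[Dict[str, Any]]:
    """Build EC2 DescribeSecurityGroups filters for a directory's controller group."""
    if not directory_id.startswith("d-"):
        raise ValueError(f"unexpected directory id format: {directory_id!r}")
    # Assumed convention from the thread: the group is named "<directory id>_controllers".
    filters = [{"Name": "group-name", "Values": [f"{directory_id}_controllers"]}]
    if vpc_id:
        # Narrow to the directory's VPC: same-named groups can exist in other VPCs.
        filters.append({"Name": "vpc-id", "Values": [vpc_id]})
    return filters


def select_single_group(groups: List[Dict[str, Any]]) -> str:
    """Return the one matching GroupId; fail when the query is under- or over-specified."""
    if not groups:
        raise LookupError("no security group matched; check the directory id and VPC")
    if len(groups) > 1:
        ids = ", ".join(g["GroupId"] for g in groups)
        raise LookupError(f"several security groups matched ({ids}); add a vpc-id filter")
    return groups[0]["GroupId"]


def lookup_directory_security_group(ec2, directory_id: str, vpc_id: Optional[str] = None) -> str:
    """Resolve a directory's controller security group id through an EC2 client."""
    resp = ec2.describe_security_groups(Filters=directory_group_filters(directory_id, vpc_id))
    return select_single_group(resp.get("SecurityGroups", []))


class FakeEc2Client:
    """Constructed stand-in for boto3's EC2 client so the lookup runs offline."""
    def __init__(self, groups: List[Dict[str, Any]]):
        self._groups = groups

    def describe_security_groups(self, Filters: List[Dict[str, Any]]) -> Dict[str, Any]:
        wanted = {f["Name"]: set(f["Values"]) for f in Filters}
        hits = [g for g in self._groups
                if g["GroupName"] in wanted["group-name"]
                and ("vpc-id" not in wanted or g["VpcId"] in wanted["vpc-id"])]
        return {"SecurityGroups": hits}


SAMPLE_GROUPS = [  # constructed sample data, not output from a real account
    {"GroupId": "sg-0aaa", "GroupName": "d-9067000001_controllers", "VpcId": "vpc-111"},
    {"GroupId": "sg-0bbb", "GroupName": "d-9067000001_controllers", "VpcId": "vpc-222"},
    {"GroupId": "sg-0ccc", "GroupName": "unrelated", "VpcId": "vpc-111"},
]

if __name__ == "__main__":
    ec2 = FakeEc2Client(SAMPLE_GROUPS)  # use boto3.client("ec2") against a real account
    print(lookup_directory_security_group(ec2, "d-9067000001", vpc_id="vpc-111"))  # sg-0aaa
```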
In the meantime, is it possible in any way to use a provisioner to run the
I thought the following might work but got hamstrung by #6460
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
When creating a directory service using aws_directory_service_directory it would be helpful to return the id of the associated security group created at the same time. This would allow the security group to be used when creating other resources.