feat: Filtering imported security groups by IDs

`terraforming sg` now accepts one or more security groups via `--group-ids sg-12345 sg-234456`. This limits the tf output to include only the two security groups. Similarly, `terraform sg --tfstate --group-ids sg-12345` limits the tfstate output to include only the security group. An expected use-case to this flag is to gradually migrate hundreds of your security groups under the control of terraform, without worrying about the huge tf/tfstate diff on initial import. Run `terraforming help sg` to see the description of the flag: ``` bundle exec bin/terraforming help sg Usage: terraforming sg Options: [--group-ids=one two three] # Filter exported security groups by IDs [--merge=MERGE] # tfstate file to merge [--overwrite], [--no-overwrite] # Overwrite existing tfstate [--tfstate], [--no-tfstate] # Generate tfstate [--profile=PROFILE] # AWS credentials profile [--region=REGION] # AWS region [--assume=ASSUME] # Role ARN to assume [--use-bundled-cert], [--no-use-bundled-cert] # Use the bundled CA certificate from AWS SDK Security Group ```
dtan4 · May 16, 2018 · 38a6a15 · 38a6a15
1 parent c1d467b
commit 38a6a15
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 12 deletions.
diff --git a/lib/terraforming.rb b/lib/terraforming.rb
@@ -22,7 +22,6 @@
 require "terraforming/util"
 require "terraforming/version"
 
-require "terraforming/cli"
 require "terraforming/resource/alb"
 require "terraforming/resource/auto_scaling_group"
 require "terraforming/resource/cloud_watch_alarm"
@@ -66,3 +65,4 @@
 require "terraforming/resource/vpn_gateway"
 require "terraforming/resource/sns_topic"
 require "terraforming/resource/sns_topic_subscription"
+require "terraforming/cli"
diff --git a/lib/terraforming/cli.rb b/lib/terraforming/cli.rb
@@ -1,5 +1,9 @@
 module Terraforming
   class CLI < Thor
+    OPTIONS_AVAILABLE_TO_SUBCOMMANDS = [
+        Terraforming::Resource::SecurityGroup::AVAILABLE_OPTIONS,
+    ].reduce(:concat).freeze
+
     class_option :merge, type: :string, desc: "tfstate file to merge"
     class_option :overwrite, type: :boolean, desc: "Overwrite existing tfstate"
     class_option :tfstate, type: :boolean, desc: "Generate tfstate"
@@ -191,6 +195,7 @@ def s3
     end
 
     desc "sg", "Security Group"
+    method_option :"group-ids", type: :array, desc: "Filter exported security groups by IDs"
     def sg
       execute(Terraforming::Resource::SecurityGroup, options)
     end
@@ -242,7 +247,13 @@ def configure_aws(options)
 
     def execute(klass, options)
       configure_aws(options)
-      result = options[:tfstate] ? tfstate(klass, options[:merge]) : tf(klass)
+
+      subcommand_options = options.select { |k, v| OPTIONS_AVAILABLE_TO_SUBCOMMANDS.include? k }
+      result = if options[:tfstate]
+                 tfstate(klass, options[:merge], subcommand_options)
+               else
+                 tf(klass, subcommand_options)
+               end
 
       if options[:tfstate] && options[:merge] && options[:overwrite]
         open(options[:merge], "w+") do |f|
@@ -254,14 +265,23 @@ def execute(klass, options)
       end
     end
 
-    def tf(klass)
-      klass.tf
+    def tf(klass, options={})
+      if options.empty?
+        klass.tf
+      else
+        klass.tf(options)
+      end
     end
 
-    def tfstate(klass, tfstate_path)
+    def tfstate(klass, tfstate_path, options={})
       tfstate = tfstate_path ? MultiJson.load(open(tfstate_path).read) : tfstate_skeleton
       tfstate["serial"] = tfstate["serial"] + 1
-      tfstate["modules"][0]["resources"] = tfstate["modules"][0]["resources"].merge(klass.tfstate)
+      tfstate_addition = if options.empty?
+                           klass.tfstate
+                         else
+                           klass.tfstate(options)
+                         end
+      tfstate["modules"][0]["resources"] = tfstate["modules"][0]["resources"].merge(tfstate_addition)
       MultiJson.encode(tfstate, pretty: true)
     end
 

diff --git a/lib/terraforming/resource/security_group.rb b/lib/terraforming/resource/security_group.rb
@@ -3,16 +3,35 @@ module Resource
     class SecurityGroup
       include Terraforming::Util
 
-      def self.tf(client: Aws::EC2::Client.new)
-        self.new(client).tf
+      module Options
+        GROUP_IDS = 'group-ids'
       end
 
-      def self.tfstate(client: Aws::EC2::Client.new)
-        self.new(client).tfstate
+      AVAILABLE_OPTIONS = [
+          Options::GROUP_IDS,
+      ].freeze
+
+      def self.tf(options={})
+        opts = apply_defaults_to_options(options)
+        self
+            .new(opts[:client], opts)
+            .tf
+      end
+
+      def self.tfstate(options={})
+        opts = apply_defaults_to_options(options)
+        self.new(opts[:client], opts).tfstate
+      end
+
+      def self.apply_defaults_to_options(options)
+        options.dup.tap { |o|
+          o[:client] ||= Aws::EC2::Client.new
+        }
       end
 
-      def initialize(client)
+      def initialize(client, options)
         @client = client
+        @group_ids = options[Options::GROUP_IDS]
       end
 
       def tf
@@ -159,7 +178,12 @@ def self_referenced_permission?(security_group, permission)
       end
 
       def security_groups
-        @client.describe_security_groups.map(&:security_groups).flatten
+        description = if @group_ids
+                        @client.describe_security_groups(group_ids: @group_ids)
+                      else
+                        @client.describe_security_groups
+                      end
+        description.map(&:security_groups).flatten
       end
 
       def security_groups_in(permission, security_group)