
tessl/pypi-terraformpy

Python library and CLI tool for generating Terraform JSON configurations using full Python programming capabilities


AWS Hooks

AWS-specific hooks and utilities for handling AWS resource configurations and provider quirks. This module provides specialized transformation functions to ensure proper Terraform configuration generation for AWS resources.

Capabilities

Security Group Rule Transformation

Utility for ensuring AWS security group rules have all required attributes properly defined to avoid Terraform provider issues.

def fill_in_optional_aws_security_group_rules_attrs(object_id: str, attrs: dict) -> dict:
    """
    Ensure AWS security group rules have all mandatory attributes defined.

    Parameters:
    - object_id: str - The resource object ID
    - attrs: dict - Resource attributes to transform

    Returns:
    dict - Modified attributes with all optional rule attributes set to None if missing

    This function processes 'ingress' and 'egress' rule blocks and ensures all
    optional attributes are explicitly set to None to prevent Terraform provider issues.
    """

Security Group Hook Installation

Convenience function for installing the AWS security group attribute transformation hook.

def install_aws_security_group_attributes_as_blocks_hook() -> None:
    """
    Install hook for AWS security group attribute handling.

    This installs a transformation hook that ensures all ingress and egress blocks
    have all mandatory attributes defined as None so they compile out as null.

    Addresses: https://github.com/terraform-providers/terraform-provider-aws/issues/8786
    """

Constants

Security Group Rule Attributes

SECURITY_GROUP_RULE_OPTIONAL_ATTRS: tuple = (
    "cidr_blocks",
    "ipv6_cidr_blocks",
    "prefix_list_ids",
    "security_groups",
    "self",
    "description"
)
"""
Tuple of optional attribute names for AWS security group rules.
These attributes must be explicitly set to None if not provided
to avoid Terraform AWS provider validation issues.
"""

Usage Examples

Basic AWS Security Group Hook Usage

from terraformpy import Resource
from terraformpy.hooks.aws import install_aws_security_group_attributes_as_blocks_hook

# Install the AWS security group hook globally
install_aws_security_group_attributes_as_blocks_hook()

# Create security group - hook will automatically ensure proper attribute handling
web_sg = Resource('aws_security_group', 'web',
    name='web-security-group',
    description='Security group for web server',
    vpc_id='${aws_vpc.main.id}',

    ingress=[
        {
            'from_port': 80,
            'to_port': 80,
            'protocol': 'tcp',
            'cidr_blocks': ['0.0.0.0/0']
            # Missing optional attributes will be automatically set to None
        },
        {
            'from_port': 443,
            'to_port': 443,
            'protocol': 'tcp',
            'security_groups': ['${aws_security_group.alb.id}']
            # Missing optional attributes will be automatically set to None
        }
    ],

    egress=[
        {
            'from_port': 0,
            'to_port': 0,
            'protocol': '-1',
            'cidr_blocks': ['0.0.0.0/0']
            # Missing optional attributes will be automatically set to None
        }
    ]
)

Manual Hook Application

from terraformpy import Resource
from terraformpy.hooks.aws import fill_in_optional_aws_security_group_rules_attrs

# Apply transformation manually to specific attributes
sg_attrs = {
    'name': 'my-security-group',
    'ingress': [
        {
            'from_port': 22,
            'to_port': 22,
            'protocol': 'tcp',
            'cidr_blocks': ['10.0.0.0/8']
            # Missing: ipv6_cidr_blocks, prefix_list_ids, security_groups, self, description
        }
    ]
}

# Transform attributes to ensure all optional fields are present
transformed_attrs = fill_in_optional_aws_security_group_rules_attrs('aws_security_group.ssh', sg_attrs)

# Create resource with transformed attributes
ssh_sg = Resource('aws_security_group', 'ssh', **transformed_attrs)
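
What the transformation leaves in each rule once it compiles to JSON, as an added stand-alone sketch that is not terraformpy's own code. `fill_in_rules` is a stand-in written from the behaviour documented above, `world_open_ingress` is a hypothetical audit helper with the same `(object_id, attrs)` shape that has to tolerate the `None` values the fill-in introduces, and the sample attributes are constructed.

```python
import json

# Attribute names copied from SECURITY_GROUP_RULE_OPTIONAL_ATTRS on this page.
OPTIONAL_ATTRS = ("cidr_blocks", "ipv6_cidr_blocks", "prefix_list_ids",
                  "security_groups", "self", "description")
WORLD = {"0.0.0.0/0", "::/0"}


def fill_in_rules(object_id, attrs):
    """Stand-in for the documented hook: add missing optional rule attrs as None."""
    for block in ("ingress", "egress"):
        for rule in attrs.get(block) or []:
            for name in OPTIONAL_ATTRS:
                rule.setdefault(name, None)  # values the caller supplied are kept
    return attrs


def world_open_ingress(object_id, attrs):
    """Hypothetical audit helper: list ingress rules reachable from any address.

    After fill-in the CIDR lists may be None, so each one is guarded with `or []`.
    """
    findings = []
    for rule in attrs.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        for cidr in cidrs:
            if cidr in WORLD:
                findings.append((object_id, rule["from_port"], rule["to_port"], cidr))
    return findings


def demo():
    # Constructed sample attributes, modelled on the usage examples on this page.
    attrs = {
        "name": "example-sg",
        "ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp",
             "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 443, "to_port": 443, "protocol": "tcp",
             "security_groups": ["${aws_security_group.alb.id}"]},
        ],
    }
    filled = fill_in_rules("aws_security_group.example", attrs)
    return json.dumps(filled, indent=2), world_open_ingress("aws_security_group.example", filled)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Every rule in the rendered JSON carries all six optional keys, with `null` for the ones that were not supplied, and only the port 22 rule is reported as open to any address.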

Using with Resource Collections

from terraformpy import ResourceCollection, Resource
from terraformpy.hooks.aws import install_aws_security_group_attributes_as_blocks_hook
# schematics field types live in schematics.types, not in the top-level package
from schematics.types import StringType
from schematics.types.compound import ListType

class WebTierSecurityGroups(ResourceCollection):
    vpc_id = StringType(required=True)
    allowed_cidrs = ListType(StringType(), default=['0.0.0.0/0'])

    def create_resources(self):
        # Install AWS hooks for this collection
        install_aws_security_group_attributes_as_blocks_hook()

        # ALB security group
        self.alb_sg = Resource('aws_security_group', 'alb',
            name='alb-security-group',
            vpc_id=self.vpc_id,
            ingress=[
                {
                    'from_port': 80,
                    'to_port': 80,
                    'protocol': 'tcp',
                    'cidr_blocks': self.allowed_cidrs
                },
                {
                    'from_port': 443,
                    'to_port': 443,
                    'protocol': 'tcp',
                    'cidr_blocks': self.allowed_cidrs
                }
            ]
        )

        # Web server security group
        self.web_sg = Resource('aws_security_group', 'web',
            name='web-security-group',
            vpc_id=self.vpc_id,
            ingress=[
                {
                    'from_port': 80,
                    'to_port': 80,
                    'protocol': 'tcp',
                    'security_groups': [self.alb_sg.id]
                }
            ]
        )

# Usage
web_security = WebTierSecurityGroups(
    vpc_id='${aws_vpc.main.id}',
    allowed_cidrs=['10.0.0.0/8', '172.16.0.0/12']
)

Hook System Integration

from terraformpy import Resource, TFObject
from terraformpy.hooks.aws import fill_in_optional_aws_security_group_rules_attrs

# Add hook directly to Resource class
Resource.add_hook('aws_security_group', fill_in_optional_aws_security_group_rules_attrs)

# Or add to the global TFObject system
TFObject.add_hook('aws_security_group', fill_in_optional_aws_security_group_rules_attrs)

# Now all aws_security_group resources will automatically use the hook
security_group = Resource('aws_security_group', 'example',
    name='example-sg',
    ingress=[{'from_port': 22, 'to_port': 22, 'protocol': 'tcp', 'cidr_blocks': ['0.0.0.0/0']}]
)

Best Practices

When to Use AWS Hooks

  • Always use install_aws_security_group_attributes_as_blocks_hook() when working with AWS security groups
  • Use early in your configuration - call once at the beginning of your script
  • Use in ResourceCollections that create AWS security groups to ensure consistent behavior

Troubleshooting AWS Provider Issues

The AWS hooks address common Terraform AWS provider validation errors:

# Without hooks - may cause Terraform validation errors:
Resource('aws_security_group', 'broken',
    ingress=[{
        'from_port': 80,
        'to_port': 80,
        'protocol': 'tcp',
        'cidr_blocks': ['0.0.0.0/0']
        # Missing optional attributes may cause provider validation errors
    }]
)

# With hooks - guaranteed to work:
from terraformpy.hooks.aws import install_aws_security_group_attributes_as_blocks_hook
install_aws_security_group_attributes_as_blocks_hook()

Resource('aws_security_group', 'working',
    ingress=[{
        'from_port': 80,
        'to_port': 80,
        'protocol': 'tcp',
        'cidr_blocks': ['0.0.0.0/0']
        # Hook automatically adds missing attributes as None
    }]
)

Install with Tessl CLI

npx tessl i tessl/pypi-terraformpy
