terraform-aws-modules / terraform-aws-security-group Goto Github PK

View Code? Open in Web Editor NEW

550.0 17.0 1.0K 549 KB

Terraform module to create AWS Security Group resources 🇺🇦

Home Page: https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws

License: Other

HCL 99.28% Shell 0.72%

terraform-module aws-security-group aws security-group aws-vpc

terraform-aws-security-group's Introduction

AWS EC2-VPC Security Group Terraform module

Terraform module which creates EC2 security group within VPC on AWS.

Features

This module aims to implement ALL combinations of arguments supported by AWS and latest stable version of Terraform:

IPv4/IPv6 CIDR blocks
VPC endpoint prefix lists (use data source aws_prefix_list)
Access from source security groups
Access from self
Named rules (see the rules here)
Named groups of rules with ingress (inbound) and egress (outbound) ports open for common scenarios (eg, ssh, http-80, mysql, see the whole list here)
Conditionally create security group and/or all required security group rules.

Ingress and egress rules can be configured in a variety of ways. See inputs section for all supported arguments and complete example for the complete use-case.

If there is a missing feature or a bug - open an issue.

Terraform versions

For Terraform 0.13 or later use any version from v4.5.0 of this module or newer.

For Terraform 0.12 use any version from v3.* to v4.4.0.

If you are using Terraform 0.11 you can use versions v2.*.

Usage

There are two ways to create security groups using this module:

Security group with predefined rules

module "web_server_sg" {
  source = "terraform-aws-modules/security-group/aws//modules/http-80"

  name        = "web-server"
  description = "Security group for web-server with HTTP ports open within VPC"
  vpc_id      = "vpc-12345678"

  ingress_cidr_blocks = ["10.10.0.0/16"]
}

Security group with custom rules

module "vote_service_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_cidr_blocks      = ["10.10.0.0/16"]
  ingress_rules            = ["https-443-tcp"]
  ingress_with_cidr_blocks = [
    {
      from_port   = 8080
      to_port     = 8090
      protocol    = "tcp"
      description = "User-service ports"
      cidr_blocks = "10.10.0.0/16"
    },
    {
      rule        = "postgresql-tcp"
      cidr_blocks = "0.0.0.0/0"
    },
  ]
}

Note about "value of 'count' cannot be computed"

Terraform 0.11 has a limitation which does not allow computed values inside count attribute on resources (issues: #16712, #18015, ...)

Computed values are values provided as outputs from module. Non-computed values are all others - static values, values referenced as variable and from data-sources.

When you need to specify computed value inside security group rule argument you need to specify it using an argument which starts with computed_ and provide a number of elements in the argument which starts with number_of_computed_. See these examples:

module "http_sg" {
  source = "terraform-aws-modules/security-group/aws"
  # omitted for brevity
}

module "db_computed_source_sg" {
  # omitted for brevity

  vpc_id = "vpc-12345678" # these are valid values also - `module.vpc.vpc_id` and `local.vpc_id`

  computed_ingress_with_source_security_group_id = [
    {
      rule                     = "mysql-tcp"
      source_security_group_id = module.http_sg.security_group_id
    }
  ]
  number_of_computed_ingress_with_source_security_group_id = 1
}

module "db_computed_sg" {
  # omitted for brevity

  ingress_cidr_blocks = ["10.10.0.0/16", data.aws_security_group.default.id]

  computed_ingress_cidr_blocks           = [module.vpc.vpc_cidr_block]
  number_of_computed_ingress_cidr_blocks = 1
}

module "db_computed_merged_sg" {
  # omitted for brevity

  computed_ingress_cidr_blocks           = ["10.10.0.0/16", module.vpc.vpc_cidr_block]
  number_of_computed_ingress_cidr_blocks = 2
}

Note that db_computed_sg and db_computed_merged_sg are equal, because it is possible to put both computed and non-computed values in arguments starting with computed_.

Conditional creation

Sometimes you need a way to conditionally create a security group. If you're using Terraform < 0.13 which lacks module support for count, you can instead specify the argument create.

# This security group will not be created
module "vote_service_sg" {
  source = "terraform-aws-modules/security-group/aws"

  create = false
  # ... omitted
}

Examples

Complete Security Group example shows all available parameters to configure security group.
Security Group "Rules Only" example shows how to manage just rules of a security group that is created outside.
HTTP Security Group example shows more applicable security groups for common web-servers.
Disable creation of Security Group example shows how to disable creation of security group.
Dynamic values inside Security Group rules example shows how to specify values inside security group rules (data-sources and variables are allowed).
Computed values inside Security Group rules example shows how to specify computed values inside security group rules (solution for value of 'count' cannot be computed problem).

How to add/update rules/groups?

Rules and groups are defined in rules.tf. Run update_groups.sh when content of that file has changed to recreate content of all automatic modules.

Known issues

No issue is creating limit on this module.

Requirements

Name	Version
terraform	>= 1.0
aws	>= 3.29

Providers

Name	Version
aws	>= 3.29

Modules

No modules.

Resources

Name	Type
aws_security_group.this	resource
aws_security_group.this_name_prefix	resource
aws_security_group_rule.computed_egress_rules	resource
aws_security_group_rule.computed_egress_with_cidr_blocks	resource
aws_security_group_rule.computed_egress_with_ipv6_cidr_blocks	resource
aws_security_group_rule.computed_egress_with_prefix_list_ids	resource
aws_security_group_rule.computed_egress_with_self	resource
aws_security_group_rule.computed_egress_with_source_security_group_id	resource
aws_security_group_rule.computed_ingress_rules	resource
aws_security_group_rule.computed_ingress_with_cidr_blocks	resource
aws_security_group_rule.computed_ingress_with_ipv6_cidr_blocks	resource
aws_security_group_rule.computed_ingress_with_prefix_list_ids	resource
aws_security_group_rule.computed_ingress_with_self	resource
aws_security_group_rule.computed_ingress_with_source_security_group_id	resource
aws_security_group_rule.egress_rules	resource
aws_security_group_rule.egress_with_cidr_blocks	resource
aws_security_group_rule.egress_with_ipv6_cidr_blocks	resource
aws_security_group_rule.egress_with_prefix_list_ids	resource
aws_security_group_rule.egress_with_self	resource
aws_security_group_rule.egress_with_source_security_group_id	resource
aws_security_group_rule.ingress_rules	resource
aws_security_group_rule.ingress_with_cidr_blocks	resource
aws_security_group_rule.ingress_with_ipv6_cidr_blocks	resource
aws_security_group_rule.ingress_with_prefix_list_ids	resource
aws_security_group_rule.ingress_with_self	resource
aws_security_group_rule.ingress_with_source_security_group_id	resource

Inputs

Name	Description	Type	Default	Required
auto_groups	Map of groups of security group rules to use to generate modules (see update_groups.sh)	`map(map(list(string)))`	{ "activemq": { "egress_rules": [ "all-all" ], "ingress_rules": [ "activemq-5671-tcp", "activemq-8883-tcp", "activemq-61614-tcp", "activemq-61617-tcp", "activemq-61619-tcp" ], "ingress_with_self": [ "all-all" ] }, "alertmanager": { "egress_rules": [ "all-all" ], "ingress_rules": [ "alertmanager-9093-tcp", "alertmanager-9094-tcp" ], "ingress_with_self": [ "all-all" ] }, "carbon-relay-ng": { "egress_rules": [ "all-all" ], "ingress_rules": [ "carbon-line-in-tcp", "carbon-line-in-udp", "carbon-pickle-tcp", "carbon-pickle-udp", "carbon-gui-udp" ], "ingress_with_self": [ "all-all" ] }, "cassandra": { "egress_rules": [ "all-all" ], "ingress_rules": [ "cassandra-clients-tcp", "cassandra-thrift-clients-tcp", "cassandra-jmx-tcp" ], "ingress_with_self": [ "all-all" ] }, "consul": { "egress_rules": [ "all-all" ], "ingress_rules": [ "consul-tcp", "consul-grpc-tcp", "consul-grpc-tcp-tls", "consul-webui-http-tcp", "consul-webui-https-tcp", "consul-dns-tcp", "consul-dns-udp", "consul-serf-lan-tcp", "consul-serf-lan-udp", "consul-serf-wan-tcp", "consul-serf-wan-udp" ], "ingress_with_self": [ "all-all" ] }, "dax-cluster": { "egress_rules": [ "all-all" ], "ingress_rules": [ "dax-cluster-unencrypted-tcp", "dax-cluster-encrypted-tcp" ], "ingress_with_self": [ "all-all" ] }, "docker-swarm": { "egress_rules": [ "all-all" ], "ingress_rules": [ "docker-swarm-mngmt-tcp", "docker-swarm-node-tcp", "docker-swarm-node-udp", "docker-swarm-overlay-udp" ], "ingress_with_self": [ "all-all" ] }, "elasticsearch": { "egress_rules": [ "all-all" ], "ingress_rules": [ "elasticsearch-rest-tcp", "elasticsearch-java-tcp" ], "ingress_with_self": [ "all-all" ] }, "etcd": { "egress_rules": [ "all-all" ], "ingress_rules": [ "etcd-client-tcp", "etcd-peer-tcp" ], "ingress_with_self": [ "all-all" ] }, "grafana": { "egress_rules": [ "all-all" ], "ingress_rules": [ "grafana-tcp" ], "ingress_with_self": [ "all-all" ] }, "graphite-statsd": { "egress_rules": [ "all-all" ], "ingress_rules": [ "graphite-webui", "graphite-2003-tcp", "graphite-2004-tcp", "graphite-2023-tcp", "graphite-2024-tcp", "graphite-8080-tcp", "graphite-8125-tcp", "graphite-8125-udp", "graphite-8126-tcp" ], "ingress_with_self": [ "all-all" ] }, "http-80": { "egress_rules": [ "all-all" ], "ingress_rules": [ "http-80-tcp" ], "ingress_with_self": [ "all-all" ] }, "http-8080": { "egress_rules": [ "all-all" ], "ingress_rules": [ "http-8080-tcp" ], "ingress_with_self": [ "all-all" ] }, "https-443": { "egress_rules": [ "all-all" ], "ingress_rules": [ "https-443-tcp" ], "ingress_with_self": [ "all-all" ] }, "https-8443": { "egress_rules": [ "all-all" ], "ingress_rules": [ "https-8443-tcp" ], "ingress_with_self": [ "all-all" ] }, "ipsec-4500": { "egress_rules": [ "all-all" ], "ingress_rules": [ "ipsec-4500-udp" ], "ingress_with_self": [ "all-all" ] }, "ipsec-500": { "egress_rules": [ "all-all" ], "ingress_rules": [ "ipsec-500-udp" ], "ingress_with_self": [ "all-all" ] }, "kafka": { "egress_rules": [ "all-all" ], "ingress_rules": [ "kafka-broker-tcp", "kafka-broker-tls-tcp", "kafka-broker-tls-public-tcp", "kafka-broker-sasl-scram-tcp", "kafka-broker-sasl-scram-tcp", "kafka-broker-sasl-iam-tcp", "kafka-broker-sasl-iam-public-tcp", "kafka-jmx-exporter-tcp", "kafka-node-exporter-tcp" ], "ingress_with_self": [ "all-all" ] }, "kibana": { "egress_rules": [ "all-all" ], "ingress_rules": [ "kibana-tcp" ], "ingress_with_self": [ "all-all" ] }, "kubernetes-api": { "egress_rules": [ "all-all" ], "ingress_rules": [ "kubernetes-api-tcp" ], "ingress_with_self": [ "all-all" ] }, "ldap": { "egress_rules": [ "all-all" ], "ingress_rules": [ "ldap-tcp" ], "ingress_with_self": [ "all-all" ] }, "ldaps": { "egress_rules": [ "all-all" ], "ingress_rules": [ "ldaps-tcp" ], "ingress_with_self": [ "all-all" ] }, "logstash": { "egress_rules": [ "all-all" ], "ingress_rules": [ "logstash-tcp" ], "ingress_with_self": [ "all-all" ] }, "loki": { "egress_rules": [ "all-all" ], "ingress_rules": [ "loki-grafana", "loki-grafana-grpc" ], "ingress_with_self": [ "all-all" ] }, "memcached": { "egress_rules": [ "all-all" ], "ingress_rules": [ "memcached-tcp" ], "ingress_with_self": [ "all-all" ] }, "minio": { "egress_rules": [ "all-all" ], "ingress_rules": [ "minio-tcp" ], "ingress_with_self": [ "all-all" ] }, "mongodb": { "egress_rules": [ "all-all" ], "ingress_rules": [ "mongodb-27017-tcp", "mongodb-27018-tcp", "mongodb-27019-tcp" ], "ingress_with_self": [ "all-all" ] }, "mssql": { "egress_rules": [ "all-all" ], "ingress_rules": [ "mssql-tcp", "mssql-udp", "mssql-analytics-tcp", "mssql-broker-tcp" ], "ingress_with_self": [ "all-all" ] }, "mysql": { "egress_rules": [ "all-all" ], "ingress_rules": [ "mysql-tcp" ], "ingress_with_self": [ "all-all" ] }, "nfs": { "egress_rules": [ "all-all" ], "ingress_rules": [ "nfs-tcp" ], "ingress_with_self": [ "all-all" ] }, "nomad": { "egress_rules": [ "all-all" ], "ingress_rules": [ "nomad-http-tcp", "nomad-rpc-tcp", "nomad-serf-tcp", "nomad-serf-udp" ], "ingress_with_self": [ "all-all" ] }, "ntp": { "egress_rules": [ "all-all" ], "ingress_rules": [ "ntp-udp" ], "ingress_with_self": [ "all-all" ] }, "openvpn": { "egress_rules": [ "all-all" ], "ingress_rules": [ "openvpn-udp", "openvpn-tcp", "openvpn-https-tcp" ], "ingress_with_self": [ "all-all" ] }, "oracle-db": { "egress_rules": [ "all-all" ], "ingress_rules": [ "oracle-db-tcp" ], "ingress_with_self": [ "all-all" ] }, "postgresql": { "egress_rules": [ "all-all" ], "ingress_rules": [ "postgresql-tcp" ], "ingress_with_self": [ "all-all" ] }, "prometheus": { "egress_rules": [ "all-all" ], "ingress_rules": [ "prometheus-http-tcp", "prometheus-pushgateway-http-tcp", "prometheus-node-exporter-http-tcp" ], "ingress_with_self": [ "all-all" ] }, "promtail": { "egress_rules": [ "all-all" ], "ingress_rules": [ "promtail-http" ], "ingress_with_self": [ "all-all" ] }, "puppet": { "egress_rules": [ "all-all" ], "ingress_rules": [ "puppet-tcp", "puppetdb-tcp" ], "ingress_with_self": [ "all-all" ] }, "rabbitmq": { "egress_rules": [ "all-all" ], "ingress_rules": [ "rabbitmq-4369-tcp", "rabbitmq-5671-tcp", "rabbitmq-5672-tcp", "rabbitmq-15672-tcp", "rabbitmq-25672-tcp" ], "ingress_with_self": [ "all-all" ] }, "rdp": { "egress_rules": [ "all-all" ], "ingress_rules": [ "rdp-tcp", "rdp-udp" ], "ingress_with_self": [ "all-all" ] }, "redis": { "egress_rules": [ "all-all" ], "ingress_rules": [ "redis-tcp" ], "ingress_with_self": [ "all-all" ] }, "redshift": { "egress_rules": [ "all-all" ], "ingress_rules": [ "redshift-tcp" ], "ingress_with_self": [ "all-all" ] }, "smtp": { "egress_rules": [ "all-all" ], "ingress_rules": [ "smtp-tcp" ], "ingress_with_self": [ "all-all" ] }, "smtp-submission": { "egress_rules": [ "all-all" ], "ingress_rules": [ "smtp-submission-587-tcp", "smtp-submission-2587-tcp" ], "ingress_with_self": [ "all-all" ] }, "smtps": { "egress_rules": [ "all-all" ], "ingress_rules": [ "smtps-465-tcp", "smtps-2465-tcp" ], "ingress_with_self": [ "all-all" ] }, "solr": { "egress_rules": [ "all-all" ], "ingress_rules": [ "solr-tcp" ], "ingress_with_self": [ "all-all" ] }, "splunk": { "egress_rules": [ "all-all" ], "ingress_rules": [ "splunk-indexer-tcp", "splunk-web-tcp", "splunk-splunkd-tcp", "splunk-hec-tcp" ], "ingress_with_self": [ "all-all" ] }, "squid": { "egress_rules": [ "all-all" ], "ingress_rules": [ "squid-proxy-tcp" ], "ingress_with_self": [ "all-all" ] }, "ssh": { "egress_rules": [ "all-all" ], "ingress_rules": [ "ssh-tcp" ], "ingress_with_self": [ "all-all" ] }, "storm": { "egress_rules": [ "all-all" ], "ingress_rules": [ "storm-nimbus-tcp", "storm-ui-tcp", "storm-supervisor-tcp" ], "ingress_with_self": [ "all-all" ] }, "vault": { "egress_rules": [ "all-all" ], "ingress_rules": [ "vault-tcp" ], "ingress_with_self": [ "all-all" ] }, "wazuh": { "egress_rules": [ "all-all" ], "ingress_rules": [ "wazuh-server-agent-connection-tcp", "wazuh-server-agent-connection-udp", "wazuh-server-agent-enrollment", "wazuh-server-agent-cluster-daemon", "wazuh-server-syslog-collector-tcp", "wazuh-server-syslog-collector-udp", "wazuh-server-restful-api", "wazuh-indexer-restful-api", "wazuh-dashboard" ], "ingress_with_self": [ "all-all" ] }, "web": { "egress_rules": [ "all-all" ], "ingress_rules": [ "http-80-tcp", "http-8080-tcp", "https-443-tcp", "web-jmx-tcp" ], "ingress_with_self": [ "all-all" ] }, "winrm": { "egress_rules": [ "all-all" ], "ingress_rules": [ "winrm-http-tcp", "winrm-https-tcp" ], "ingress_with_self": [ "all-all" ] }, "zabbix": { "egress_rules": [ "all-all" ], "ingress_rules": [ "zabbix-server", "zabbix-proxy", "zabbix-agent" ], "ingress_with_self": [ "all-all" ] }, "zipkin": { "egress_rules": [ "all-all" ], "ingress_rules": [ "zipkin-admin-tcp", "zipkin-admin-query-tcp", "zipkin-admin-web-tcp", "zipkin-query-tcp", "zipkin-web-tcp" ], "ingress_with_self": [ "all-all" ] }, "zookeeper": { "egress_rules": [ "all-all" ], "ingress_rules": [ "zookeeper-2181-tcp", "zookeeper-2182-tls-tcp", "zookeeper-2888-tcp", "zookeeper-3888-tcp", "zookeeper-jmx-tcp" ], "ingress_with_self": [ "all-all" ] } }	no
computed_egress_rules	List of computed egress rules to create by name	`list(string)`	`[]`	no
computed_egress_with_cidr_blocks	List of computed egress rules to create where 'cidr_blocks' is used	`list(map(string))`	`[]`	no
computed_egress_with_ipv6_cidr_blocks	List of computed egress rules to create where 'ipv6_cidr_blocks' is used	`list(map(string))`	`[]`	no
computed_egress_with_prefix_list_ids	List of computed egress rules to create where 'prefix_list_ids' is used only	`list(map(string))`	`[]`	no
computed_egress_with_self	List of computed egress rules to create where 'self' is defined	`list(map(string))`	`[]`	no
computed_egress_with_source_security_group_id	List of computed egress rules to create where 'source_security_group_id' is used	`list(map(string))`	`[]`	no
computed_ingress_rules	List of computed ingress rules to create by name	`list(string)`	`[]`	no
computed_ingress_with_cidr_blocks	List of computed ingress rules to create where 'cidr_blocks' is used	`list(map(string))`	`[]`	no
computed_ingress_with_ipv6_cidr_blocks	List of computed ingress rules to create where 'ipv6_cidr_blocks' is used	`list(map(string))`	`[]`	no
computed_ingress_with_prefix_list_ids	List of computed ingress rules to create where 'prefix_list_ids' is used	`list(map(string))`	`[]`	no
computed_ingress_with_self	List of computed ingress rules to create where 'self' is defined	`list(map(string))`	`[]`	no
computed_ingress_with_source_security_group_id	List of computed ingress rules to create where 'source_security_group_id' is used	`list(map(string))`	`[]`	no
create	Whether to create security group and all rules	`bool`	`true`	no
create_sg	Whether to create security group	`bool`	`true`	no
create_timeout	Time to wait for a security group to be created	`string`	`"10m"`	no
delete_timeout	Time to wait for a security group to be deleted	`string`	`"15m"`	no
description	Description of security group	`string`	`"Security Group managed by Terraform"`	no
egress_cidr_blocks	List of IPv4 CIDR ranges to use on all egress rules	`list(string)`	[ "0.0.0.0/0" ]	no
egress_ipv6_cidr_blocks	List of IPv6 CIDR ranges to use on all egress rules	`list(string)`	[ "::/0" ]	no
egress_prefix_list_ids	List of prefix list IDs (for allowing access to VPC endpoints) to use on all egress rules	`list(string)`	`[]`	no
egress_rules	List of egress rules to create by name	`list(string)`	`[]`	no
egress_with_cidr_blocks	List of egress rules to create where 'cidr_blocks' is used	`list(map(string))`	`[]`	no
egress_with_ipv6_cidr_blocks	List of egress rules to create where 'ipv6_cidr_blocks' is used	`list(map(string))`	`[]`	no
egress_with_prefix_list_ids	List of egress rules to create where 'prefix_list_ids' is used only	`list(map(string))`	`[]`	no
egress_with_self	List of egress rules to create where 'self' is defined	`list(map(string))`	`[]`	no
egress_with_source_security_group_id	List of egress rules to create where 'source_security_group_id' is used	`list(map(string))`	`[]`	no
ingress_cidr_blocks	List of IPv4 CIDR ranges to use on all ingress rules	`list(string)`	`[]`	no
ingress_ipv6_cidr_blocks	List of IPv6 CIDR ranges to use on all ingress rules	`list(string)`	`[]`	no
ingress_prefix_list_ids	List of prefix list IDs (for allowing access to VPC endpoints) to use on all ingress rules	`list(string)`	`[]`	no
ingress_rules	List of ingress rules to create by name	`list(string)`	`[]`	no
ingress_with_cidr_blocks	List of ingress rules to create where 'cidr_blocks' is used	`list(map(string))`	`[]`	no
ingress_with_ipv6_cidr_blocks	List of ingress rules to create where 'ipv6_cidr_blocks' is used	`list(map(string))`	`[]`	no
ingress_with_prefix_list_ids	List of ingress rules to create where 'prefix_list_ids' is used only	`list(map(string))`	`[]`	no
ingress_with_self	List of ingress rules to create where 'self' is defined	`list(map(string))`	`[]`	no
ingress_with_source_security_group_id	List of ingress rules to create where 'source_security_group_id' is used	`list(map(string))`	`[]`	no
name	Name of security group - not required if create_sg is false	`string`	`null`	no
number_of_computed_egress_rules	Number of computed egress rules to create by name	`number`	`0`	no
number_of_computed_egress_with_cidr_blocks	Number of computed egress rules to create where 'cidr_blocks' is used	`number`	`0`	no
number_of_computed_egress_with_ipv6_cidr_blocks	Number of computed egress rules to create where 'ipv6_cidr_blocks' is used	`number`	`0`	no
number_of_computed_egress_with_prefix_list_ids	Number of computed egress rules to create where 'prefix_list_ids' is used only	`number`	`0`	no
number_of_computed_egress_with_self	Number of computed egress rules to create where 'self' is defined	`number`	`0`	no
number_of_computed_egress_with_source_security_group_id	Number of computed egress rules to create where 'source_security_group_id' is used	`number`	`0`	no
number_of_computed_ingress_rules	Number of computed ingress rules to create by name	`number`	`0`	no
number_of_computed_ingress_with_cidr_blocks	Number of computed ingress rules to create where 'cidr_blocks' is used	`number`	`0`	no
number_of_computed_ingress_with_ipv6_cidr_blocks	Number of computed ingress rules to create where 'ipv6_cidr_blocks' is used	`number`	`0`	no
number_of_computed_ingress_with_prefix_list_ids	Number of computed ingress rules to create where 'prefix_list_ids' is used	`number`	`0`	no
number_of_computed_ingress_with_self	Number of computed ingress rules to create where 'self' is defined	`number`	`0`	no
number_of_computed_ingress_with_source_security_group_id	Number of computed ingress rules to create where 'source_security_group_id' is used	`number`	`0`	no
putin_khuylo	Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!	`bool`	`true`	no
revoke_rules_on_delete	Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. Enable for EMR.	`bool`	`false`	no
rules	Map of known security group rules (define as 'name' = ['from port', 'to port', 'protocol', 'description'])	`map(list(any))`	{ "_": [ "", "", "" ], "activemq-5671-tcp": [ 5671, 5671, "tcp", "ActiveMQ AMQP" ], "activemq-61614-tcp": [ 61614, 61614, "tcp", "ActiveMQ STOMP" ], "activemq-61617-tcp": [ 61617, 61617, "tcp", "ActiveMQ OpenWire" ], "activemq-61619-tcp": [ 61619, 61619, "tcp", "ActiveMQ WebSocket" ], "activemq-8883-tcp": [ 8883, 8883, "tcp", "ActiveMQ MQTT" ], "alertmanager-9093-tcp": [ 9093, 9093, "tcp", "Alert Manager" ], "alertmanager-9094-tcp": [ 9094, 9094, "tcp", "Alert Manager Cluster" ], "all-all": [ -1, -1, "-1", "All protocols" ], "all-icmp": [ -1, -1, "icmp", "All IPV4 ICMP" ], "all-ipv6-icmp": [ -1, -1, 58, "All IPV6 ICMP" ], "all-tcp": [ 0, 65535, "tcp", "All TCP ports" ], "all-udp": [ 0, 65535, "udp", "All UDP ports" ], "carbon-admin-tcp": [ 2004, 2004, "tcp", "Carbon admin" ], "carbon-gui-udp": [ 8081, 8081, "tcp", "Carbon GUI" ], "carbon-line-in-tcp": [ 2003, 2003, "tcp", "Carbon line-in" ], "carbon-line-in-udp": [ 2003, 2003, "udp", "Carbon line-in" ], "carbon-pickle-tcp": [ 2013, 2013, "tcp", "Carbon pickle" ], "carbon-pickle-udp": [ 2013, 2013, "udp", "Carbon pickle" ], "cassandra-clients-tcp": [ 9042, 9042, "tcp", "Cassandra clients" ], "cassandra-jmx-tcp": [ 7199, 7199, "tcp", "JMX" ], "cassandra-thrift-clients-tcp": [ 9160, 9160, "tcp", "Cassandra Thrift clients" ], "consul-dns-tcp": [ 8600, 8600, "tcp", "Consul DNS" ], "consul-dns-udp": [ 8600, 8600, "udp", "Consul DNS" ], "consul-grpc-tcp": [ 8502, 8502, "tcp", "Consul gRPC" ], "consul-grpc-tcp-tls": [ 8503, 8503, "tcp", "Consul gRPC TLS" ], "consul-serf-lan-tcp": [ 8301, 8301, "tcp", "Serf LAN" ], "consul-serf-lan-udp": [ 8301, 8301, "udp", "Serf LAN" ], "consul-serf-wan-tcp": [ 8302, 8302, "tcp", "Serf WAN" ], "consul-serf-wan-udp": [ 8302, 8302, "udp", "Serf WAN" ], "consul-tcp": [ 8300, 8300, "tcp", "Consul server" ], "consul-webui-http-tcp": [ 8500, 8500, "tcp", "Consul web UI HTTP" ], "consul-webui-https-tcp": [ 8501, 8501, "tcp", "Consul web UI HTTPS" ], "dax-cluster-encrypted-tcp": [ 9111, 9111, "tcp", "DAX Cluster encrypted" ], "dax-cluster-unencrypted-tcp": [ 8111, 8111, "tcp", "DAX Cluster unencrypted" ], "dns-tcp": [ 53, 53, "tcp", "DNS" ], "dns-udp": [ 53, 53, "udp", "DNS" ], "docker-swarm-mngmt-tcp": [ 2377, 2377, "tcp", "Docker Swarm cluster management" ], "docker-swarm-node-tcp": [ 7946, 7946, "tcp", "Docker Swarm node" ], "docker-swarm-node-udp": [ 7946, 7946, "udp", "Docker Swarm node" ], "docker-swarm-overlay-udp": [ 4789, 4789, "udp", "Docker Swarm Overlay Network Traffic" ], "elasticsearch-java-tcp": [ 9300, 9300, "tcp", "Elasticsearch Java interface" ], "elasticsearch-rest-tcp": [ 9200, 9200, "tcp", "Elasticsearch REST interface" ], "etcd-client-tcp": [ 2379, 2379, "tcp", "Etcd Client" ], "etcd-peer-tcp": [ 2380, 2380, "tcp", "Etcd Peer" ], "grafana-tcp": [ 3000, 3000, "tcp", "Grafana Dashboard" ], "graphite-2003-tcp": [ 2003, 2003, "tcp", "Carbon receiver plain text" ], "graphite-2004-tcp": [ 2004, 2004, "tcp", "Carbon receiver pickle" ], "graphite-2023-tcp": [ 2023, 2023, "tcp", "Carbon aggregator plaintext" ], "graphite-2024-tcp": [ 2024, 2024, "tcp", "Carbon aggregator pickle" ], "graphite-8080-tcp": [ 8080, 8080, "tcp", "Graphite gunicorn port" ], "graphite-8125-tcp": [ 8125, 8125, "tcp", "Statsd TCP" ], "graphite-8125-udp": [ 8125, 8125, "udp", "Statsd UDP default" ], "graphite-8126-tcp": [ 8126, 8126, "tcp", "Statsd admin" ], "graphite-webui": [ 80, 80, "tcp", "Graphite admin interface" ], "http-80-tcp": [ 80, 80, "tcp", "HTTP" ], "http-8080-tcp": [ 8080, 8080, "tcp", "HTTP" ], "https-443-tcp": [ 443, 443, "tcp", "HTTPS" ], "https-8443-tcp": [ 8443, 8443, "tcp", "HTTPS" ], "ipsec-4500-udp": [ 4500, 4500, "udp", "IPSEC NAT-T" ], "ipsec-500-udp": [ 500, 500, "udp", "IPSEC ISAKMP" ], "kafka-broker-sasl-iam-public-tcp": [ 9198, 9198, "tcp", "Kafka SASL/IAM Public access control enabled (MSK specific)" ], "kafka-broker-sasl-iam-tcp": [ 9098, 9098, "tcp", "Kafka SASL/IAM access control enabled (MSK specific)" ], "kafka-broker-sasl-scram-public-tcp": [ 9196, 9196, "tcp", "Kafka SASL/SCRAM Public enabled broker (MSK specific)" ], "kafka-broker-sasl-scram-tcp": [ 9096, 9096, "tcp", "Kafka SASL/SCRAM enabled broker (MSK specific)" ], "kafka-broker-tcp": [ 9092, 9092, "tcp", "Kafka PLAINTEXT enable broker 0.8.2+" ], "kafka-broker-tls-public-tcp": [ 9194, 9194, "tcp", "Kafka TLS Public enabled broker 0.8.2+ (MSK specific)" ], "kafka-broker-tls-tcp": [ 9094, 9094, "tcp", "Kafka TLS enabled broker 0.8.2+" ], "kafka-jmx-exporter-tcp": [ 11001, 11001, "tcp", "Kafka JMX Exporter" ], "kafka-node-exporter-tcp": [ 11002, 11002, "tcp", "Kafka Node Exporter" ], "kibana-tcp": [ 5601, 5601, "tcp", "Kibana Web Interface" ], "kubernetes-api-tcp": [ 6443, 6443, "tcp", "Kubernetes API Server" ], "ldap-tcp": [ 389, 389, "tcp", "LDAP" ], "ldaps-tcp": [ 636, 636, "tcp", "LDAPS" ], "logstash-tcp": [ 5044, 5044, "tcp", "Logstash" ], "loki-grafana": [ 3100, 3100, "tcp", "Grafana Loki endpoint" ], "loki-grafana-grpc": [ 9095, 9095, "tcp", "Grafana Loki GRPC" ], "memcached-tcp": [ 11211, 11211, "tcp", "Memcached" ], "minio-tcp": [ 9000, 9000, "tcp", "MinIO" ], "mongodb-27017-tcp": [ 27017, 27017, "tcp", "MongoDB" ], "mongodb-27018-tcp": [ 27018, 27018, "tcp", "MongoDB shard" ], "mongodb-27019-tcp": [ 27019, 27019, "tcp", "MongoDB config server" ], "mssql-analytics-tcp": [ 2383, 2383, "tcp", "MSSQL Analytics" ], "mssql-broker-tcp": [ 4022, 4022, "tcp", "MSSQL Broker" ], "mssql-tcp": [ 1433, 1433, "tcp", "MSSQL Server" ], "mssql-udp": [ 1434, 1434, "udp", "MSSQL Browser" ], "mysql-tcp": [ 3306, 3306, "tcp", "MySQL/Aurora" ], "nfs-tcp": [ 2049, 2049, "tcp", "NFS/EFS" ], "nomad-http-tcp": [ 4646, 4646, "tcp", "Nomad HTTP" ], "nomad-rpc-tcp": [ 4647, 4647, "tcp", "Nomad RPC" ], "nomad-serf-tcp": [ 4648, 4648, "tcp", "Serf" ], "nomad-serf-udp": [ 4648, 4648, "udp", "Serf" ], "ntp-udp": [ 123, 123, "udp", "NTP" ], "octopus-tentacle-tcp": [ 10933, 10933, "tcp", "Octopus Tentacle" ], "openvpn-https-tcp": [ 443, 443, "tcp", "OpenVPN" ], "openvpn-tcp": [ 943, 943, "tcp", "OpenVPN" ], "openvpn-udp": [ 1194, 1194, "udp", "OpenVPN" ], "oracle-db-tcp": [ 1521, 1521, "tcp", "Oracle" ], "postgresql-tcp": [ 5432, 5432, "tcp", "PostgreSQL" ], "prometheus-http-tcp": [ 9090, 9090, "tcp", "Prometheus" ], "prometheus-node-exporter-http-tcp": [ 9100, 9100, "tcp", "Prometheus Node Exporter" ], "prometheus-pushgateway-http-tcp": [ 9091, 9091, "tcp", "Prometheus Pushgateway" ], "promtail-http": [ 9080, 9080, "tcp", "Promtail endpoint" ], "puppet-tcp": [ 8140, 8140, "tcp", "Puppet" ], "puppetdb-tcp": [ 8081, 8081, "tcp", "PuppetDB" ], "rabbitmq-15672-tcp": [ 15672, 15672, "tcp", "RabbitMQ" ], "rabbitmq-25672-tcp": [ 25672, 25672, "tcp", "RabbitMQ" ], "rabbitmq-4369-tcp": [ 4369, 4369, "tcp", "RabbitMQ epmd" ], "rabbitmq-5671-tcp": [ 5671, 5671, "tcp", "RabbitMQ" ], "rabbitmq-5672-tcp": [ 5672, 5672, "tcp", "RabbitMQ" ], "rdp-tcp": [ 3389, 3389, "tcp", "Remote Desktop" ], "rdp-udp": [ 3389, 3389, "udp", "Remote Desktop" ], "redis-tcp": [ 6379, 6379, "tcp", "Redis" ], "redshift-tcp": [ 5439, 5439, "tcp", "Redshift" ], "saltstack-tcp": [ 4505, 4506, "tcp", "SaltStack" ], "smtp-submission-2587-tcp": [ 2587, 2587, "tcp", "SMTP Submission" ], "smtp-submission-587-tcp": [ 587, 587, "tcp", "SMTP Submission" ], "smtp-tcp": [ 25, 25, "tcp", "SMTP" ], "smtps-2456-tcp": [ 2465, 2465, "tcp", "SMTPS" ], "smtps-465-tcp": [ 465, 465, "tcp", "SMTPS" ], "solr-tcp": [ 8983, 8987, "tcp", "Solr" ], "splunk-hec-tcp": [ 8088, 8088, "tcp", "Splunk HEC" ], "splunk-indexer-tcp": [ 9997, 9997, "tcp", "Splunk indexer" ], "splunk-splunkd-tcp": [ 8089, 8089, "tcp", "Splunkd" ], "splunk-web-tcp": [ 8000, 8000, "tcp", "Splunk Web" ], "squid-proxy-tcp": [ 3128, 3128, "tcp", "Squid default proxy" ], "ssh-tcp": [ 22, 22, "tcp", "SSH" ], "storm-nimbus-tcp": [ 6627, 6627, "tcp", "Nimbus" ], "storm-supervisor-tcp": [ 6700, 6703, "tcp", "Supervisor" ], "storm-ui-tcp": [ 8080, 8080, "tcp", "Storm UI" ], "vault-tcp": [ 8200, 8200, "tcp", "Vault" ], "wazuh-dashboard": [ 443, 443, "tcp", "Wazuh web user interface" ], "wazuh-indexer-restful-api": [ 9200, 9200, "tcp", "Wazuh indexer RESTful API" ], "wazuh-server-agent-cluster-daemon": [ 1516, 1516, "tcp", "Wazuh cluster daemon" ], "wazuh-server-agent-connection-tcp": [ 1514, 1514, "tcp", "Agent connection service(TCP)" ], "wazuh-server-agent-connection-udp": [ 1514, 1514, "udp", "Agent connection service(UDP)" ], "wazuh-server-agent-enrollment": [ 1515, 1515, "tcp", "Agent enrollment service" ], "wazuh-server-restful-api": [ 55000, 55000, "tcp", "Wazuh server RESTful API" ], "wazuh-server-syslog-collector-tcp": [ 514, 514, "tcp", "Wazuh Syslog collector(TCP)" ], "wazuh-server-syslog-collector-udp": [ 514, 514, "udp", "Wazuh Syslog collector(UDP)" ], "web-jmx-tcp": [ 1099, 1099, "tcp", "JMX" ], "winrm-http-tcp": [ 5985, 5985, "tcp", "WinRM HTTP" ], "winrm-https-tcp": [ 5986, 5986, "tcp", "WinRM HTTPS" ], "zabbix-agent": [ 10050, 10050, "tcp", "Zabbix Agent" ], "zabbix-proxy": [ 10051, 10051, "tcp", "Zabbix Proxy" ], "zabbix-server": [ 10051, 10051, "tcp", "Zabbix Server" ], "zipkin-admin-query-tcp": [ 9901, 9901, "tcp", "Zipkin Admin port query" ], "zipkin-admin-tcp": [ 9990, 9990, "tcp", "Zipkin Admin port collector" ], "zipkin-admin-web-tcp": [ 9991, 9991, "tcp", "Zipkin Admin port web" ], "zipkin-query-tcp": [ 9411, 9411, "tcp", "Zipkin query port" ], "zipkin-web-tcp": [ 8080, 8080, "tcp", "Zipkin web port" ], "zookeeper-2181-tcp": [ 2181, 2181, "tcp", "Zookeeper" ], "zookeeper-2182-tls-tcp": [ 2182, 2182, "tcp", "Zookeeper TLS (MSK specific)" ], "zookeeper-2888-tcp": [ 2888, 2888, "tcp", "Zookeeper" ], "zookeeper-3888-tcp": [ 3888, 3888, "tcp", "Zookeeper" ], "zookeeper-jmx-tcp": [ 7199, 7199, "tcp", "JMX" ] }	no
security_group_id	ID of existing security group whose rules we will manage	`string`	`null`	no
tags	A mapping of tags to assign to security group	`map(string)`	`{}`	no
use_name_prefix	Whether to use name_prefix or fixed name. Should be true to able to update security group name after initial creation	`bool`	`true`	no
vpc_id	ID of the VPC where to create security group	`string`	`null`	no

Outputs

Name	Description
security_group_arn	The ARN of the security group
security_group_description	The description of the security group
security_group_id	The ID of the security group
security_group_name	The name of the security group
security_group_owner_id	The owner ID
security_group_vpc_id	The VPC ID

Authors

Module managed by Anton Babenko.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus

Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
Putin khuylo!

terraform-aws-security-group's People

Contributors

Stargazers

Watchers

Forkers

mapk0y codevally grem11n paulolobt shapeways johnypony3 devops-workflow ryanhornbeck husstech newcontext-oss headspacemeditation mbsiemens schneems ashex 2solt chrislovecnm jmackley79 rastandy ehtobsemaj aki-chat99 gpestana justincampbell ifmorrison william-richard hmhco madmaze kuldeep-surendra ironicbadger pvanbuijtene nx0 qafro1 subdavis jbadigital jamesp9 seetwobyte dhirenshumsher tom-butler lukaspour rponcetn diegoalex88 alisdair gitboo kira garyshanes nickma hde candonov sperka venkatanchuri dnarwani robh007 viniciusperes-x fn123fn123 tklovett jordiclariana briantyr tickbox-smc davidcelis frankduan philldeakin praveen03 kishorekumark flickerfly trectenwald nguyenhoamy1602 robomfeinberg morais90 srirasri vijay2233 martinssu kkannanece1989 kirbyfu talbright alexcloudops isaaguilar fitness-lifestyle-group armchairlinguist yo61 marchenko-devpro etopeter tekniqueltd suizman toneb30 francisv-ets merbla abhineetraj veerumot huu672 andreichernov maartenvanderhoef gitmor cul ttsrg gamichalski stephencoe jipengxiang hbocodelabs jboero riponbanik premkumarcandy

terraform-aws-security-group's Issues

Creation of group with IPv6 ICMP rules hangs and returns error

To reproduce:

`module "Test-ICMP-V6" {
source = "terraform-aws-modules/security-group/aws"

name = "Test-ICMP-V6"
description = "this is a test"
vpc_id = "${data.aws_vpcs.vpc.ids[0]}"

egress_with_cidr_blocks = [
{
from_port = -1
to_port = -1
protocol = "58"
description = "ICMP V6 ALL"
ipv6_cidr_blocks = ["::/0"]
},
]
}`

Behavior:

The group gets created on AWS

However, terraform does not return success. After minutes it times out with an error:

Creating the group as an aws_security_group resource works fine.

Thank you.

Map contains elements of type list

Hi,

Some maps/strings interpolation problem.

module.sg.aws_security_group_rule.ingress_with_cidr_blocks[1]: lookup: lookup() may only be used with flat maps, this map contains elements of type list in:

${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}
* module.sg.aws_security_group_rule.ingress_with_cidr_blocks[0]: lookup: lookup() may only be used with flat maps, this map contains elements of type list in:
${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}

relevant code example:

module "sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "test"
  description = "Security group for the instance"
  vpc_id      = "${var.vpc_id}"

  ingress_with_cidr_blocks = [
    {
      from_port   = -1
      to_port     = -1
      protocol    = "icmp"
      description = "Allow ICMP"
      cidr_blocks = ["${data.aws_vpc.vpc.cidr_block}"] 
    }
  ]
}

Unrelated question, is there a way to lock version in the source?

Thanks!

module fails silently to create inbound rules

Description
I am unable to create a security with inbound rule using this module.

Repro steps

create the following file: main.tf

module "security_group" {
  source = "terraform-aws-modules/security-group/aws"

  name = "terraform-bastion-security-group"
  vpc_id = "${module.vpc.vpc_id}"
  description = "Security group that allows devs to connect to private EC2 subnets"

  ingress_cidr_blocks = [
    {
      cidr_blocks = "173.138.148.14/32"
      description = "office"
      rule = "ssh-tcp"

    },
    {
      cidr_blocks = "134.140.91.119/32"
      description = "home2"
      rule = "ssh-tcp"
    },
    {
      cidr_blocks = "162.126.201.144/32"
      description = "home1"
      rule = "ssh-tcp"
    }
  ]

  tags = {
    Terraform = "true"
    Environment = "test"
  }
}

I've excluded the vpc module code because it doesn't seem relevant to my issue.

terraform plan -out=plan.out
terraform apply plan.out

Expected behavior
The security group is created 3 inbound rules.

Actual behavior
The security group is created without any inbound rules.

Notes
Terraform doesn't output any warnings/errors, so it would appear that my usage if the module is valid.

Dependency error with single security group

I had a dependency error when creating a single security group for use on a single EC2 instance (created by terraform-aws-modules/security-group/aws).

After the instance was created, I changed the name of the security group and did terraform apply. Terraform took 10 min to wait for a destroy on the security group, then gave the dependency error:

...
-/+ module.security_group.aws_security_group.this (new resource required)
      id:                       "sg-03893f4be81e8ad9d" => <computed> (forces new resource)
      arn:                      "arn:aws:ec2:eu-west-1:XXXX:security-group/sg-03893f4be81e8ad9d" => <computed>
      description:              "xxxxx" => "zzzz"
      egress.#:                 "1" => <computed>
      ingress.#:                "2" => <computed>
      name:                     "myserver-xxx" => "myserver-yyy" (forces new resource)
      owner_id:                 "276818062819" => <computed>
      revoke_rules_on_delete:   "false" => "false"
      vpc_id:                   "vpc-vvv" => "vpc-vvv"


Plan: 2 to add, 1 to change, 2 to destroy.

...

aws_eip.this: Destroying... (ID: eipalloc-0bf8d34d76f43e362)
module.security_group.aws_security_group.this: Destroying... (ID: sg-03893f4be81e8ad9d)
aws_eip.this: Destruction complete after 6s
module.security_group.aws_security_group.this: Still destroying... (ID: sg-03893f4be81e8ad9d, 10s elapsed)
...
module.security_group.aws_security_group.this: Still destroying... (ID: sg-03893f4be81e8ad9d, 9m50s elapsed)
module.security_group.aws_security_group.this: Still destroying... (ID: sg-03893f4be81e8ad9d, 10m0s elapsed)

Error: Error applying plan:

1 error(s) occurred:

* module.security_group.aws_security_group.this (destroy): 1 error(s) occurred:

* aws_security_group.this: DependencyViolation: resource sg-03893f4be81e8ad9d has a dependent object
	status code: 400, request id: e50faf0c-b74b-487f-aa75-6f7f3ec1256c

I worked around this by detaching the security group from the instance and re-doing the apply, but ultimately Terraform decided it had to destroy & re-create the instance (in dev environment fortunately).

Module code

Using Terraform 0.11.3

module "security_group" {
  source = "terraform-aws-modules/security-group/aws"
  version = "1.20.0"

  name        = "${var.env}-xxxx"

  description = "Security group xxxx"
  vpc_id      = "${var.vpc_id}"

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["ssh-tcp", "https-443-tcp", "all-icmp"]
  egress_rules        = ["all-all"]
}

# Get most recent AMI ID for Ubuntu 16.04
data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}


resource "aws_key_pair" "aws_admin" {
  key_name   = "aws-admin"
  public_key = "${file("${var.public_key_path}")}"
}


module "ec2" {
  source = "terraform-aws-modules/ec2-instance/aws"
  version = "1.5.0"

  name                        = "${var.env}-myserver"
  instance_count              = 1

  ami                         = "${data.aws_ami.ubuntu.id}"
  instance_type               = "t2.micro"
  subnet_id                   = "${var.subnet_id}"
  vpc_security_group_ids      = ["${module.security_group.this_security_group_id}"]
  associate_public_ip_address = true

  key_name                    = "${aws_key_pair.aws_admin.key_name}"
  monitoring                  = false 
}

Variables

variable "aws_region" {
  description = "AWS region"
  type        = "string"
}

variable "env" {
  description = "Environment"
  type        = "string"
}

variable "vpc_id" {
  description = "ID for this VPC"
  type        = "string"
}

variable "subnet_id" {
  description = "Subnet ID for this EC2 instance"
  type        = "string"
}

variable "public_key_path" {
  description = "Path to the SSH Public Key to add to AWS."
  type        = "string"
}

Possible workaround

This workaround (not yet tried) may solve this problem, by using name_prefix and create-before-destroy as the lifecycle. However, this may not be a general fix for everyone.

Interested to hear about any better workarounds, or how this might be fixed.

Thank you for a great module BTW!

Security group templates start wide open

variable "ingress_cidr_blocks" {
  description = "List of IPv4 CIDR ranges to use on all ingress rules"
  default     = ["0.0.0.0/0"]
}

variable "ingress_ipv6_cidr_blocks" {
  description = "List of IPv6 CIDR ranges to use on all ingress rules"
  default     = ["::/0"]
}

example from postgresql module. It seems acceptable to have egress be open by default but it should NOT be open by default on ingress. Didnt check all of the other predefines; but they also appear to have the same issue.

Output ingress and egress rules contitionally

Output of both ingress and egress rules currently does not work, because when a security group is created the attributes ingress and egress rules have the type of list of map, but when a security group is not created output can be anything (empty string or empty list).

Terraform has few limitations:

conditional operator cannot be used with list values
true and false expression types must match; have type list and type map

Can somebody figure out what value to write in output to work in both situations:

output "this_security_group_ingress" {
  description = "The ingress rules"
  value       = "${element(concat(aws_security_group.this.*.ingress, list("")), 0)}"
}

output "this_security_group_egress" {
  description = "The egress rules"
  value       = "${element(concat(aws_security_group.this.*.egress, list("")), 0)}"
}

Unable to set timeouts

When creating multi-az instances, the creation time goes beyond the default timeout of 40mins.

Terraform now supports setting timeouts for create, update and delete.

On the module this is not possible yet.

Error launching source instance: VPCResourceNotSpecified

Hi,

Good day.

I receive the following error when attempting to run packer:

$ packer build terraform-aws-nomad/examples/nomad-consul-ami/nomad-consul-docker.json
amazon-linux-ami: Error launching source instance: VPCResourceNotSpecified: The specified instance type can only be used in a VPC. A subnet ID or network interface ID is required to carry out the request.

I'll manually find an AMI, just thought I would raise the issue. Hope it is the correct channel.

Regards.
JJ

Add descriptions to rules

See this - hashicorp/terraform#16216 (comment)

aws_autoscaling_group.landing-backend-asg: aws_autoscaling_group.landing-backend-asg: diffs didn't match during apply

Hello,

Got the following error regarding ASG:

Error: Error applying plan:

2 error(s) occurred:

aws_autoscaling_group.landing-backend-asg: aws_autoscaling_group.landing-backend-asg: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Please include the following information in your report:

Terraform Version: 0.11.7
Resource ID: aws_autoscaling_group.landing-backend-asg
Mismatch reason: attribute mismatch: availability_zones.1305112097
Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"tag.253834880.key":*terraform.ResourceAttrDiff{Old:"", New:"Name", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "default_cooldown":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "max_size":*terraform.ResourceAttrDiff{Old:"", New:"6", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "service_linked_role_arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "wait_for_capacity_timeout":*terraform.ResourceAttrDiff{Old:"", New:"10m", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.253834880.value":*terraform.ResourceAttrDiff{Old:"", New:"landing-be-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_type":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "target_group_arns.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zones.#":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zones.1305112097":*terraform.ResourceAttrDiff{Old:"", New:"us-east-1b", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zones.3569565595":*terraform.ResourceAttrDiff{Old:"", New:"us-east-1a", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"landing-backend-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "protect_from_scale_in":*terraform.ResourceAttrDiff{Old:"", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.253834880.propagate_at_launch":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "launch_configuration":*terraform.ResourceAttrDiff{Old:"", New:"${aws_launch_configuration.landing-be-lc.name}", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "force_delete":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "min_size":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "metrics_granularity":*terraform.ResourceAttrDiff{Old:"", New:"1Minute", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "load_balancers.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_grace_period":*terraform.ResourceAttrDiff{Old:"", New:"300", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "desired_capacity":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"tag.253834880.key":*terraform.ResourceAttrDiff{Old:"", New:"Name", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "force_delete":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "load_balancers.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "launch_configuration":*terraform.ResourceAttrDiff{Old:"", New:"landing-be-lc-20180608183516869100000002", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.253834880.propagate_at_launch":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "target_group_arns.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.2867234066":*terraform.ResourceAttrDiff{Old:"", New:"subnet-079023da426475303", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_type":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "wait_for_capacity_timeout":*terraform.ResourceAttrDiff{Old:"", New:"10m", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "target_group_arns.1036788961":*terraform.ResourceAttrDiff{Old:"", New:"arn:aws:elasticloadbalancing:us-east-1:926677255207:targetgroup/target-group-be-prod/0975ef99732e3fb4", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.3572172968":*terraform.ResourceAttrDiff{Old:"", New:"subnet-07b55c63d545586ef", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "max_size":*terraform.ResourceAttrDiff{Old:"", New:"6", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "default_cooldown":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "service_linked_role_arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "protect_from_scale_in":*terraform.ResourceAttrDiff{Old:"", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "desired_capacity":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_grace_period":*terraform.ResourceAttrDiff{Old:"", New:"300", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "metrics_granularity":*terraform.ResourceAttrDiff{Old:"", New:"1Minute", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.253834880.value":*terraform.ResourceAttrDiff{Old:"", New:"landing-be-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "min_size":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.#":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"landing-backend-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

Also include as much context as you can about your config, state, and the steps you performed to trigger this error.

aws_autoscaling_group.landing-frontend-asg: aws_autoscaling_group.landing-frontend-asg: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Please include the following information in your report:

Terraform Version: 0.11.7
Resource ID: aws_autoscaling_group.landing-frontend-asg
Mismatch reason: attribute mismatch: availability_zones.1305112097
Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"service_linked_role_arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_type":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "launch_configuration":*terraform.ResourceAttrDiff{Old:"", New:"${aws_launch_configuration.landing-fe-lc.name}", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_grace_period":*terraform.ResourceAttrDiff{Old:"", New:"300", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "target_group_arns.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "default_cooldown":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.203886079.value":*terraform.ResourceAttrDiff{Old:"", New:"landing-fe-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"landing-frontend-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "min_size":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "load_balancers.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zones.3569565595":*terraform.ResourceAttrDiff{Old:"", New:"us-east-1a", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.203886079.key":*terraform.ResourceAttrDiff{Old:"", New:"Name", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "metrics_granularity":*terraform.ResourceAttrDiff{Old:"", New:"1Minute", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zones.1305112097":*terraform.ResourceAttrDiff{Old:"", New:"us-east-1b", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.203886079.propagate_at_launch":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "force_delete":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "wait_for_capacity_timeout":*terraform.ResourceAttrDiff{Old:"", New:"10m", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "max_size":*terraform.ResourceAttrDiff{Old:"", New:"6", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "desired_capacity":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "protect_from_scale_in":*terraform.ResourceAttrDiff{Old:"", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zones.#":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}
Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"tag.203886079.value":*terraform.ResourceAttrDiff{Old:"", New:"landing-fe-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "protect_from_scale_in":*terraform.ResourceAttrDiff{Old:"", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"", New:"landing-frontend-asg", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "metrics_granularity":*terraform.ResourceAttrDiff{Old:"", New:"1Minute", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.203886079.key":*terraform.ResourceAttrDiff{Old:"", New:"Name", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.#":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "force_delete":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.1809229248":*terraform.ResourceAttrDiff{Old:"", New:"subnet-0ef1bc84efaa6e7e5", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "service_linked_role_arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_type":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "launch_configuration":*terraform.ResourceAttrDiff{Old:"", New:"landing-fe-lc-20180608183516803500000001", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tag.203886079.propagate_at_launch":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "max_size":*terraform.ResourceAttrDiff{Old:"", New:"6", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "health_check_grace_period":*terraform.ResourceAttrDiff{Old:"", New:"300", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "min_size":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "target_group_arns.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "default_cooldown":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "desired_capacity":*terraform.ResourceAttrDiff{Old:"", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "load_balancers.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "wait_for_capacity_timeout":*terraform.ResourceAttrDiff{Old:"", New:"10m", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_zone_identifier.504094051":*terraform.ResourceAttrDiff{Old:"", New:"subnet-0674ab6d902d52bcc", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "target_group_arns.3430367253":*terraform.ResourceAttrDiff{Old:"", New:"arn:aws:elasticloadbalancing:us-east-1:XXXXXXXXXXXXXX:targetgroup/target-group-fe-prod/3a6ff9cf06c7c337", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:false, Meta:map[string]interface {}(nil)}

Also include as much context as you can about your config, state, and the steps you performed to trigger this error.

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Group name value.

Hi,

Good day.

Is there any reason why the "Group Name" has this long generated number at the back? Example:

example20181022054634731400000003

Is there a valid need for that? Thanks.

Regards.
JJ

split groups creation from rules adding

I've modified slightly this module for one important feature, and would like to know if you are interested in a PR for improvement.

I've changed the way the module works, by splitting the creation of the SG and the rules into two parts.
The biggest advantage of this is being able to reference other SG at creation time.

diff --git a/terraform/modules/sg/main.tf b/terraform/modules/sg/main.tf
index ffdc8d4..7c5154e 100755
--- a/terraform/modules/sg/main.tf
+++ b/terraform/modules/sg/main.tf
@@ -2,6 +2,8 @@
 # Security group
 #################
 resource "aws_security_group" "this" {
+  count = "${length(var.security_group_id) > 0 ? 0 : 1}"
+
   name        = "${var.name}"

and

 resource "aws_security_group_rule" "ingress_rules" {
   count = "${length(var.ingress_rules)}"
 
-  security_group_id = "${aws_security_group.this.id}"
+  security_group_id = "${var.security_group_id}"
   type              = "ingress"

if it is of interest, i can submit a PR.

thanks in advance

How to use a list variable as input for cidr_blocks within ingress_with_cidr_blocks ?

Maybe this is a know limitation I'm not aware of but I can't use a compted list as input for cidr_blocks within ingress_with_cidr_blocks

module.my_mod.module.my_sg.aws_security_group_rule.ingress_with_cidr_blocks: lookup: lookup() may only be used with flat maps, this map contains elements of type list in:

${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}

ingress_with_cidr_blocks = [
{
from_port = 3000
to_port = 3000
protocol = "tcp"
description = "NodeJSPort"
cidr_blocks = ["${var.my_cidr_blocks}"]
},
]

with
variable "my_cidr_blocks" {
default = [
"10.0.0.0/8",
"192.168.0.0/16",
"172.16.0.0/16",
]
}

ingress_with_source_security_group_id not working with created SG

When you create a SG and then you want to use this SG on another SG ingress_with_source_security_group_id rule, it fails with the following error:

* module.test-security-group.aws_security_group_rule.ingress_with_source_security_group_id: 
aws_security_group_rule.ingress_with_source_security_group_id: value of 'count' cannot be computed

Sample Code:

module "bastion-ec2-security-group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "1.15.0"
  name    = "TestEC2SG"
  vpc_id  = "vpc-xxxxxxx"

  egress_with_cidr_blocks = [
    {
      from_port   = 0
      to_port     = 65535
      protocol    = "-1"
      cidr_blocks = "0.0.0.0/0"
    },
  ]
}

module "bastion-security-group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "1.15.0"
  name    = "TestSG"
  vpc_id  = "vpc-xxxxxxx"

  ingress_with_source_security_group_id = [
    {
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      description = "SSH"
      source_security_group_id = "${module.bastion-ec2-security-group.this_security_group_id}"
    },
  ]
  egress_with_cidr_blocks = [
    {
      from_port   = 0
      to_port     = 65535
      protocol    = "-1"
      cidr_blocks = "0.0.0.0/0"
    },
  ]
}

No rules created when using `computed_ingress_with_source_security_group_id`

Description
No inbound rules are created when using computed_ingress_with_source_security_group_id

Repro steps

Example terraform security group:

module "mysql_wordpress_security_group" {
  source = "terraform-aws-modules/security-group/aws"

  name = "mysql_wordpress_security_group"
  vpc_id = "${module.vpc.vpc_id}"
  description = "test"

  computed_ingress_with_source_security_group_id = [
    {
      source_security_group_id = "${module.ec2_security_group.this_security_group_id}"
      rule = "mysql-tcp"
    }
  ]
  egress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules = ["all-all"]


  tags = {
    Terraform = "true"
    Environment = "${terraform.workspace}"
  }
}

terraform plan & terraform apply

Expected behavior
A security group with an inbound rule is created

Actual behavior
A security group without any inbound rules is created.

Rules lists gives 404 error.

I get a 404 when I try to visit the link: https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws/rules.tf

Has this file moved?

aws_security_group_rule.ingress_rules: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule

I'm getting errors trying to setup my module w/ ingress_with_cidr_blocks

Error: Error applying plan:

1 error(s) occurred:

* module.web_server_sg.module.sg.aws_security_group_rule.ingress_rules: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule

I understand the ingress_with_cidr_blocks is not an option listed in the error, but I'm going off the comment from a previous issue that said this would be ok. I have a pretty bare example of the failure, am I forgetting/missing adding something to my module?

provider "aws" {
  version = "~> 1.31.0"
  alias  = "us-west-1"
  region = "us-west-1"
  profile = "${var.profile}"
}

data "terraform_remote_state" "vpc" {
  backend = "s3"

  config {
    bucket = "${var.vpc_remote_state_bucket}"
    key    = "${var.vpc_remote_state_key}"
    region = "${var.region}"
    profile = "${var.profile}"
  }
}

module "web_server_sg" {
  source = "terraform-aws-modules/security-group/aws//modules/http-80"

  name        = "web-server"
  vpc_id      = "${data.terraform_remote_state.vpc.us_east_vpc1_id}"

  ingress_with_cidr_blocks = [
      {
          "rule" = "http-80-tcp"
          "cidr_blocks" = "0.0.0.0/0"
      },
  ]
}

I've tried w/ both the http-80 module as well as the web module for the source

Value of 'count' cannot be computed

Hello,

It appears that the changes made to the output file from commit "Make use of name_prefix optional (#74)" is causing errors when we try to run a plan with security groups referencing an ingress with source security group id. We receive the following error for each security group:

module.subnet_name.aws_security_group_rule.ingress_with_source_security_group_id: aws_security_group_rule.ingress_with_source_security_group_id: value of 'count' cannot be computed

I have traced this back to the following change in the output file:
Original working code:

output "this_security_group_id" {
  description = "The ID of the security group"
  value       = "${element(concat(aws_security_group.this.*.id, list("")), 0)}"
}

Updated broken code:

output "this_security_group_id" {
  description = "The ID of the security group"
  value       = "${element(concat(coalescelist(aws_security_group.this.*.id, aws_security_group.this_name_prefix.*.id), list("")), 0)}"
}

We are running on tf version v0.11.2, but coalescelist was introduced in v0.9.4 so that shouldn't be a problem. Please let me know if there is any additional information you would like.

Is there any plan to solve the dependencies between Security groups

Hi Guys,
I am starting to write terraform scripts for my company and I am wondering if there is any plan (in this module, I am not yet familiar enough with terraform to understand the inner issue) to solve this issue: #16

It's quite an issue here because it means we either have to manage security groups outside terraform (aws cli for example) and use them as data resources in tf (but it means we also have to properly track them and destroy them if need be ) or we need to run terraform apply multiple times with added lines in the script (which might also be very error prone)

I am hitting the issue because I want to allow connections from a sg to another sg, but if I understand correctly, I will run into it also when I will want to add ec2 containers inside sg. (all my sg have a vpc_id that is computed)

Last minute fixes (module is almost ready)

I am almost done with this module. Remaining:

create rules groups (copy them from tf_aws_sg) + terraform-community-modules/tf_aws_sg#56
update README to describe how to update_groups
review it all
tag, publish to registry, deprecate old repo

I need a second look at all of this, so could you guys take a look and tell me if you see something completely bad/wrong/missing in this module?

/cc @kamilboratynski @brandoconnor @solarce @hakamadare @joestump @tfhartmann ...

ipv6 cidr

the correct cidr for wide open IPv6 is ::/0 not 0.0.0.0/0

Error with creating same ipv6 rule when using multiple *_with_source_security_group_id

Hi,

the following code:

module "alb_sg" {
  source                                                  = "terraform-aws-modules/security-group/aws"

  name                                                    = "alb-sg"
  description                                             = "SG "
  vpc_id                                                  = "${data.aws_vpc.vpc.id}"


  egress_cidr_blocks                                      = ["10.0.0.0/8"]
  egress_rules                                            = ["https-443-tcp"]

  ingress_with_cidr_blocks                                = [
    {
      rule        = "http-80-tcp"
      cidr_blocks = "10.0.0.0/8"
    }
  ]

  egress_with_source_security_group_id                    = [
    {
      rule                     = "mysql-tcp"
      source_security_group_id = "${data.aws_security_group.my_sg.id}"
    }, {
      rule                     = "mysql-tcp"
      source_security_group_id = "${data.aws_security_group.my_other_sg.id}"
    }
  ]
}

produces the following error:

Error message: the specified rule "peer: ::/0, TCP, from port: 3306, to port: 3306, ALLOW" already exists

adding this: egress_ipv6_cidr_blocks = [] fixes the issue, however I no longer get ipv6 CIDRs.

the working is fine for us as we don't currently use ipv6 however I can see it being an issue others.

Cheers,
Josh

Required ipv6 when using ingress_with_cidr_blocks?

Not sure if this is the proper place or not, but...
using this bit of code:

module "internal_sg" {
    source = "github.com/terraform-aws-modules/terraform-aws-security-group?ref=v1.1.4"

    name        = "user-service"
    description = "Security group"
    vpc_id      = "${module.vpc.vpc_id}"
    ingress_cidr_blocks      = ["0.0.0.0/0"]
    ingress_rules            = ["http-80-tcp", "https-443-tcp"]

    ingress_with_cidr_blocks = [
        {
            from_port   = 8080
            to_port     = 8090
            protocol    = "tcp"
            description = "User-service ports"
            cidr_blocks = "0.0.0.0/0"
      }
  ]
}

I consistently get the error: Error: module.internal_sg.aws_security_group_rule.ingress_with_cidr_blocks: "ipv6_cidr_blocks.0" must contain a valid CIDR, got error parsing: invalid CIDR address:

I'm not using IPV6, and I'm not including it in the module definition.

Version is terraform 0.10.8.

Question: ingress_with_cidr_blocks only for 1 env

Lets suppose that I have 2 envs, test and prod:
I would like to add an ingress_with_cidr_blocks only for test env, so:

I tried this:

//variables
variable "ingress_with_cidr" {
  default = [
    {
      from_port   = 3306
      to_port     = 3306
      protocol    = "tcp"
      description = "From all VPC to DB"
      cidr_blocks = "10.2.0.0/16"
    }
  ]
}

(...)
// interpolate for the variable if "test" and empty list if "prod"
ingress_with_cidr_blocks = "${terraform.env == "test" ? var.ingress_with_cidr : list()}

didnt work:

var.ingress_with_cidr_blocks: At column 3, line 1: conditional operator cannot be used with list values in:

${terraform.env == "prod" ? var.ingress_with_cidr : list()}

Any idea how to acomplish this?

Referencing Security Group IDs not yet created as ingress/egress sources

Hi, ran into an issue yesterday when refactoring my tf code, specifically switching to use more security groups as explicit sources for ingress/egress rules. i.e. like point to point networking. To do this I use the ingress_with_source_security_group_id param like this:

  ingress_with_source_security_group_id = [
    {
      from_port = 5432
      to_port = 5432
      protocol = "tcp"
      description = "DB port ingress from ec2-1-sg"
      source_security_group_id = "${module.ec2-1-sg.this_security_group_id}"
    },
    {
      from_port = 5432
      to_port = 5432
      protocol = "tcp"
      description = "DB port ingress from ec2-2-sg"
      source_security_group_id = "${module.ec2-2-sg.this_security_group_id}"
    }
  ]

This fails to plan, because within the module main.tf file the line count = "${length(var.ingress_with_source_security_group_id)}" is trying to count the length of a list that has a computed value somewhere within it...i.e. the source_security_group_id key of the list elements. After a lot of searching, this is a known issue hashicorp/terraform#12570 (comment).

As an experiment, I tired to just pass the value to count directly as a hard coded number of the total number of rules being defined, in the example above that was 2. That planned and applied successfully 🎉.

So I made the following mods to the module to try to include this in a backwards compatible way. The idea being that if you will be using a computed value in the list of rules, to specify the total number. It is a redundant parameter, but I think it's a small price to pay to allow you to be able to reference security groups that are not yet created, from the same single run of terraform apply.

diff --git a/main.tf b/main.tf
index acfb9a6..5efa91e 100644
--- a/main.tf
+++ b/main.tf
@@ -33,7 +33,7 @@ resource "aws_security_group_rule" "ingress_rules" {
 ##########################
 # Security group rules with "source_security_group_id", but without "cidr_blocks" and "self"
 resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
-  count = "${length(var.ingress_with_source_security_group_id)}"
+  count = "${var.ingress_with_source_security_group_id_count > 0 ? var.ingress_with_source_security_group_id_count : length(var.ingress_with_source_security_group_id)}"
 
   security_group_id = "${aws_security_group.this.id}"
   type              = "ingress"
@@ -121,7 +121,7 @@ resource "aws_security_group_rule" "egress_rules" {
 #########################
 # Security group rules with "source_security_group_id", but without "cidr_blocks" and "self"
 resource "aws_security_group_rule" "egress_with_source_security_group_id" {
-  count = "${length(var.egress_with_source_security_group_id)}"
+  count = "${var.egress_with_source_security_group_id_count > 0 ? var.egress_with_source_security_group_id_count : length(var.egress_with_source_security_group_id)}"
 
   security_group_id = "${aws_security_group.this.id}"
   type              = "egress"

diff --git a/variables.tf b/variables.tf
index f82755c..43ac20d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -47,6 +47,11 @@ variable "ingress_with_source_security_group_id" {
   default     = []
 }
 
+variable "ingress_with_source_security_group_id_count" {
+  description = "Number of ingress rules to create where 'source_security_group_id' is used"
+  default     = 0
+}
+
 variable "ingress_cidr_blocks" {
   description = "List of IPv4 CIDR ranges to use on all ingress rules"
   default     = []
@@ -90,6 +95,11 @@ variable "egress_with_source_security_group_id" {
   default     = []
 }
 
+variable "egress_with_source_security_group_id_count" {
+  description = "Number of egress rules to create where 'source_security_group_id' is used"
+  default     = 0
+}
+
 variable "egress_cidr_blocks" {
   description = "List of IPv4 CIDR ranges to use on all egress rules"
   default     = ["0.0.0.0/0"]

However due to another known issue (hashicorp/hil#50), this fails because the interpreter does not skip the evaluation of the false path of the conditional. So the original error of not allowing computed count values still appears. This issue being resolved should make my code above work, but I don't think it will be backwards compatible. Unless they backport the change into all versions of terraform.

I tired to think through all sorts of syntax hacks to try to get the list to evaluate to a number and ignore the computed sg id's, but no luck. Just wanted to post my findings here in case someone else runs into the issue, or if anyone has any ideas. It could be worth adding a note in the docs to warn about this. If so, am happy to make the PR.

EDIT:

better naming of the module in my example code

Adding egress_cidr_block entry does not change infrastructure

Adding a egress_cidr_blocks to the security group module does not cause terraform to detect any changes.

Repro

Create a security group
ex:

module "security_group" {
 source = "terraform-aws-modules/security-group/aws"
 name = "sec-grp1"
 vpc_id = "${module.vpc.vpc_id}"
 ingress_cidr_blocks = [
   "35.192.136.167/32",
   "147.75.192.163/32"]
 ingress_rules = ["ssh-tcp"]
}

Plan and apply the resource using terraform
Add follow key to the security group egress_cidr_blocks = ["0.0.0.0/0"]
Run terraform plan -out=plan.out

Expected behavior
Terraform detects a change to the security group resource

Actual behavior
Terraform does not detect any changes:

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

Add option to disable self-referencing security groups

Currently, when creating security groups, they automatically create self referencing access. For example, in the ssh submodule, by default it allows ALL access to any other instance which is a member of that security group https://github.com/terraform-aws-modules/terraform-aws-security-group/blob/master/modules/ssh/auto_values.tf#L17
This doesn't seem like expected behaviour and there's currently no way to disable it.

Could you please add a condition to disable this self-referential behaviour for both ingress and egress rules. Thanks

"the specified rule <rule> already exists"

I have a terraform recipe where I create via interpolation a set of security groups to authorize ssh access to our instances. When the list of addresses changes, it causes the interpolation to also change, such that all of the security_group_rules need to be deleted and recreated. Unfortunately, the new rules are trying to create while the old rules are still deleting, and I get an error message like below:

* aws_security_group_rule.entries[38]: 1 error(s) occurred:

* aws_security_group_rule.entries.38: [WARN] A duplicate Security Group rule was found on (sg-db2b8396). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
information and instructions for recovery. Error message: the specified rule "peer: redacted/32, TCP, from port: 22, to port: 22, ALLOW" already exists
* aws_security_group_rule.entries[36]: 1 error(s) occurred:

* aws_security_group_rule.entries.36: [WARN] A duplicate Security Group rule was found on (sg-db2b8396). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
information and instructions for recovery. Error message: the specified rule "peer: redacted/32, TCP, from port: 22, to port: 22, ALLOW" already exists

Terraform does not automatically rollback in the face of errors.

Here's a snippet of how I generate the security group rules. I set "create_before_destroy = false" on an expert's suggestion, however it has not solved the issue.

resource "aws_security_group_rule" "entries" {
  count             = "${length(data.aws_security_groups.sg_list.ids) * length(var.authorized_ssh_rangelist)}"
  security_group_id = "${element(data.aws_security_groups.sg_list.ids, count.index / length(var.authorized_ssh_rangelist))}"
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["${lookup(var.authorized_ssh_rangelist[count.index % length(var.authorized_ssh_rangelist)], "cidr")}"]
  description       = "${lookup(var.authorized_ssh_rangelist[count.index % length(var.authorized_ssh_rangelist)], "description")}"

  lifecycle {
    create_before_destroy = false
  }
}

aws_security_group_rule.ingress_rules: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule

Hey there!

I'm trying to replace the following with use of your module:

resource "aws_security_group" "internal_ssh" {
  name        = "${format("%s-%s-internal-ssh", var.name, var.environment)}"
  description = "Allows ssh from bastion"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${module.external_ssh_sg.this_security_group_id}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "tcp"
    cidr_blocks = ["${var.cidr}"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

I'm trying this:

module "internal_ssh_sg" {
  source = "github.com/terraform-aws-modules/terraform-aws-security-group//modules/ssh?ref=v1.2.0"

  name        = "${format("%s-%s-internal-ssh", var.name, var.environment)}"
  description = "Allows ssh from bastion"
  vpc_id      = "${var.vpc_id}"

  ingress_with_source_security_group_id = [
    {
      from_port                = 22
      to_port                  = 22
      protocol                 = "tcp"
      source_security_group_id = "${module.external_ssh_sg.this_security_group_id}"
    },
  ]

  egress_cidr_blocks                    = ["${var.cidr}"]
}

but receive:

* aws_security_group_rule.ingress_rules: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule

Any ideas what I'm doing wrong?
Thanks!

Issue when configuring ingress_with_cidr_blocks from a remote state

Hi there.

I'm using this AWS VPC module to create a VPC and the subnets, and I'm creating this output for the private subnets CIDR blocks.

output "private-subnets" {
  value = "${module.main-vpc.private_subnets_cidr_blocks}"
}

Which generates this, when I run terragunt apply

Outputs:

private-subnets = [
    172.19.101.0/24,
    172.19.102.0/24
]

However, when configuring the ingress_cidr_blocks variable in the security groups module

ingress_cidr_blocks = "${data.terraform_remote_state.vpc-private-cidrs.private-subnets}"

I get this error:

* module.eks-worker-security-group.aws_security_group_rule.ingress_with_cidr_blocks: lookup: lookup() may only be used with flat maps, this map contains elements of type list in:

${split(",", lookup(var.ingress_with_cidr_blocks[count.index], "cidr_blocks", join(",", var.ingress_cidr_blocks)))}

I don't understand why this happens. Questions:

Should I format the output to generate a map instead of a list?
Given that I'm taking the output from a terraform_remote_state datasource, which is supposed to be known and not calculated, shouldn't the invocation be working?
What can I do for those subnets to be accepted by ingress_with_cidr_blocks?

Thanks!

InvalidParameterValue: ICMP code (65535) out of range

The following definition gets me this error:

Error applying plan:

1 error(s) occurred:

* module.sg_default_iss.aws_security_group_rule.ingress_rules[1]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.1: Error authorizing security group rule type ingress: InvalidParameterValue: ICMP code (65535) out of range
	status code: 400, request id: cfb24bd5-c5b2-447c-b3de-ad1d6a4a333b

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

variable "track_subnet_cidr_block" {
  default = "192.168.144.0/25"
}

module "sg_default_iss" {
  source = "../../modules/terraform-aws-security-group"

  name        = "${var.track_name}_sg"
  description = "Security Group: ${var.track_name}_sg, managed by Terraform"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress_cidr_blocks = ["${var.track_subnet_cidr_block}"]
  ingress_rules       = ["ssh-tcp", "all-icmp"]
  egress_rules        = ["all-all"]

  # ingress_rules = ["ssh-tcp"]

  tags = {
    Environment = "${var.track_environment}"
    Name        = "${var.track_name}_sg"
    Desc        = "The IIS VPC for: ${var.track_name}"
    StopGroup   = "n/a"
    Track       = "${var.track_name}"
    Terraform   = "true"
  }
}

Any tips appreciated,
Chris.

Can't add depends_on or pass conditional expression to create, so can't add elb private IPs to security group.

Due to some outstanding issues with Terraform's AWS provider, I'm trying to find a way to pass some calculated CIDRs into a security group.

Right now the following snippet runs

# Look up the newly created ELB's private IP address
# https://github.com/terraform-providers/terraform-provider-aws/issues/3007#issuecomment-382494881
# https://forums.aws.amazon.com/thread.jspa?threadID=263245
# https://github.com/terraform-providers/terraform-provider-aws/pull/2901
data "aws_network_interface" "elb" {
  depends_on = ["aws_lb.web-lb"]
  count = "${length(data.aws_subnet_ids.all.ids)}"

  filter = {
    name   = "description"
    values = ["ELB ${aws_lb.web-lb.arn_suffix}"]
  }

  filter = {
    name   = "subnet-id"
    values = ["${element(data.aws_subnet_ids.all.ids, count.index)}"]
  }
}

data "aws_network_interface" "elb-tcp" {
  depends_on = ["aws_lb.web-lb-tcp"]
  count = "${length(data.aws_subnet_ids.all.ids)}"

  filter = {
    name   = "description"
    values = ["ELB ${aws_lb.web-lb-tcp.arn_suffix}"]
  }

  filter = {
    name   = "subnet-id"
    values = ["${element(data.aws_subnet_ids.all.ids, count.index)}"]
  }
}

##################################################################
# Security Group
# https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws/2.9.0
##################################################################
module "security-group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "2.9.0"

  name        = "Concourse"
  description = "Allows public inbound access to the Concourse API and GUI"
  vpc_id      = "${data.aws_vpc.default.id}"

  use_name_prefix = false

  computed_ingress_with_cidr_blocks = [
    {
      from_port   = 2222
      to_port     = 2222
      protocol    = "tcp"
      description = "Concourse TSA port"
      cidr_blocks = "${join(",", var.allowed-ips)}"
    },
    {
      rule        = "ssh-tcp"
      cidr_blocks = "${join(",", var.allowed-ips)}"
      description = "SSH Access"
    },
    {
      rule        = "http-8080-tcp"
      cidr_blocks = "${join(",", var.allowed-ips)}"
      description = "HTTP Access"
    },
    {
      rule        = "http-8080-tcp"
      cidr_blocks = "${join(",", formatlist("%s/32",flatten(data.aws_network_interface.elb.*.private_ips)))}"
      description = "HTTP - ELB health check"
    },
    {
      from_port   = 2222
      to_port     = 2222
      protocol    = "tcp"
      description = "Concourse TSA port - ELB health check"
      cidr_blocks = "${join(",", formatlist("%s/32",flatten(data.aws_network_interface.elb-tcp.*.private_ips)))}"
    }
  ]
  number_of_computed_ingress_with_cidr_blocks = 5

  egress_cidr_blocks      = ["0.0.0.0/0"]
  egress_rules            = ["all-all"]
}

but gives the following error on first terraform apply

Error: Error applying plan:

1 error(s) occurred:

* data.aws_network_interface.elb[1]: data.aws_network_interface.elb.1: no matching network interface found

I thought that I could perhaps add a depends on to the security-group module like so:

depends_on = ["aws_lb.web-lb-tcp.arn_suffix","aws_lb.web-lb.arn_suffix"]

But that gives the following error:

Error: module "security-group": "depends_on" is not a valid argument

Given that I'm implementing a work around anyway, I'm fine with running apply twice, so I thought I would just set create of the security-group to false if the load balancers hadn't been setup yet. So I added the following:

# Only create once the load balancers have been created
  create = "${data.aws_network_interface.elb-tcp.count > 1 ? true : false}"

But that gives me a ton of errors of the form:

Error: module.security-group.aws_security_group_rule.computed_egress_rules: 1 error(s) occurred:

* module.security-group.aws_security_group_rule.computed_egress_rules: At column 46, line 1: list "var.computed_egress_rules" does not have any elements so cannot determine type. in:

${element(var.rules[var.computed_egress_rules[count.index]], 0)}



Error: module.security-group.aws_security_group_rule.ingress_rules: 1 error(s) occurred:

* module.security-group.aws_security_group_rule.ingress_rules: At column 38, line 1: list "var.ingress_rules" does not have any elements so cannot determine type. in:

${element(var.rules[var.ingress_rules[count.index]], 1)}



Error: module.security-group.aws_security_group_rule.ingress_with_self: 1 error(s) occurred:

* module.security-group.aws_security_group_rule.ingress_with_self: At column 31, line 1: list "var.ingress_with_self" does not have any elements so cannot determine type. in:

${lookup(var.ingress_with_self[count.index], "description", "Ingress Rule")}

Right now I'm just running apply twice and ignoring the error, but I would really like a cleaner workaround for my workaround. 😄

Unexpected IPv6 egress rule added.

The following implementation of this module creates an egress rule for HTTP with a destination of ::/0. Is this to be expected? If I remove the two egress lines then there are no egress rules for either IPv4 or IPv6. When I add them back I get the expected IPv4 rules and the unexpected IPv6 rule.

module "load_balancer_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name   = "load-balancer"
  vpc_id = "${module.vpc.vpc_id}"

  ingress_rules       = ["http-80-tcp", "https-443-tcp"]
  ingress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules        = ["http-80-tcp"]
  egress_cidr_blocks  = "${var.private_subnets}"
}

variable private_subnets {
  type    = "list"
  default = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
}

can we add the following ports for splunk?

9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page
8089 for splunkd (also used by deployment server).

make lifecycle create_before_destroy configurable

Current default behavior is to destroy the resource before creating a new one.

Can we make lifecycle create_before_destroy default to true or make it configurable by the caller to avoid any potential down time?

I tried this tf and it didn't work

module "web_server_sg" {
  source = "terraform-aws-modules/security-group/aws//modules/http-80"


  name        = "web-server"
  description = "Security group for web-server with HTTP ports open within VPC. Managed by Terraform"
  vpc_id      = "${data.aws_vpc.default.id}"


  ingress_cidr_blocks   = ["0.0.0.0/0"]

  lifecycle {
    create_before_destroy = true
  }
}

The error message is
terraform plan

Error: module "web_server_sg": "lifecycle" is not a valid argument

I would like to use it like this if it's possible similar to create=true

module "web_server_sg" {
  source = "terraform-aws-modules/security-group/aws//modules/http-80"

  name        = "web-server"
  description = "Security group for web-server with HTTP ports open within VPC. Managed by Terraform"
  vpc_id      = "${data.aws_vpc.default.id}"


  ingress_cidr_blocks = ["0.0.0.0/0"]

  create_before_destroy = true

}

Access to this_security_group_id

I think this is more of a terraform question but I'm not getting much feedback on the terraform group.

I'm using this module, and I'm also using the terraform-aws-ec2-instance.

In the terraform-aws-ec2-instance module I want to access this_security_group_id but I cannot see the way forward. I added:

variable "this_security_group_id" {}

to the input variables file of terraform-aws-ec2-instance but it doesn't see the output variable value of terraform-aws-security-group.

Any help is appreciated.

How could one adopt the Default Security Group with this module.

The terraform documentation here https://www.terraform.io/docs/providers/aws/r/default_security_group.html describes
adopting the Default Security Group to make it be managed by terraform.

Is there a way to do this with this module also?

Thanks.

"When protocol is ALL, you cannot specify from-port."

Error: Error applying plan:                                                                                              
                                                                                                                         1 error(s) occurred:                                                                                                     
                                                                                                                         * module.security_group.aws_security_group_rule.egress_rules: 1 error(s) occurred:                                       
* aws_security_group_rule.egress_rules: Error updating security group sg-455e8739 rule description: InvalidParameterValue
: When protocol is ALL, you cannot specify from-port.
        status code: 400, request id: 82db9a18-0a94-458a-8eef-884aef980c35

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

with the following definition:

module "security_group" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "ping_http_ssh"
  description = "Allow ICMP Ping, http, and ssh on standard ports."

  #vpc_id      = "${data.terraform_remote_state.vpc.vpc_id}"
  vpc_id = "${aws_vpc.this_vpc.id}"

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["http-80-tcp", "all-icmp", "ssh-tcp"]
  egress_rules        = ["all-all"]
}

Which worked last week, but I aggressively update modules with terraform init -upgrade=true. Current versions:

❯ terraform -version
Terraform v0.11.7
+ provider.aws v1.15.0
+ provider.template v1.0.0
+ provider.tls v1.1.0

Thanks for any help. Happy to provide more context. Cheers.

P.S. This is on release 1.22 of this module.

aws_security_group_rule.ingress_rules[1]: : invalid or unknown key: description

I now (1.9.0) get this error: aws_security_group_rule.ingress_rules[1]: : invalid or unknown key: description

However the setup was working before

module "wvm_ssh_sg" {
  source = "terraform-aws-modules/security-group/aws"
  version = "1.9.0"


  name        = "wvm default"
  description = "Default Security group for the workshop VMs. with SSH,HTTP/S and RDP"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress_cidr_blocks      = ["0.0.0.0/0"]
  ingress_rules            = ["ssh-tcp","http-80-tcp","https-443-tcp"]  
  ingress_with_cidr_blocks = [{
     from_port   = 3389
     to_port     = 3389
     protocol    = "tcp"
     cidr_blocks = "0.0.0.0/0"
     },{
     from_port   = 3389
     to_port     = 3389
     protocol    = "udp"
     cidr_blocks = "0.0.0.0/0"
     },
   ]
  ingress_ipv6_cidr_blocks = ["::/0"]

  #egress_cidr_blocks = []
  #egress_ipv6_cidr_blocks = []
  #egress_rules = ["all-all"]
  egress_with_cidr_blocks = [
    {
      rule             = "all-all"
      cidr_blocks      = "0.0.0.0/0"
      ipv6_cidr_blocks = "::/0"
    },]
}

I am using terraform 0.11

'count' cannot be computed

I've got the following module:

module "app_g_api_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "app_g_api_sg"
  description = "Security group for traffic comming from API servers"
  vpc_id      = "${module.vpc.vpc_id}"

  egress_with_source_security_group_id = [
    {
      from_port                = 5000
      to_port                  = 5001
      protocol                 = 6
      description              = "API Group"
      source_security_group_id = "${module.app_alb_sg.this_security_group_id}"
    },
  ]
}

and this is the output of apply

module.app_g_api_sg.aws_security_group_rule.egress_with_source_security_group_id: aws_security_group_rule.egress_with_source_security_group_id: value of 'count' cannot be computed

Unable to create a security group with a specific name

Since v2.4.0, it is not possible to create a security group with a specific name. This is because 5e998c5 changed from using the name parameter to using the name_prefix parameter.

I'm working around it by using a fork with the latest change reverted but I think not being able to create a group with a specific name is a pretty fatal flaw in the module.

Additionally, this is a breaking change since it will cause all security groups managed by this module to be renamed.

Can you possibly reconsider?

Unable to rename security group (resource has a dependent object)

I'm trying to rename my security group so that I know what environment it's for:

module "security_group_web" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "1.15.0"

  name        = "web"
...
}

module "security_group_web" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "1.15.0"

  name        = "staging-web"
...
}

However I get this error:

Error: Error applying plan:

1 error(s) occurred:

* module.staging.module.security_group_web.aws_security_group.this (destroy): 1 error(s) occurred:

* aws_security_group.this: DependencyViolation: resource sg-c5a360bc has a dependent object
        status code: 400, request id: 5f113cf5-8d37-4587-9797-c0b24e349936

I assume this is because the all the security_group_rule resources that depend on the security_group? Is there a way around this?

Does not resolve dependencies with security groups

module "public_subnet_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "${var.environment}-public-subnets"
  description = "Security group for public facing services"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress_with_self = [
    {
      rule = "all-all"
    },
  ]

  ingress_with_cidr_blocks = [
    {
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      description = "default http port"
      cidr_blocks = "0.0.0.0/0"
    },
  ]

  ingress_with_source_security_group_id = [
    {
      from_port                = 22
      to_port                  = 22
      protocol                 = "tcp"
      description              = "SSH"
      source_security_group_id = "${module.bastion_sg.this_security_group_id}"
    },
  ]

  egress_cidr_blocks = ["0.0.0.0/0"]
}

module "bastion_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "${var.environment}-bastion"
  description = "Security group for bastion"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress_with_cidr_blocks = [
    {
      rule = "all-all"
    },
  ]

  egress_cidr_blocks = ["0.0.0.0/0"]
}

* module.public_subnet_sg.aws_security_group_rule.ingress_with_source_security_group_id: aws_security_group_rule.ingress_with_source_security_group_id: value of 'count' cannot be computed

Terraform v0.11.2
+ provider.archive v0.1.0
+ provider.aws v1.8.0
+ provider.null v1.0.0

If you remove the ingress rules to create the group, add them back and re-apply things work as expected.

Module prompts for AWS region

The AWS provider is included at the top of main.tf but is missing region information. For every copy of the module that I use, when I run terraform plan, i'm prompted to manually enter the region.

Can we remove the provide tag all together so that it uses whatever the user sets up in their own main.tf?

Example of prompt:

Provider.aws.region
The region where AWS operations will take place. Examples
are us-east-1, us-west-2, etc.

Default: us-east-1
Enter a value:

Default for AWS Invent recommendation?

https://www.youtube.com/watch?v=3Gv47NASmU4

Ingress with source sg id fails

I'm pretty sure this should work but I end up with an error.

module.data_tier.module.sg_sql_clients.aws_security_group_rule.ingress_with_source_security_group_id: aws_security_group_rule.ingress_with_source_security_group_id: value of 'count' cannot be computed

Am I missing something obvious?

`module "sg_tux_sql" {
source = "terraform-aws-modules/security-group/aws"
version = "1.13.0"

name = sg-tux-sql"
create = true
vpc_id = "${var.vpc_id}"

ingress_with_source_security_group_id = [
{
from_port = 1433
to_port = 1434
protocol = "tcp"
description = "MS SQL"
source_security_group_id = "${module.sg_sql_clients.this_security_group_id}"
},
]

egress_rules = ["all-all"]
egress_cidr_blocks = ["0.0.0.0/0"]

Use security groups modules. Get: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule

I'm using your awesome modules to build up my infrastructure. However, I have issue while setting up security groups.

I have setup VPC by using https://github.com/terraform-aws-modules/terraform-aws-vpc
And I use this module to setup security groups, but I get error messages like this:

Error: Error applying plan:

4 error(s) occurred:

* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[3]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.3: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule
* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[2]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.2: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule
* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[0]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.0: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule
* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[1]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.1: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

This is my tf file. I haven't put many things yet. And I guess, the ingress_rules if I don't set anything specifically, are those values in error messages set by default in the auto_values.tf ?

provider "aws" {
  profile = "${var.profile}"
  region  = "${var.region}"
  version = "~> 1.16"
}

locals {
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "${var.name}"
  cidr = "10.0.0.0/16"

  azs             = "${local.availability_zones}"
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform   = "true"
    Environment = "${var.environment}"
  }
}

data "aws_security_group" "default" {
  name   = "default"
  vpc_id = "${module.vpc.vpc_id}"
}

module "web_security_group" {
  source = "terraform-aws-modules/security-group/aws//modules/web"
  name   = "web_security_group"
  vpc_id = "${module.vpc.vpc_id}"
}

Update of cidr_blocks in ingress_with_cidr_blocks forces new resource

Hi,

I have the following state (https://gist.github.com/amontalban/0af3064d958f2d1e648848f342b34b2f) and whenever I add/remove an IP to sysadmins_networks variable it produces:

-/+ module.common_sysadmins_sg.aws_security_group_rule.ingress_with_cidr_blocks[0] (new resource required)
      id:                       "sgrule-2061399776" => <computed> (forces new resource)
      cidr_blocks.#:            "4" => "5" (forces new resource)
      cidr_blocks.0:            "5.6.7.8/32" => "5.6.7.8/32"
      cidr_blocks.1:            "9.9.9.9/32" => "9.9.9.9/32"
      cidr_blocks.2:            "1.1.1.1/32" => "1.1.1.1/32"
      cidr_blocks.3:            "2.2.2.2/32" => "2.2.2.2/32"
      cidr_blocks.4:            "" => "1.2.3.4/32" (forces new resource)
      description:              "SSH Access" => "SSH Access"
      from_port:                "22" => "22"
      protocol:                 "tcp" => "tcp"
      security_group_id:        "sg-63991f1d" => "sg-63991f1d"
      self:                     "false" => "false"
      source_security_group_id: "" => <computed>
      to_port:                  "22" => "22"
      type:                     "ingress" => "ingress"

Thing is that I have to frequently add/remove IPs from security groups, I have been doing this by using plain Terraform security groups just fine but can't find the way to do it with this module.

Any input is highly appreciated!

Thanks!

Create integration tests using kitchen-terraform

I think this repository is a good example where we can start creating integration tests for Terraform AWS modules using kitchen-terraform because this module creates resources which can be asserted without dependencies.

I am also thinking about these requirements:

All tests files (incl. Gemfile, .kitchen.yml and alike) should be outside of the root directory. Let's put everything inside tests directory with subdirectories as necessary.
Alternatively to point 1 (above) build Docker image (eg, Dockerfile) containing all dependencies required to run kitchen-terraform
Tests should execute code/fixtures which is inside directory examples/http as is (without modification). The same code can always be executed by a user who wants to run examples manually using just basic commands.
Use CircleCI 2.0 (CircleCI 2.0 is terribly fast and customisable).

@ncs-alane - Do you think such structure can be easily achieved with kitchen-terraform?

Do you have an opportunity&wish to submit initial PR for this?

no changed made to SG - new resource required

Hi,

when i create the following SG and re-execute terraform apply I will get a change for every security group

  source        = "../../../../modules/sg"
  sg_name       = "${var.sg_name_bastion}"
  sg_desc       = "${var.sg_desc_bastion}"
  vpc_id        = "${module.network.vpc_id}"
  default_tags  = "${var.default_tags}"
  vpc_name      = "${var.vpc_name}"

  computed_ingress_with_source_security_group_id = [
    {
      rule                     = "ssh-tcp"
      source_security_group_id = "${module.sg_ext_bastion_clb.this_security_group_id}"
    }

  ]
  number_of_computed_ingress_with_source_security_group_id = 1

  egress_rules = ["all-all"]

  egress_cidr_blocks = ["0.0.0.0/0"]
}

      id:                       "sgrule-3738587866" => <computed> (forces new resource)
      cidr_blocks.#:            "1" => "1"
      cidr_blocks.0:            "0.0.0.0/0" => "0.0.0.0/0"
      description:              "All protocols" => "All protocols"
      from_port:                "0" => "-1" (forces new resource)
      ipv6_cidr_blocks.#:       "1" => "1"
      ipv6_cidr_blocks.0:       "::/0" => "::/0"
      protocol:                 "-1" => "-1"
      security_group_id:        "sg-01c0fe1033ecf03f3" => "sg-01c0fe1033ecf03f3"
      self:                     "false" => "false"
      source_security_group_id: "" => <computed>
      to_port:                  "0" => "-1" (forces new resource)
      type:                     "egress" => "egress"

Any input is highly appreciated!

Thanks!

terraform-aws-modules / terraform-aws-security-group Goto Github PK

terraform-aws-security-group's Introduction

AWS EC2-VPC Security Group Terraform module

Features

Terraform versions

Usage

Security group with predefined rules

Security group with custom rules

Note about "value of 'count' cannot be computed"

Conditional creation

Examples

How to add/update rules/groups?

Known issues

Requirements

Providers

Modules

Resources

Inputs

Outputs

Authors

License

Additional information for users from Russia and Belarus

terraform-aws-security-group's People

Contributors

Stargazers

Watchers

Forkers

terraform-aws-security-group's Issues

Module code

Variables

Possible workaround

Recommend Projects

Recommend Topics

Recommend Org