"aws_security_group" vs "aws_security_group_rule"


throwawayacctfo...@gmail.com

Oct 26, 2017, 10:45:55 AM
to Terraform
Hello, 

This is a bit of a noob question, so please bear with me. 

I am running into a cycle error when I attempt to formulate security groups that reference each other. For example, I would like to create an `aws_security_group` called `bastion-sg`. This group has the following rules: 
  • Bastion::Inbound = ssh from source company-ip-range (for example, 172.0.0.0/24)

  • Bastion::Outbound = ssh to destination SG-Private (private instances allowed) 

On the other hand, private subnets should only allow ssh inbound traffic from the bastion host, and outbound traffic via the nat instance. 
  • Private::Inbound = ssh from Source Bastion-SG 

  • Private::Outbound = HTTP to Destination NAT-SG 

My first attempt translating this into terraform is this: 

resource "aws_security_group" "bastion_sg" {
  name        = "bastion_sg"
  description = "SG for Bastion Host"
  vpc_id      = "${aws_vpc.Test.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["172.0.0.0/24"]
  }

  egress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.private_sg.id}"]
  }

  tags {
    Name        = "Bastion-SG"
    Environment = "${var.vpc_name}"
  }
}

resource "aws_security_group" "private_sg" {
  name        = "private_sg"
  description = "SG for Private Subnets"
  vpc_id      = "${aws_vpc.Test.id}"

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.bastion_sg.id}"]
  }

  egress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = ["${aws_security_group.nat_sg.id}"]
  }

  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = ["${aws_security_group.nat_sg.id}"]
  }

  tags {
    Name        = "Private-SG"
    Environment = "${var.vpc_name}"
  }
}


Which gave me this error: 

* Cycle: module.test.aws_security_group.nat_sg, module.test.aws_security_group.bastion_sg, module.test.aws_security_group.private_sg


Looking at terraform docs for "aws_security_group", I see these two: 

The ingress block supports:

  • cidr_blocks - (Optional) List of CIDR blocks.
  • security_groups - (Optional) List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC.
I find this documentation super confusing. 
  • In aws, source refers either to a cidr_block or a security_group. In terraform, should I replace the idea of source of incoming traffic with one of the above (that is cidr_blocks or security_groups)?  

My confusion increases even more when I take a look at the docs for "aws_security_group_rule". Note that 

  • cidr_blocks - (Optional) List of CIDR blocks. Cannot be specified with source_security_group_id
  • security_group_id - (Required) The security group to apply this rule to.
  • source_security_group_id - (Optional) The security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks.
The logical way I would think to use function "aws_security_group_rule" is in conjunction with "aws_security_group". For example: 
  1. First create a security group with "aws_security_group" 
  2. Then create a security rule using function "aws_security_group_rule" 
  3. And then attach the security rule created 
How do these two functions work together?  Would appreciate any feedback. Thank you. 
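Added example (written here for this thread; it is not the original poster's code and not HashiCorp's documentation) showing how the two resources fit together for exactly the topology in the post. The cycle comes from each `aws_security_group` referencing the `.id` of another inside its own inline `ingress`/`egress` blocks (bastion_sg needs private_sg, private_sg needs bastion_sg and nat_sg), so no group can be created first. Splitting the rules out into `aws_security_group_rule` resources removes the cycle: the groups carry no inline rules and reference nothing, and every rule is a separate resource that only depends on the groups. On the "source" question: in an ingress rule, `cidr_blocks` or `security_groups`/`source_security_group_id` is the source; in an egress rule the very same attribute is the destination, which is what the docs mean by "to/from, depending on the type". `aws_vpc.Test` and `var.vpc_name` are taken from the post; `var.company_cidr`, `var.web_ports` and the NAT being an instance that carries `nat_sg` (a NAT gateway has no security group, so "egress to NAT-SG" could not be expressed that way) are my assumptions. Written in the Terraform 0.10-era interpolation syntax the thread uses.

```hcl
# Added example, not the original poster's code. Same bastion / private / NAT
# design, with every rule as its own aws_security_group_rule so that the
# aws_security_group resources reference nothing and can be created first.
# Assumed (not in the thread): var.company_cidr, var.web_ports, and a NAT
# *instance* that carries nat_sg. aws_vpc.Test and var.vpc_name are from the post.

variable "company_cidr" {
  default = "172.0.0.0/24"     # the "company-ip-range" from the post
}

variable "web_ports" {
  default = ["80", "443"]      # private subnets may reach the NAT on these
}

# --- Group shells: deliberately no inline ingress/egress blocks -------------
resource "aws_security_group" "bastion_sg" {
  name        = "bastion_sg"
  description = "SG for Bastion Host"
  vpc_id      = "${aws_vpc.Test.id}"

  tags {
    Name        = "Bastion-SG"
    Environment = "${var.vpc_name}"
  }
}

resource "aws_security_group" "private_sg" {
  name        = "private_sg"
  description = "SG for Private Subnets"
  vpc_id      = "${aws_vpc.Test.id}"

  tags {
    Name        = "Private-SG"
    Environment = "${var.vpc_name}"
  }
}

resource "aws_security_group" "nat_sg" {
  name        = "nat_sg"
  description = "SG for NAT instance"
  vpc_id      = "${aws_vpc.Test.id}"

  tags {
    Name        = "NAT-SG"
    Environment = "${var.vpc_name}"
  }
}

# --- Bastion: SSH in from the office range, SSH out only to private_sg ------
resource "aws_security_group_rule" "bastion_ssh_in" {
  type              = "ingress"
  security_group_id = "${aws_security_group.bastion_sg.id}"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["${var.company_cidr}"]   # ingress: this is the source
}

resource "aws_security_group_rule" "bastion_ssh_out" {
  type                     = "egress"
  security_group_id        = "${aws_security_group.bastion_sg.id}"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.private_sg.id}"  # egress: the destination
}

# --- Private: SSH in only from the bastion, HTTP/HTTPS out only to the NAT --
resource "aws_security_group_rule" "private_ssh_in" {
  type                     = "ingress"
  security_group_id        = "${aws_security_group.private_sg.id}"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.bastion_sg.id}"
}

resource "aws_security_group_rule" "private_web_out" {
  count                    = "${length(var.web_ports)}"
  type                     = "egress"
  security_group_id        = "${aws_security_group.private_sg.id}"
  from_port                = "${element(var.web_ports, count.index)}"
  to_port                  = "${element(var.web_ports, count.index)}"
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.nat_sg.id}"
}

# --- NAT: SG references are one-directional, so mirror the private egress ---
resource "aws_security_group_rule" "nat_web_in" {
  count                    = "${length(var.web_ports)}"
  type                     = "ingress"
  security_group_id        = "${aws_security_group.nat_sg.id}"
  from_port                = "${element(var.web_ports, count.index)}"
  to_port                  = "${element(var.web_ports, count.index)}"
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.private_sg.id}"
}
```

Three things to check with `terraform plan` before trusting this. First, Terraform removes the default allow-all egress rule from any VPC security group it creates, so the egress rules above are the only egress these groups get; in particular nat_sg still needs its own egress to the internet, which is outside the post's scope and not shown. Second, do not mix inline `ingress`/`egress` blocks in an `aws_security_group` with `aws_security_group_rule` resources on the same group: the two fight over the rule set and produce perpetual diffs, which is why the shells above are empty. Third, a security-group reference only permits traffic in the direction of the rule it sits in, so the private-to-NAT egress is useless without the matching ingress on nat_sg.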

Fernando Miguel

Oct 26, 2017, 10:51:49 AM
to terrafo...@googlegroups.com

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/f42ff6db-c21c-4eeb-a0f3-34efe1d43f36%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

throwawayacctfo...@gmail.com

Oct 26, 2017, 11:00:36 AM
to Terraform
No, I am not. 

I am learning by writing out my own modules, using Terraform v0.10.7.


Fernando

Oct 26, 2017, 11:05:14 AM
to Terraform
What's probably happening is one of two things:
either you are trying to reference a resource that still doesn't exist, because modules don't do depends_on,
or
you don't have an output from the module that you can call.

throwawayacctfo...@gmail.com

Oct 26, 2017, 11:12:56 AM
to Terraform
So you are saying that this error: 

* Cycle: module.test.aws_security_group.nat_sg, module.test.aws_security_group.bastion_sg, module.test.aws_security_group.private_sg

is due to one of the 2 reasons you stated? 


Also, I am not using depends_on anyway in the file where those rules are written (in fact, all rules for the VPC are in one file at the moment), so I am not sure what you mean when you say that modules do not do depends_on. 
