How to add security_group_rule ingress to security group?


egul...@gmail.com

Sep 23, 2016, 2:15:59 PM9/23/16
to Terraform

Hello everyone,

I have a problem that I can't figure out. I need to update SGs with ingress rules after their creation, but it doesn't look like I'm doing it right. I've researched online and tested 'depends_on', but this still fails.


I have an application.tf template where I'm creating a NAT instance, NATSG, App instance and APPSG. Once NATSG & APPSG are created, I need to update their rules to allow traffic, and the problem is that the 'first tf apply' creates them, but after that if I run 'tf plan' terraform shows me that it will remove these additional 'security_group_rules' that it just created (which doesn't make sense to me). But looking at sg_rule there is that sentence:


At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

and I think I can't specify security_group and security_group_rule resources in the same .tf file.


Has anyone had a problem like that before and overcome it with some solution? I've checked over a dozen modules and nobody seems to be doing complex things like that.

Any advice appreciated.

Thank you
 

David Maze

Sep 23, 2016, 4:07:30 PM9/23/16
to Terraform
On Friday, September 23, 2016 at 2:15:59 PM UTC-4, egul...@gmail.com wrote:
looking at sg_rule there is that sentence:


At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

and I think I can't specify security_group and security_group_rule resources in the same .tf file.

More concretely: you can't both declare security group rules inside a security_group, and also have separate security_group_rule declarations for the same group.  Doesn't matter if they're in the same file or not.

Bad:

resource "aws_security_group" "sg" {
  ingress { ... port = 80 ... }
}
resource "aws_security_group_rule" "https_too" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  security_group_id = "${aws_security_group.sg.id}"
}

Good:

resource "aws_security_group" "sg" {
  # no ingress or egress rules
}
resource "aws_security_group_rule" "http"  { ... port = 80  ... security_group_id = "${aws_security_group.sg.id}" }
resource "aws_security_group_rule" "https" { ... port = 443 ... security_group_id = "${aws_security_group.sg.id}" }

My experience has generally been that it's more predictable to declare anything where there's a resource A, a resource B, and an attach-A-to-B resource always as three separate parts and not as resource "A" { B { ... } }, for exactly the case you describe: if you need to add more rules or attach more devices or whatever else, Terraform's behavior is more obvious when the attachment is separate.
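The "three separate parts" pattern above, applied to the original poster's NAT-SG / App-SG case, as an added example that is not code from either post. Both groups are declared with no in-line rules, and every rule is a separate aws_security_group_rule, so a second `terraform plan` has nothing to remove. The resource names, the `vpc_id` variable, the port choices and the interpolation syntax (the 2016-era `"${...}"` form used in the thread) are all assumptions; the rules are deliberately scoped so that app instances can only reach the NAT group and the NAT group can only reach the internet on 80/443.

```hcl
# Added example (not from the thread). Names, vpc_id and ports are assumptions.

variable "vpc_id" {}

# No ingress/egress blocks here: all rules live in aws_security_group_rule
# resources below, so Terraform never reconciles in-line rules against them.
resource "aws_security_group" "nat" {
  name        = "nat-sg"
  description = "NAT instance"
  vpc_id      = "${var.vpc_id}"
}

resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "Application instances"
  vpc_id      = "${var.vpc_id}"
}

# App -> NAT (ingress on the NAT group): only members of the app group may
# send web traffic to the NAT. Referencing a group instead of a CIDR keeps
# the rule tied to group membership rather than to an address range.
resource "aws_security_group_rule" "nat_in_http_from_app" {
  type                     = "ingress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.app.id}"
  security_group_id        = "${aws_security_group.nat.id}"
}

resource "aws_security_group_rule" "nat_in_https_from_app" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.app.id}"
  security_group_id        = "${aws_security_group.nat.id}"
}

# NAT -> Internet: explicit egress on 80/443 only. Because the group above
# declares no egress block, the AWS-default allow-all egress is not kept,
# so anything the NAT must reach has to be listed here.
resource "aws_security_group_rule" "nat_out_http" {
  type              = "egress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.nat.id}"
}

resource "aws_security_group_rule" "nat_out_https" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.nat.id}"
}

# App -> NAT (egress on the app group): the app group's only outbound path
# is to the NAT group. For an egress rule, source_security_group_id names
# the destination group.
resource "aws_security_group_rule" "app_out_http_to_nat" {
  type                     = "egress"
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.nat.id}"
  security_group_id        = "${aws_security_group.app.id}"
}

resource "aws_security_group_rule" "app_out_https_to_nat" {
  type                     = "egress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.nat.id}"
  security_group_id        = "${aws_security_group.app.id}"
}
```

After the first `terraform apply`, a second `terraform plan` should report no changes; if it still wants to delete rules, some group in the configuration still carries an in-line `ingress` or `egress` block. Note that once a group is managed this way, egress must be declared explicitly, since Terraform drops the AWS default allow-all egress rule when a VPC security group is created without an egress block.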