Doco says security_group_rule resource and inline rules are not compatible, but it seems to work?

shorn....@gmail.com

Dec 21, 2015, 8:04:32 PM
to Terraform
The documentation says "you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules."


The following seems to work for me: the console shows that the nat-server-sg has both the CIDR block inbound rules and the security-group-based inbound SSH rule.

resource "aws_security_group" "access-nat-server-sg" {
  ...
  # inline CIDR-based rules to allow ingress from private subnets and egress to the internet
  ...
}

resource "aws_security_group" "access-bastion-server-sg" {
  ...
  # inline CIDR rules to allow ingress from external places
  ...
}

resource "aws_security_group_rule" "ssh-bastion-to-nat" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.access-nat-server-sg.id}"
  source_security_group_id = "${aws_security_group.access-bastion-server-sg.id}"
}


Given the statement from the doco outlined above, I had expected that the security group would have one or the other set of rules, but not both.
Is the documentation just out of date?  Happy to raise an issue if so.
Or is something going to break further down the line when I start churning security groups around?
Or is it just that it happens to work in this version, but the doco is there to stop me using it because it may stop working in future versions?


Using AWS provider with TF 0.6.8.

Clint Shryock

Dec 22, 2015, 10:29:20 AM
to terrafo...@googlegroups.com
Hello –

I believe the docs may need a change from "you cannot" to "you should not". As you guessed, something is very likely to break as you use the rules more.

The Security Group Rule resource behaves a bit differently: it queries the Security Group and looks for a rule that matches its properties. If found, it concludes that it exists and moves on. Security Group Rules are meant to ensure a security group has "at least these rules".

In-line rules for security groups are meant to enforce "these rules, and only these rules". It's possible there has been some drift since the documentation was written and needs to be reviewed, but I hope this explains some things.

Let me know if you have further questions.

Regards,
Clint

--
Clint
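The pattern Clint describes, with every rule declared as its own aws_security_group_rule resource and no inline ingress/egress blocks on the groups, written out as an added example (not code from the thread or from the Terraform project). The vpc_id and all CIDR ranges are placeholders, and the inline rules the original post elided are assumed to be "all TCP from two private subnets" and "SSH from one external range".

```hcl
# Groups carry no inline rules; every rule is an aws_security_group_rule below.
resource "aws_security_group" "access-nat-server-sg" {
  name   = "access-nat-server-sg"
  vpc_id = "vpc-PLACEHOLDER"
}

resource "aws_security_group" "access-bastion-server-sg" {
  name   = "access-bastion-server-sg"
  vpc_id = "vpc-PLACEHOLDER"
}

# Ingress from the private subnets (placeholder CIDRs) to the NAT group.
resource "aws_security_group_rule" "nat-from-private-subnets" {
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = ["10.0.1.0/24", "10.0.2.0/24"]
  security_group_id = "${aws_security_group.access-nat-server-sg.id}"
}

# Egress to the internet. Terraform removes AWS's default allow-all egress
# rule from a VPC security group it creates, so it must be declared here.
resource "aws_security_group_rule" "nat-egress-internet" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.access-nat-server-sg.id}"
}

# SSH into the bastion from an external address range (placeholder CIDR).
resource "aws_security_group_rule" "bastion-ssh-from-external" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["203.0.113.0/24"]
  security_group_id = "${aws_security_group.access-bastion-server-sg.id}"
}

# SSH from the bastion group to the NAT group, as in the original post.
resource "aws_security_group_rule" "ssh-bastion-to-nat" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.access-nat-server-sg.id}"
  source_security_group_id = "${aws_security_group.access-bastion-server-sg.id}"
}
```

Because each rule resource only checks that a matching rule exists, nothing here fights over the group's rule set the way an inline block (which enforces "only these rules") would.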

shorn....@gmail.com

Dec 22, 2015, 7:16:38 PM
to Terraform
Makes sense, the thing about the rule is interesting. Seems like important information - OTOH I understand you'd want to avoid putting every implementation detail into the documentation.

Thanks for the help.  I'll stop being lazy and go make those rules :)