Use conditional for AWS SecurityGroups


Igor David

Mar 8, 2018, 7:02:46 AM
to Terraform

Is it possible to use a Terraform conditional with AWS Security groups like this:

```
securitygroup = ["${substr(terraform.workspace, 0, 2) == "PD" ? module1 : module2}"]
```

We want to create and attach the Security group based on module1 only if terraform.workspace begins with "PD", and we don't want to create the Security group defined in module2 if it's not required (doesn't match "PD").


We have tried this and the problem is that Terraform doesn't assign the security group built by module1 if the security group of module2 is not already created. Once we create both resources, it recognizes and attaches module1 okay, but then we are duplicating the number of Security groups.


Looks like Terraform requires both resources active and created in its conditionals?


Thanks in advance!

Clint Shryock

Mar 8, 2018, 10:05:29 AM
to terrafo...@googlegroups.com
Hey there! 

It's hard to say much without seeing more configuration. If you could share some mock up (so you don't share your actual config) that may help.

It sounds like you could use this conditional in a `count` attribute:


```
resource "aws_security_group" "mod1_group" {
  # substr() needs an offset and a length; compare the first two characters
  count = "${substr(terraform.workspace, 0, 2) == "PD" ? 1 : 0}"
  # details..
}
```

If I understand your scenario correctly, that kind of syntax should only create the Security Group if that substring matches. 

Let us know if that works!

Cheers,
Clint

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/4c253591-8d40-4176-b9b7-2b296bce21ce%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Igor David

Mar 8, 2018, 11:13:58 AM
to Terraform
Hi Clint,

Thanks for your reply!

We are trying to do exactly what you described and it doesn't work - the Security groups get created, but the one which should be attached is not attached to the EC2 instance; it looks like Terraform expects that both Security groups from the conditional exist.

We use it like this (security groups and EC2 instance are being used as modules):

* Security group 1 resource

```
resource "aws_security_group" "SG1" {
  count       = "${substr(terraform.workspace,0,2) == "PD" ? 1 : 0 }"
  name        = "SG_NAME1"
}
```

* Security group 2 resource

```
resource "aws_security_group" "SG2" {
  count       = "${substr(terraform.workspace,0,2) != "PD" ? 1 : 0 }"
  name        = "SG_NAME2"
}
```

* EC2 instance resource

```
resource "aws_instance" "instance" {
  # ami, instance_type and the other arguments are omitted here
  vpc_security_group_ids = ["${var.securitygroup}"]
}
```

* Use them via modules

```
module "SG1" {
  source = "modules/SecurityGroup1"
}
```

```
module "SG2" {
  source = "modules/SecurityGroup2"
}
```

* Define EC2 instance

```
module "ec2_instance" {
  source = "../../modules/EC2"

  # SG1 when the workspace starts with "PD", otherwise SG2, plus the VPC's default groups;
  # the argument name must match the "securitygroup" variable read by the EC2 module
  securitygroup = [
    "${substr(terraform.workspace, 0, 2) == "PD" ? module.SG1.SG_ID : module.SG2.SG_ID}",
    "${split(",", lookup(var.default_sg, var.vpc))}",
  ]
}
```

When we run this, Terraform creates BOTH SG1 and SG2 and doesn't attach either of them to the EC2 instance, just default_sg.

When we remove the "count" line in the modules like this

```
resource "aws_security_group" "SG1" {
  name        = "SG_NAME1"
}
```

```
resource "aws_security_group" "SG2" {
  name        = "SG_NAME2"
}
```

it then creates BOTH SG1 and SG2 and attaches the correct one, but in that case we have duplicate SGs.

Thanks in advance!

Kind regards,
Igor



Clint Shryock

Mar 8, 2018, 12:27:09 PM
to terrafo...@googlegroups.com
Hey Igor, thanks for the info – I've created a gist to try and reproduce this, but I'm not having any luck.


Is it possible "terraform.workspace" is not what it should be? 

Cheers,
Clint


Igor David

Mar 9, 2018, 6:06:44 AM
to terrafo...@googlegroups.com
Thanks Clint for checking this, we really appreciate it.

Can you please add an EC2 instance to your test and put a conditional for the Security groups, so that if one variable exists it creates and attaches SG1, and if it doesn't exist it creates and attaches SG2?

That is when the problem actually occurs, because SG1 is not attached to the EC2 instance if it's specified in a conditional.

In your case you can just add an EC2 instance and put a conditional on the security group.

This is a snippet from our code:

```
module "EC2" {
  source = "modules/EC2"

  securitygroup = [
    "${substr(terraform.workspace, 0, 2) == "PD" ? module.SG1.SG_ID : module.SG2.SG_ID}",
    "${split(",", lookup(var.default_sg, var.vpc))}",
  ]
}
```


We want to attach SG1 if terraform.workspace starts with PD, we want to attach SG2 if terraform.workspace doesn't start with PD, and we always want to include the default Security groups (var.default_sg, based on our VPC).

In your case it would be something like this:


```
data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

# g1 and g2 are created conditionally, the same way as SG1/SG2 above
resource "aws_security_group" "g1" {
  count = "${substr(var.name, 0, 3) == "cts" ? 1 : 0}"
  name  = "g1"
}

resource "aws_security_group" "g2" {
  count = "${substr(var.name, 0, 3) != "cts" ? 1 : 0}"
  name  = "g2"
}

resource "aws_instance" "web" {
  ami           = "${data.aws_ami.ubuntu.id}"
  instance_type = "t2.nano"

  # attach g1 when var.name starts with "cts", otherwise g2
  vpc_security_group_ids = ["${substr(var.name, 0, 3) == "cts" ? aws_security_group.g1.id : aws_security_group.g2.id}"]
}
```


So basically, it doesn't attach SG1 to the EC2 instance, as it looks like Terraform expects the second SG2 to also be created. To prove this, we have removed "count" from our Security groups and it properly attaches only SG1, but only if they both are created, and then we are duplicating the number of SGs.

Does this give you enough troubleshooting info?

Thanks again.

Kind regards,
Igor


Igor David

Mar 12, 2018, 9:47:44 AM
to Terraform
(looks like my previous e-mail was deleted, maybe I did it by accident)

Hi Clint,

Looks like this is a known bug in Terraform:

https://github.com/hashicorp/terraform/issues/15605

Until the bug is fixed, are there any workaround recommendations to apply, where one of the resources in the conditional is not being created (security group) and thus does not allow the EC2 instance to attach the first security group?

Thanks,
Igor
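One workaround for the both-branches-evaluated behaviour in Terraform 0.11, added here as an example and not code from the thread: keep the conditional `count` on each security group, but expose its ID through a splat expression. A splat over a count-0 resource yields an empty list rather than the "resource not found" error a bare `.id` reference produces, so the conditional in the root module never has to touch a resource that does not exist. The module layout, `SG_ID` output, `var.default_sg` and `var.vpc` follow the names used above; `SecurityGroup2` is assumed to mirror `SecurityGroup1` with the `!= "PD"` test.

```hcl
# modules/SecurityGroup1/main.tf  (SecurityGroup2 is the same with != "PD")
resource "aws_security_group" "SG1" {
  count = "${substr(terraform.workspace, 0, 2) == "PD" ? 1 : 0}"
  name  = "SG_NAME1"
  # ingress/egress rules omitted; keep them scoped to what the workload needs
}

# Splat on a count-0 resource is an empty list, so join() returns ""
# instead of failing like a bare aws_security_group.SG1.id would.
output "SG_ID" {
  value = "${join("", aws_security_group.SG1.*.id)}"
}

# modules/EC2/main.tf
variable "securitygroup" {
  type = "list"
}

resource "aws_instance" "instance" {
  # ami, instance_type, etc. as in the instance resource above
  vpc_security_group_ids = ["${var.securitygroup}"]
}

# root module
module "SG1" {
  source = "modules/SecurityGroup1"
}

module "SG2" {
  source = "modules/SecurityGroup2"
}

module "EC2" {
  source = "modules/EC2"

  # Exactly one of SG1/SG2 exists per workspace; compact() drops the "" from
  # the one that was not created, and the VPC's default groups are always added.
  securitygroup = "${compact(concat(list(module.SG1.SG_ID, module.SG2.SG_ID), split(",", lookup(var.default_sg, var.vpc))))}"
}
```

After `terraform apply`, verify the attached group IDs on the instance (console or `aws ec2 describe-instances`) so a silent fallback to only the default groups, as seen earlier in this thread, is caught rather than leaving the instance with rules you did not intend.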