Remove existing security group rule created by Elastic Beanstalk


j...@lazyadm.in

Jul 6, 2018, 1:33:16 PM
to Terraform
Hey guys!

I was trying to modify the security group created by Elastic Beanstalk. I can add new security rules by using `data` and `resource` using the code below without any issues, but our problem is that the default security group has port 80 open to the public (reason: PCI compliance). That port was automatically added by AWS. I was trying to remove it but I can't find a good example of how to do it using the `aws_security_group_rule`. Can you guys let me know if this is something that TF can't do at the moment? If yes, can you give me some examples?


#################################################
# Modify Elastic Beanstalk Default Security Group
#################################################

# Look up the security group Elastic Beanstalk created, by VPC and Name tag.
data "aws_security_group" "default_eb_sg" {
  vpc_id = "${var.vpc_id}"

  tags {
    Name = "${var.environment_name}" # was "${environment_name}", which is not valid interpolation syntax
  }
}

# Add two internal-only ingress rules to that group.
resource "aws_security_group_rule" "allow_5525" {
  type              = "ingress"
  from_port         = 5525
  to_port           = 5525
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]
  security_group_id = "${data.aws_security_group.default_eb_sg.id}"
}

resource "aws_security_group_rule" "allow_5526" {
  type              = "ingress"
  from_port         = 5526
  to_port           = 5526
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]
  security_group_id = "${data.aws_security_group.default_eb_sg.id}"
}


Thanks a lot!

Baris Simsek

Jul 6, 2018, 3:07:50 PM
to terrafo...@googlegroups.com
I believe you can't delete the default security group before assigning another one. It's AWS behavior.

So first you need to assign your newly created sg as default.


Bent Terp

Jul 13, 2018, 11:40:07 PM
to Terraform
If you import the rule into the state and it does not match any resource defined in your configuration, then it logically should be deleted when you next apply the config.
Dunno if Beanstalk recreates it though, only one way of finding out.

Hope this helps, otherwise try and get away from using the default security group.

You mentioned PCI.... If you are not yet in production, I would strongly recommend using the EB stack only as inspiration for writing your own Terraform config that builds the entire solution from scratch. Then you have the full documentation of the solution at hand and that should definitely make your PCI review easier.

Also, take a look at this little utility https://github.com/basefarm/aws-session-tool which makes it easier to work with cross-account logins using MFA - this was originally developed for a PCI-DSS compliant implementation and passed the review with thumbs up from the QSA.

Regards,
  Bent
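A Terraform configuration that follows Bent's advice of managing the instance security group yourself instead of patching the Beanstalk-created one, as an added example that is not from the thread or from Terraform's documentation. It uses the pre-0.12 interpolation syntax the original post uses; the variable names, the `eb_app` resource names and the `sg-PLACEHOLDER` group id in the import comment are assumptions.

```hcl
# Added example (not from the thread); variable names below are assumptions.
variable "vpc_id" {}
variable "environment_name" {}
variable "application_name" {}
variable "solution_stack" {}
# A group Terraform owns end to end: the two application ports, only from the
# VPC range, plus the egress the instances need. Nothing opens port 80 publicly.
resource "aws_security_group" "eb_app" {
  name        = "${var.environment_name}-app"
  description = "Restricted ingress for Elastic Beanstalk instances"
  vpc_id      = "${var.vpc_id}"
  tags {
    Name = "${var.environment_name}"
  }
}

resource "aws_security_group_rule" "allow_app_ports" {
  type              = "ingress"
  from_port         = 5525
  to_port           = 5526
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]
  security_group_id = "${aws_security_group.eb_app.id}"
}

resource "aws_security_group_rule" "allow_egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.eb_app.id}"
}

# Hand the managed group to the instances via the launch configuration namespace.
resource "aws_elastic_beanstalk_environment" "app" {
  name                = "${var.environment_name}"
  application         = "${var.application_name}"
  solution_stack_name = "${var.solution_stack}"

  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "SecurityGroups"
    value     = "${aws_security_group.eb_app.id}"
  }
}

# Bent's import route for the EB-created port-80 rule: an imported rule with no
# matching resource block is planned for destruction on the next apply
# (sg-PLACEHOLDER is the id of the Beanstalk-created group):
#   terraform import aws_security_group_rule.eb_http sg-PLACEHOLDER_ingress_tcp_80_80_0.0.0.0/0
```

Run `terraform plan` after the import and confirm the only change shown for the EB-created group is the removal of the 0.0.0.0/0 port-80 rule before applying.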
