aws_security_group using aws_instance public IPs

James Santos

Feb 3, 2020, 8:48:35 PM
to Terraform
Hello, has anyone ever seen a solution for this use case:

resource "aws_security_group" "sg_api" {
    ingress {
        from_port = 80
        to_port = 80
        protocol = "tcp"
        cidr_blocks = ["${formatlist("%v/32", aws_instance.clients.*.public_ip)}"]
    }
}

I saw this issue brought up before (https://github.com/hashicorp/terraform/issues/640) but haven't seen a solution for it yet.

Thanks,
- James

Lowe Schmidt

Feb 4, 2020, 2:18:20 AM
to Terraform
What version are you using?
--
Lowe Schmidt | +46 723 867 157


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-too...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/86b38fb9-36fa-41c3-9b6a-b5a4ca6b8437%40googlegroups.com.

James Santos

Feb 4, 2020, 1:30:23 PM
to Terraform
Hey Lowe, terraform version is 0.12.18
Any help would be appreciated.

Lowe Schmidt

Feb 4, 2020, 3:32:04 PM
to Terraform
This should work (haven't tried).

But you should probably extract the security_group_rule to its own resource.

resource "aws_security_group" "sg_api" {
    ingress {
        from_port = 80
        to_port = 80
        protocol = "tcp"
        cidr_blocks = [
          "${aws_instance.clients[*].public_ip}/32"
        ]
    }
}

--
Lowe Schmidt | +46 723 867 157

Rajeev Jaggavarapu

Feb 5, 2020, 4:41:37 AM
to Terraform
aws_instance.clients.*.public_ip

This is a list.
If you are using 0.12.x you can use a dynamic block.

https://www.hashicorp.com/blog/hashicorp-terraform-0-12-preview-for-and-for-each/

Lowe Schmidt

Feb 5, 2020, 10:46:50 AM
to Terraform
The aws_instance.clients[*].public_ip is shorthand for the for expression iterating over every client.

--
Lowe Schmidt | +46 723 867 157

James Santos

Feb 6, 2020, 11:04:59 AM
to Terraform
Thanks, Lowe and Rajeev, I will give those a try.
The problem I see is a possible case of "which comes first, the chicken or the egg".
I'm trying to add the EC2 instance's public IP to a security group (SG) that I want to assign to the instance. Terraform is giving a cycle error, since it cannot create the instance without the SG, but it cannot create the SG either, since it doesn't have the public IP to add to the SG because the instance is not created yet.

- James

Lowe Schmidt

Feb 6, 2020, 12:52:19 PM
to Terraform
If you have a cyclic dependency in your graph, you need to split out the resources. In this case, you can have an `aws_security_group` and multiple `aws_security_group_rule` resources; that way, you can create the instances, attach the security group and then create the rules for your security group.


--
Lowe Schmidt | +46 723 867 157

James Santos

Feb 8, 2020, 10:17:25 AM
to Terraform
Thanks, Lowe. The use of the aws_security_group_rule worked!! Thanks again. I can move forward now. Really appreciate it.

Just FYI, instead of cidr_blocks = ["${aws_instance.clients[*].public_ip}/32"]
I had to use cidr_blocks = ["${element(aws_instance.bootcamp.*.public_ip, count.index)}/32"]
with the count variable defined earlier.

The former was giving an: "Error: Invalid template interpolation value .... aws_instance.clients is tuple with 2 elements ... Cannot include the given value in a string template: string required".

Thanks,
- James


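As an added example (not code posted by anyone in the thread), here is the complete layout of the split Lowe describes, with the per-instance rule written the way James's follow-up needed it. The `vpc_id`, `ami_id`, `subnet_id` and `client_count` variables and the `api_from_clients` rule name are assumptions made for this example; `sg_api` and `clients` are the names used in the thread.

```hcl
# Added example, not from the thread: break the instance <-> security-group
# cycle by creating an empty group, attaching it to the instances, and only
# then adding the rules as separate aws_security_group_rule resources.

# Assumed inputs for this example.
variable "vpc_id" {
  type = string
}

variable "ami_id" {
  type = string
}

variable "subnet_id" {
  type = string
}

variable "client_count" {
  type    = number
  default = 2
}

# Step 1: the group carries no inline ingress/egress blocks, so it depends
# on nothing else and can be created first.
resource "aws_security_group" "sg_api" {
  name        = "sg-api"
  description = "API access; rules are managed in aws_security_group_rule"
  vpc_id      = var.vpc_id
}

# Step 2: the instances reference the group, which now already exists.
resource "aws_instance" "clients" {
  count                  = var.client_count
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.sg_api.id]
}

# Step 3: one rule per instance, created after the instances exist.
# count.index selects a single instance, so public_ip is a string and can be
# interpolated into "<ip>/32". Interpolating aws_instance.clients[*].public_ip
# (a tuple) into the same template is what produced the "string required"
# error in the thread. for_each over the IPs would not work either, because
# for_each keys must be known at plan time and the IPs are not.
resource "aws_security_group_rule" "api_from_clients" {
  count             = var.client_count
  type              = "ingress"
  security_group_id = aws_security_group.sg_api.id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["${aws_instance.clients[count.index].public_ip}/32"]
  description       = "HTTP from client instance ${count.index}"
}
```

The same result fits in a single rule without `count` by passing a list rather than a string template: `cidr_blocks = formatlist("%s/32", aws_instance.clients[*].public_ip)`, which is what the original `formatlist` attempt was doing and which works once the rule lives outside the group. Two things to check before relying on either form: a `public_ip` that is not an Elastic IP changes when the instance is stopped and started, so the /32 rules drift until the next apply; and where the clients sit in the same VPC as the group, a rule with `self = true` (or `source_security_group_id` pointing at the group) lets members reach each other without depending on public IPs at all, which removes the cycle for good.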

