Creating ENI and security group attachments separately leaves the default security group on the ENI #9323
Labels: bug (Addresses a defect in current functionality.), service/ec2 (Issues and PRs that pertain to the ec2 service.)
This issue was originally opened by @dead10ck as hashicorp/terraform#22051. It was migrated here as a result of the provider split. The original body of the issue is below.
When you define an `aws_network_interface` and its security group attachments separately in `aws_network_interface_sg_attachment`s, it first creates the ENI with no security groups, which causes the AWS API to add the VPC's default security group. Then it attaches the other security groups to the existing ENI, but it leaves the default security group in place.

This can lead to a situation where the user thinks they have defined all the exact security groups they wanted attached to the ENI, but in fact, there is one more.
What's worse is that the default security group essentially says "allow all traffic on any port for anything else in the default security group," which means all EC2 nodes created with this pattern will inadvertently have full network access to each other.
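The configuration below is an added example, not part of the original issue or of the provider's own code, that puts the pattern described above next to the form that avoids it. The variable names, the `app` security group and its rule are placeholders; the only provider behaviour it relies on is the documented one: `aws_network_interface` accepts a `security_groups` list at creation time, and `aws_default_security_group` adopts the VPC default group and removes every rule not declared on it.

```hcl
# Added example (not from the issue). Placeholder inputs: the VPC and subnet
# are assumed to exist already.
variable "vpc_id"    { type = string }
variable "subnet_id" { type = string }

# The one group the operator actually intends to attach.
resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]   # placeholder CIDR
  }
}

# Pattern from the issue: the ENI is created with no security groups, so the
# API attaches the VPC default group. The attachment then adds "app", but the
# default group is never removed, so the ENI ends up in two groups.
resource "aws_network_interface" "separate_attachment" {
  subnet_id = var.subnet_id
}

resource "aws_network_interface_sg_attachment" "app" {
  security_group_id    = aws_security_group.app.id
  network_interface_id = aws_network_interface.separate_attachment.id
}

# Avoids the bug: the exact set of groups is declared on the ENI itself, so the
# create call carries "app" and the API has no reason to fall back to the
# default group.
resource "aws_network_interface" "inline_groups" {
  subnet_id       = var.subnet_id
  security_groups = [aws_security_group.app.id]
}

# Defence in depth for resources that still pick up the default group: adopt it
# in Terraform with no ingress or egress blocks, which strips the implicit
# "allow all traffic between members" rule the issue warns about.
resource "aws_default_security_group" "default" {
  vpc_id = var.vpc_id
}
```

To confirm which groups an ENI really carries, compare the `security_groups` attribute in `terraform state show aws_network_interface.separate_attachment` (or the `Groups` list from `aws ec2 describe-network-interfaces`) against the set declared in the configuration; with the separate-attachment pattern the default group will appear in the live list even though no resource declares it.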