
Security Groups do not allow ICMP #1313

Closed
wazoo opened this Issue Mar 26, 2015 · 6 comments

wazoo commented Mar 26, 2015

I was trying to create a security group with the following configuration:

ingress {
  protocol = "icmp"
  security_groups = ["${aws_security_group.sgr_test_nodes.id}"]
}

and I get the following error:

Errors:

  * 'aws_security_group.sgr_test_nodes' error: ingress.2.from_port: required field is not set
  * 'aws_security_group.sgr_test_nodes' error: ingress.2.to_port: required field is not set

While I understand why this error is happening, ICMP doesn't really have a port, and if you try to specify one you get this error from Amazon:

Error applying plan:

1 error(s) occurred:

* Error revoking security group ingress rules: ICMP code (65535) out of range (InvalidParameterValue)

Is there a specific way to configure ICMP? From looking at resource_aws_security_group.go it didn't look that way, so this may be a feature request: maybe a rule type or something, so that we could accomplish "all tcp" or whatever without having to specify ports.

ltcdnunez commented Jun 1, 2015

I think I just sorted this out. As it happens, Amazon uses the same interface for CloudFormation and there is some documentation on how to use ICMP. The from_port is the ICMP type number and the to_port is the ICMP code (which does not exist for many types and should be either 0 or -1 in that case). See the Amazon CloudFormation Documentation for details. And here are the ICMP types/codes.

Here's an example of how to allow inbound echo requests:

ingress {
  protocol = "icmp"
  from_port = 8                    # ICMP type 8: echo request
  to_port = 0                      # ICMP code 0
  cidr_blocks = ["10.0.1.0/24"]
}

catsby (Member) commented Jun 2, 2015

The from_port is the ICMP type number and the to_port is the ICMP code

That's... disappointing to hear... Network ACLs have explicit icmp_type and icmp_code parameters. I came here expecting I needed to add those here, but sadness...

Sounds like the solution for this issue then is to document this on the Security Group and Security Group Rules docs, agreed?

ltcdnunez commented Jun 3, 2015

@catsby I discovered after this that the Network ACL rules break when attempting to use this because of exactly what you're saying about the icmp_type and icmp_code parameters. It looks like you submitted a pull request to fix this for issue #2148, however.

To be clear, ICMP works fine when creating Security Group Rules if you do what I described before, but not in Network ACL in terraform v0.51.0 (and presumably lower). This does appear to mirror the AWS API for Security Group Rules.

seanknox (Contributor) commented Mar 8, 2016

For those out there who want to allow incoming ICMP echo ("ping") from any source via a security group, this does the trick:

  ingress {
    from_port = 8
    to_port = 0
    protocol = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }
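
The two comments above (ltcdnunez's type/code mapping and seanknox's ping rule) describe the same convention: for protocol "icmp" the EC2 API reuses FromPort as the ICMP type and ToPort as the ICMP code, with -1 as a wildcard, and Terraform's from_port/to_port are passed straight through to those fields. The following is an added example, not code from this thread, from Terraform or from AWS: a small builder that produces the IpPermissions entries boto3's ec2.authorize_security_group_ingress expects, and that rejects values like the 65535 from the original report before any API call is made. The helper names (icmp_permission, ping_and_pmtud_rules) and the constants are my own; the dict keys (IpProtocol, FromPort, ToPort, IpRanges, CidrIp) are the real EC2 API field names.

```python
"""Added example (not from the issue thread, Terraform or AWS code):
build ICMP security-group rules the way the EC2 API expects them.

For IpProtocol "icmp", EC2 reuses FromPort as the ICMP *type* and ToPort
as the ICMP *code*; -1 is a wildcard. Terraform's from_port/to_port map
onto the same two fields, which is why from_port = 8, to_port = 0 is ping.
"""
from typing import Dict, List, Tuple

# Well-known ICMPv4 (type, code) pairs; -1 is the EC2 wildcard.
ALL_ICMP: Tuple[int, int] = (-1, -1)
ECHO_REQUEST: Tuple[int, int] = (8, 0)           # inbound ping
FRAGMENTATION_NEEDED: Tuple[int, int] = (3, 4)   # dest-unreachable/frag-needed, used by PMTUD
TIME_EXCEEDED_ANY: Tuple[int, int] = (11, -1)    # type 11, any code (code wildcard)


class IcmpRuleError(ValueError):
    """Raised for type/code values EC2 would reject (e.g. a port number)."""


def icmp_permission(icmp_type: int, icmp_code: int, cidrs: List[str]) -> Dict:
    """Return one IpPermission entry for ec2.authorize_security_group_ingress.

    Validates before any API call: type and code must each be -1 or 0..255,
    and a wildcard type (-1) must be paired with a wildcard code (-1).
    """
    for field, value in (("type", icmp_type), ("code", icmp_code)):
        if value != -1 and not 0 <= value <= 255:
            raise IcmpRuleError(f"ICMP {field} ({value}) out of range")
    if icmp_type == -1 and icmp_code != -1:
        raise IcmpRuleError("all ICMP types (-1) requires all codes (-1)")
    if not cidrs:
        raise IcmpRuleError("at least one CIDR block is required")
    return {
        "IpProtocol": "icmp",
        "FromPort": icmp_type,  # ICMP type, not a TCP/UDP port
        "ToPort": icmp_code,    # ICMP code, not a TCP/UDP port
        "IpRanges": [{"CidrIp": cidr} for cidr in cidrs],
    }


def ping_and_pmtud_rules(cidrs: List[str]) -> List[Dict]:
    """Allow ping plus fragmentation-needed, which AWS recommends keeping open
    so path-MTU discovery still works when other ICMP is blocked."""
    return [icmp_permission(t, c, cidrs) for t, c in (ECHO_REQUEST, FRAGMENTATION_NEEDED)]


if __name__ == "__main__":
    import json
    # Constructed sample input: an internal subnet.
    print(json.dumps(ping_and_pmtud_rules(["10.0.1.0/24"]), indent=2))
```

The returned list can be passed directly as `IpPermissions=` to `ec2.authorize_security_group_ingress(GroupId=...)`. The same numbers go into Terraform as from_port/to_port; the validator's range check is what catches the "ICMP code (65535) out of range" mistake from the original report locally instead of at apply time.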

stack72 (Contributor) commented Mar 22, 2016

The documentation has been updated to reflect ICMP. I am going to close this issue. If you feel that the documentation is not as clear as it can be, please let us know.

Thanks

Paul
