Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Groups do not allow ICMP #1313

Closed
wazoo opened this issue Mar 26, 2015 · 6 comments
Closed

Security Groups do not allow ICMP #1313

wazoo opened this issue Mar 26, 2015 · 6 comments

Comments

@wazoo
Copy link

@wazoo wazoo commented Mar 26, 2015

I was trying to create a security group with the following configuration:

ingress {
  protocol = "icmp"
  security_groups = ["${aws_security_group.sgr_test_nodes.id}"]
}

and I get the following error:

Errors:

  * 'aws_security_group.sgr_test_nodes' error: ingress.2.from_port: required field is not set
  * 'aws_security_group.sgr_test_nodes' error: ingress.2.to_port: required field is not set

While I understand why this error is happening, ICMP doesn't really have a port and if you try to specify one you get this error from amazon:

Error applying plan:

1 error(s) occurred:

* Error revoking security group ingress rules: ICMP code (65535) out of range (InvalidParameterValue)

Is there a specific way to configure ICMP? From looking at resource_aws_security_group.go it didn't look that way so this may be a feature request, maybe a rule type or something so that way we could accomplish the ability to do "all tcp" or whatever without having to specify ports.

@ltcdnunez
Copy link

@ltcdnunez ltcdnunez commented Jun 1, 2015

I think I just sorted this out. As it happens, Amazon uses the same interface for CloudFormation and there is some documentation on how to use ICMP. The from_port is the ICMP type number and the to_port is the ICMP code (which does not exist for many types and should be either 0 or -1 in that case). See the Amazon CloudFormation Documentation for details. And here are the ICMP types/codes.

Here's an example of how to allow inbound echo requests:

ingress {
  protocol = 200
  cidr_block = "10.0.1.0/24"
  protocol = "icmp"
  from_port = 8
  to_port = 0
}
@catsby
Copy link
Member

@catsby catsby commented Jun 2, 2015

The from_port is the ICMP type number and the to_port is the ICMP code

That's... disappointing to hear... Network ACLs have an explicit icmp_type and icmp_type code parameter. I came here expecting I needed to add those here, but sadness...

Sounds like the solution for this issue then is to document this on the Security Group and Security Group Rules docs, agreed?

@ltcdnunez
Copy link

@ltcdnunez ltcdnunez commented Jun 3, 2015

@catsby I discovered after this that the Network ACL rules break when attempting to use this because of exactly what you're saying about the icmp_type and icmp_code parameters. It looks like you submitted a pull request to fix this for issue #2148, however.

To be clear, ICMP works fine when creating Security Group Rules if you do what I described before, but not in Network ACL in terraform v0.51.0 (and presumably lower). This does appear to mirror the AWS API for Security Group Rules.

@seanknox
Copy link
Contributor

@seanknox seanknox commented Mar 8, 2016

For those out there who want to allow incoming ICMP echo ("ping") from any source via a security group, this does the trick:

  ingress {
    from_port = 8
    to_port = 0
    protocol = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }
@stack72
Copy link
Contributor

@stack72 stack72 commented Mar 22, 2016

The documentation has been updated to reflect ICMP. I am going to close this issue. If you feel that the documentation is not as clear as it can be, please let us know

Thanks

Paul

@hashibot
Copy link

@hashibot hashibot bot commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days . This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@hashibot hashibot bot locked and limited conversation to collaborators Mar 29, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants