
Associating pre-existing Security Group Rules to resource.aws_security_group_rule #14207

Closed
nateww opened this issue May 4, 2017 · 2 comments

Comments


nateww commented May 4, 2017

Terraform Version

We're using 0.8.8, but the behavior is identical in 0.9.3/0.9.4

Affected Resource(s)

resource.aws_security_group and resource.aws_security_group_rule

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

TF file representing an existing AWS security group

resource "aws_security_group" "prod_stuffs" {
  vpc_id      = "${var.aws_vpc}"
  name        = "Security Group for Production Stuff"
  description = "Allows access to stuff"

  tags {
    Terraform   = "true"
  }
}

# No Egress rules are necessary since these are added to existing nodes

resource "aws_security_group_rule" "stuff_allow_tcp" {
  type              = "ingress"
  from_port         = 12345
  to_port           = 12345
  protocol          = "tcp"
  cidr_blocks       = "${list(lookup(var.subnets_cidrs, "yellow"))}"
  security_group_id = "${aws_security_group.prod_stuffs.id}"
}

I'd like to add a new rule, so I appended the following to the end of the above file:

resource "aws_security_group_rule" "stuff_allow_icmp" {
  type              = "ingress"
  from_port         = 8
  to_port           = 0
  protocol          = "icmp"
  cidr_blocks       = "${list(lookup(var.remote_cidrs, "other-vpc"))}"
  security_group_id = "${aws_security_group.prod_stuffs.id}"
}

Expected Behavior

We manually added the above rule (as well as an egress rule that allows all traffic).

Because of already reported issues with TF and AWS security groups (and the fact that we've been bitten hard by these bugs in the last few months), we will NOT use TF to modify either security groups and rules nor apply security groups to resources, which leaves our instances with the inability to communicate and our services fail.

Therefore, we added our new rule manually via the AWS CLI. However, there is no way to associate the newly added rule to TF. TF knows the new rules exist, but it neither reports that the security group is out of sync with TF, nor do I know how to associate the above rule with the existing SG.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Create Security Group using Terraform
  2. Realize that Security Group needs new rules
  3. Manually add the new rule to the existing SG using the AWS CLI
  4. Edit the TF file that was used to create the SG by adding a new rule, and attempt to associate the newly added resource.aws_security_group_rule to the AWS rule.

In addition, we have new rules in place on the security group, and I would have expected TF to complain about existing rules that should be removed as they are not represented in the definition files provided to terraform.

Note, here is the (redacted) output of the terraform state, which shows both the existing and new rules, of which only one matches the TF files.

% terraform state show aws_security_group.prod_stuffs
id                                            = sg-15b3096e
description                                   = Allows profile access to stuff
egress.#                                      = 1
egress.482069346.cidr_blocks.#                = 1
egress.482069346.cidr_blocks.0                = 0.0.0.0/0
egress.482069346.from_port                    = 0
egress.482069346.prefix_list_ids.#            = 0
egress.482069346.protocol                     = -1
egress.482069346.security_groups.#            = 0
egress.482069346.self                         = false
egress.482069346.to_port                      = 0
ingress.#                                     = 3
ingress.2145115223.cidr_blocks.#              = 1
ingress.2145115223.cidr_blocks.0              = 10.10.1.0/24
ingress.2145115223.from_port                  = 8
ingress.2145115223.protocol                   = icmp
ingress.2145115223.security_groups.#          = 0
ingress.2145115223.self                       = false
ingress.2145115223.to_port                    = -1
ingress.3696632892.cidr_blocks.#              = 1
ingress.3696632892.cidr_blocks.0              = 10.0.2.0/24
ingress.3696632892.from_port                  = 19389
ingress.3696632892.protocol                   = tcp
ingress.3696632892.security_groups.#          = 0
ingress.3696632892.self                       = false
ingress.3696632892.to_port                    = 19389
ingress.4127962015.cidr_blocks.#              = 0
ingress.4127962015.from_port                  = 19389
ingress.4127962015.protocol                   = tcp
ingress.4127962015.security_groups.#          = 1
ingress.4127962015.security_groups.2968368645 = sg-a720c8c8
ingress.4127962015.self                       = false
ingress.4127962015.to_port                    = 19389
name                                          = Security Group for Production Profile
owner_id                                      = 382513426234
tags.%                                        = 3
tags.Environment                              = staging
tags.Name                                     = Production Profile Proxy Security Group
tags.Terraform                                = true
vpc_id                                        = vpc-asdfasdfadf

References

#11011
#12252 - We've switched to using separate aws_security_group_rule and aws_security_group_rule for both documentation purposes, and because of this.
#13314
#13827
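As an added example (not from this issue, the reporter, or the Terraform AWS provider), here is one way to surface the drift the reporter expected Terraform to report: regroup the flat `terraform state show` key/value output quoted above into rules and set-compare them against the rules the .tf file declares. The state sample is a constructed subset of the output in the issue, and the config's variables are assumed to resolve to the redacted values shown in that state (tcp port 19389 from the "yellow" subnet, ICMP 8/0 from the other VPC).

```python
import re

# Constructed sample: a subset of the flat `terraform state show` output quoted in this issue.
STATE_SHOW = """\
egress.482069346.cidr_blocks.0                = 0.0.0.0/0
egress.482069346.from_port                    = 0
egress.482069346.protocol                     = -1
egress.482069346.to_port                      = 0
ingress.2145115223.cidr_blocks.0              = 10.10.1.0/24
ingress.2145115223.from_port                  = 8
ingress.2145115223.protocol                   = icmp
ingress.2145115223.to_port                    = -1
ingress.3696632892.cidr_blocks.0              = 10.0.2.0/24
ingress.3696632892.from_port                  = 19389
ingress.3696632892.protocol                   = tcp
ingress.3696632892.to_port                    = 19389
ingress.4127962015.from_port                  = 19389
ingress.4127962015.protocol                   = tcp
ingress.4127962015.security_groups.2968368645 = sg-a720c8c8
ingress.4127962015.to_port                    = 19389
"""
# <direction>.<rule hash>.<field>[.<index>] = value ; the ".#" count lines do not match and are skipped
LINE = re.compile(r"^(ingress|egress)\.(\d+)\.(\w+)(?:\.\w+)?\s*=\s*(.*)$")

def canonical(r):  # hashable, order-independent form of one rule so rules can be set-compared
    return (r["type"], r["protocol"], str(r["from_port"]), str(r["to_port"]),
            frozenset(r["cidr_blocks"]), frozenset(r["security_groups"]))

def parse_state_rules(text):
    """Regroup the flattened state keys into one rule per (direction, hash)."""
    rules = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        direction, rule_hash, field, value = m.groups()
        r = rules.setdefault((direction, rule_hash), {"cidr_blocks": set(), "security_groups": set()})
        r["type"] = direction
        if field in ("cidr_blocks", "security_groups"):
            r[field].add(value)
        elif field in ("from_port", "to_port", "protocol"):
            r[field] = value
    return [canonical(r) for r in rules.values()]

# Ingress rules the .tf file in this issue declares (assumed resolved variable values, see lead-in).
def declared(protocol, from_port, to_port, cidr):
    return ("ingress", protocol, str(from_port), str(to_port), frozenset({cidr}), frozenset())
DECLARED = {declared("tcp", 19389, 19389, "10.0.2.0/24"), declared("icmp", 8, 0, "10.10.1.0/24")}

def find_drift(declared_rules, actual_rules):
    """Returns (rules on the SG that no config declares, declared rules the SG does not carry)."""
    declared_rules, actual_rules = set(declared_rules), set(actual_rules)
    return actual_rules - declared_rules, declared_rules - actual_rules
```

On this sample the unmanaged set contains the allow-all egress rule, the tcp rule sourced from sg-a720c8c8, and the ICMP rule as AWS reports it (to_port -1), while the ICMP rule as declared (to_port 0) shows up as missing, which is the mismatch that makes only one rule line up with the TF files.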

@meyertime
Contributor

My pull request #14332 would improve this. Using a single aws_security_group_rules resource to define all rules will make Terraform manage all the rules within a security group (like inline rules in aws_security_group) but still allow two security groups to refer to each other in their rules without creating a circular dependency (like when using aws_security_group_rule).

@ghost

ghost commented Apr 9, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 9, 2020