aws_security_group: Can not add IPv6 address. InvalidParameterValue: CIDR block ::/0 is malformed #14382

Closed
sandnabba opened this issue May 11, 2017 · 5 comments


Hi!

I'm trying to add an IPv6 address in an aws_security_group. But Terraform fails with "Error authorizing security group egress rules: InvalidParameterValue: CIDR block ::/0 is malformed"

Terraform Version

Terraform v0.9.4

Affected Resource(s)

  • aws_security_group

Terraform Configuration Files

resource "aws_security_group" "test" {
  vpc_id = "${var.vpc}"
  name        = "Test"
  description = "Test"

  # Allow all outgoing:
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["::/0"]
  }
}

Debug Output

terraform apply

1 error(s) occurred:

* module.uptime_probes.aws_security_group.uptime_probe_sg: 1 error(s) occurred:

* aws_security_group.uptime_probe_sg: Error authorizing security group egress rules: InvalidParameterValue: CIDR block ::/0 is malformed
	status code: 400, request id: 9f209ba4-802e-4619-9f5a-38613cc7ebc5

Workaround

  1. Comment out the IPv6 egress-block in the terraform configuration
  2. Run 'terraform apply' to create the security group without the IPv6 block
  3. Open the AWS console, and add the IPv6 block manually.
  4. 'terraform plan' should now report 'Infrastructure is up-to-date.'

stack72 commented May 11, 2017

Hi @sandnabba

Thanks for reporting your issue here. The following configuration will work for you in this case:

resource "aws_security_group" "test" {
  vpc_id = "${var.vpc}"
  name        = "Test"
  description = "Test"

  # Allow all outgoing:
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    ipv6_cidr_blocks     = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    ipv6_cidr_blocks     = ["::/0"]
  }
}

Notice the use of ipv6_cidr_blocks rather than cidr_blocks

Paul

@realflash
Contributor

@stack72 Your proposed configuration doesn't work - it results in InvalidParameterValue: CIDR block 0.0.0.0/0 is malformed (probably as expected). I think you meant:

resource "aws_security_group" "test" {
  vpc_id = "${var.vpc}"
  name        = "Test"
  description = "Test"

  # Allow all outgoing:
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    ipv6_cidr_blocks     = ["::/0"]
  }
}
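
The address-family mismatch behind both "malformed" errors in this thread can be caught before `terraform apply`. The following is an added example, not part of the original thread or of Terraform itself: a Python check that compares each CIDR's IP version with the attribute it is listed under. The rule dictionaries are constructed inputs mirroring the three posted configurations, and the function names are hypothetical.

```python
import ipaddress

# Attribute name -> IP version expected under it, as the errors in this thread show.
EXPECTED_VERSION = {"cidr_blocks": 4, "ipv6_cidr_blocks": 6}


def cidr_version(cidr):
    """Return 4 or 6 for a parseable CIDR, or None if it is not a CIDR at all."""
    try:
        return ipaddress.ip_network(cidr, strict=False).version
    except ValueError:
        return None


def check_rule(rule):
    """Return (attribute, cidr, problem) tuples for one ingress/egress block."""
    findings = []
    for attr, expected in EXPECTED_VERSION.items():
        for cidr in rule.get(attr, []):
            version = cidr_version(cidr)
            if version is None:
                findings.append((attr, cidr, "not a valid CIDR"))
            elif version != expected:
                other = "ipv6_cidr_blocks" if version == 6 else "cidr_blocks"
                findings.append((attr, cidr, f"IPv{version} CIDR, move to {other}"))
    return findings


def check_group(rules):
    """Flatten the findings for every rule block of a security group."""
    return [finding for rule in rules for finding in check_rule(rule)]


# Constructed inputs mirroring the three egress layouts posted in this thread.
ORIGINAL = [{"cidr_blocks": ["0.0.0.0/0"]}, {"cidr_blocks": ["::/0"]}]
FIRST_REPLY = [{"ipv6_cidr_blocks": ["0.0.0.0/0"]}, {"ipv6_cidr_blocks": ["::/0"]}]
CORRECTED = [{"cidr_blocks": ["0.0.0.0/0"]}, {"ipv6_cidr_blocks": ["::/0"]}]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL),
                        ("first reply", FIRST_REPLY),
                        ("corrected", CORRECTED)]:
        print(name, check_group(rules) or "ok")
```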


stack72 commented May 18, 2017

Sorry @realflash, you are correct. This is what happens trying to write a response on my phone :)

@luckymagic7

@stack72
Hi, I think it's ipv6_cidr_block not ipv6_cidr_blocks. When I try terraform apply

invalid or unknown key: ipv6_cidr_blocks

comes out.

Using ipv6_cidr_block solves it.

Ref: https://www.terraform.io/docs/providers/aws/r/network_acl_rule.html


ghost commented Dec 6, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Dec 6, 2019