
Use security groups modules. Get: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule #65

Closed
imgarylai opened this issue Jun 25, 2018 · 6 comments

Comments

@imgarylai

I'm using your awesome modules to build up my infrastructure. However, I have an issue while setting up security groups.

I have setup VPC by using https://github.com/terraform-aws-modules/terraform-aws-vpc
And I use this module to setup security groups, but I get error messages like this:

Error: Error applying plan:

4 error(s) occurred:

* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[3]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.3: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule
* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[2]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.2: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule
* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[0]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.0: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule
* module.web_security_group.module.sg.aws_security_group_rule.ingress_rules[1]: 1 error(s) occurred:

* aws_security_group_rule.ingress_rules.1: One of ['cidr_blocks', 'ipv6_cidr_blocks', 'self', 'source_security_group_id', 'prefix_list_ids'] must be set to create an AWS Security Group Rule

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

This is my tf file. I haven't put many things in yet. And I guess that if I don't set anything specifically for the ingress_rules, those values in the error messages are set by default in auto_values.tf?

provider "aws" {
  profile = "${var.profile}"
  region  = "${var.region}"
  version = "~> 1.16"
}

locals {
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "${var.name}"
  cidr = "10.0.0.0/16"

  azs             = "${local.availability_zones}"
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform   = "true"
    Environment = "${var.environment}"
  }
}

data "aws_security_group" "default" {
  name   = "default"
  vpc_id = "${module.vpc.vpc_id}"
}

module "web_security_group" {
  source = "terraform-aws-modules/security-group/aws//modules/web"
  name   = "web_security_group"
  vpc_id = "${module.vpc.vpc_id}"
}
@antonbabenko
Member

Glad that you like these modules.

The error you are receiving is because you are creating a named security group, which means it opens some ports and requires an explicit specification of CIDR blocks (or other properties, as listed in the error) to be associated with those ports. Normally you specify CIDR blocks like this:

module "web_security_group" {
  source = "terraform-aws-modules/security-group/aws//modules/web"
  name   = "web_security_group"
  vpc_id = "${module.vpc.vpc_id}"

  ingress_cidr_blocks = ["0.0.0.0/0"]
}

@imgarylai
Author

@antonbabenko Thanks for your explanation, but there are things I am not quite clear about.

I tried to create this sg according to its documentation.

Since name is a required variable, I definitely need to create a named security group to use this web module, right? However, the documentation says ingress_cidr_blocks is not a required variable. Should I use them together? Is there a way to create a named sg without specifying the ingress_cidr_blocks?

Or did I just misunderstand something? I guess I should add ingress_cidr_blocks anyway, because, for example, for the psql sg I definitely want its ingress_cidr_blocks to be my private subnets, right?

@antonbabenko
Member

In fact, those arguments are marked as optional because they can be defined in a variety of combinations, so that at least one of them is required.

ingress_cidr_blocks, ingress_with_cidr_blocks, ingress_with_source_security_group_id - these are typically the options you need to choose from. See complete example for all possible values.

@imgarylai
Author

I solved the issue and understand the idea of your module.
Really appreciate your help.

@smeeklai

smeeklai commented Jun 4, 2020

In case you'd like to create a security group without specifying a CIDR range, add

ingress_with_self = [
    {
      rule = "all-all"
    },
]

under the security-group module.

Note that you might want to change the rule in case you want to be more restrictive about access.
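As an added example (not the original poster's configuration, nor the module's own documentation), here is one way to give each group a source without opening it to 0.0.0.0/0: the web group takes a constructed CIDR allow-list, and the database group takes the web group's id as its source security group plus a port-specific self rule in place of all-all. It assumes Terraform 0.12+ syntax, a 4.x release of the security-group module (output name security_group_id), and the module.vpc block from the issue above.

```hcl
# Added example in Terraform 0.12+ syntax; assumes terraform-aws-modules/security-group/aws 4.x
# (output "security_group_id") and the module.vpc from the issue for vpc_id.

# Web tier: the source is a CIDR list. A narrow allow-list satisfies the
# "One of [...] must be set" requirement just as 0.0.0.0/0 does, with far less exposure.
module "web_security_group" {
  source  = "terraform-aws-modules/security-group/aws//modules/web"
  version = "~> 4.0"

  name   = "web_security_group"
  vpc_id = module.vpc.vpc_id

  # Constructed placeholder range; replace with your load balancer or office CIDRs.
  ingress_cidr_blocks = ["203.0.113.0/24"]
}

# Database tier: no CIDR at all. The source is the web security group, so only
# instances that carry that group can reach PostgreSQL, regardless of subnet.
module "db_security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 4.0"

  name   = "db_security_group"
  vpc_id = module.vpc.vpc_id

  # The web group's id is only known after apply, so the computed_* variant is used
  # together with its explicit count.
  computed_ingress_with_source_security_group_id = [
    {
      rule                     = "postgresql-tcp"
      source_security_group_id = module.web_security_group.security_group_id
    },
  ]
  number_of_computed_ingress_with_source_security_group_id = 1

  # Members of this group may talk to each other, but only on the PostgreSQL port,
  # rather than on every port as "all-all" would allow.
  ingress_with_self = [
    {
      rule = "postgresql-tcp"
    },
  ]

  egress_rules = ["all-all"]
}
```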

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 16, 2022