-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Resource: aws_security_group_rules #1824
Conversation
Looking forward to this change |
# Conflicts: # aws/provider.go # website/docs/r/security_group.html.markdown
hi, |
Once this pull request is merged and the new version is released, the Terraform website will have examples of the new rules resource. But basically it is like resource "aws_security_group_rules" "foo" {
security_group_id = "${aws_security_group.my_security_group.id}"
ingress {
protocol = "tcp"
from_port = 80
to_port = 80
cidr_blocks = [ "0.0.0.0/0" ]
}
egress {
protocol = "tcp"
from_port = 80
to_port = 80
cidr_blocks = [ "0.0.0.0/0" ]
}
} But once again, this pull request isn't merged yet, so at this point, this won't work unless you make your own build of the Terraform aws provider. So feel free to pester HashiCorp to hurry up and click the "Merge" button. |
This is more or less a blocker when attempting to import existing infrastructure into a TF config that uses |
Really need this. Security groups that reference each other directly is an absolute requirement, and the only reason we haven't migrated our SG creation to Terraform yet.. |
@radeksimko It has been 5 months... can I get a review? I know there is a merge conflict now, but only because it has taken this long... I'll resolve the conflict once I get a review. |
Are there any updates on this? Would love to see this merged. |
¯\_(ツ)_/¯ |
It hurts to see code of this importance just being ignored! 😞 @radeksimko |
Why not yet merged? |
This would be a HUGE help, any chance we can get some traction on this? |
👍 This continues to be a major problem with managing security groups via terraform. |
Pretty please. |
👍 Badly need this... |
@deftflux we really appreciate the work done on this PR, and I know first hand about many of the rough edges around security groups. I apologize for the lack of an update here, especially with the amount of work you have put in. We are waiting to see what kind of effects the improved Terraform 0.12 syntax (specifically for and for-each) has on solving issues with security groups. After 0.12, the plan is to take a step back and approach this more holistically to make sure we cover all the cases (circular referencing, self referencing, rule flattening / diffing) etc. The current set of resources are a minefield of issues, you enumerate quite a few of them, but there are many more not covered in your write up, and we worry adding another model to define / manage rules just confuses the situation more. This resource may be the appropriate way to implement this, but we think that needs to be coupled with deprecating some of the other methods and covering all the cases with preferably a single design and we need to make sure we are considering all those possibilities (and the new iteration features) when we design it. |
@paultyng Thanks for the feedback! Yeah, I had a feeling the new HCL features had something to do with the delay here. Unfortunately, from what I've read of the new features, I don't think that they alone will solve this issue. It would certainly make writing inline rules better, but would not solve the circular dependency problem with inline rules or the incomplete information problem with individual rule resources. Without significant changes to Terraform itself, I don't think there's any other way to provide a method that solves both problems. But as you alluded to, it doesn't cover all use cases, so we can't deprecate the other methods. One or both problems would have to be solved with changes to Terraform in order to open up more possibilities here. So some way of resolving circular dependencies between resources (perhaps some kind of partial apply of a resource with known arguments followed by one or more additional applies as more arguments become known) and/or some way of sharing information between certain resources (perhaps the concept of some kind of sub-resource, where the parent resource is responsible for applying them and knows about all sub-resources). Anyways, it's nice to know that it's on your radar at least. Looking forward to seeing what you come up with. |
Hi @deftflux @paultyng this is a great discussion, and I would like to follow up once Terraform 0.12 has been released. For now, I am going to add the Cheers |
This sucks. Thanks for ignoring this awesome and necessary feature admins |
Honestly, closing the PR is not a good way to say "we would like to follow up on this." Yeah, it's not a sexy feature, why it's needed is complicated, but it's absolutely necessary to actually manage SGs effectively. Why not keep it open, label it, and continue to talk about how it can be prioritized and get into the next release? |
I opened #9032 to continue the discussion with these changes against master. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
This was originally over at hashicorp/terraform#14332 before builtin providers were split out. So here it is for the split AWS provider.
I wrote and ran acceptance tests and everything, so it is ready to merge. I could not, however, verify one classic (pre-VPC) test because our AWS account was created post-VPC and does not support the classic style.
The following is the original pull request write-up:
I am fixing a long-standing issue with Terraform managing AWS security group rules. Currently, there are two ways to configure security group rules, and they each have serious short-comings:
aws_security_group
resource.aws_security_group
resource will not manage one or both types of rules. In other words, there is no way to define that a security group should have no ingress rules and/or no egress rules. Upon applying, Terraform will not remove any of those rules.aws_security_group_rule
resources.Now for my solution:
aws_security_group_rules
resource. (Note thes
; that's "rules" plural.) This solution takes the best of the two approaches above and then some:aws_security_group_rule
, there is no circular dependency in Terraform's dependency graph when rules from two security groups refer to each other. Terraform will simply create the security groups first, then create the rules.aws_security_group
, the resource has enough information to verify that the rules in AWS exactly match the rules defined in the configuration. Any manual changes done outside of Terraform will be undone.aws_security_group
, does not have to support other resources managing the rules instead, a rules resource that defines no ingress and/or no egress rules can be understood to mean that none should exist. This is an advantage over both previous approaches.aws_security_group
, this solution would be much less verbose than having to define manyaws_security_group_rule
resources. Only one separate resource section with one specification of the security group ID is required to define the rules. Other than that, the syntax matches that of the inline rules withinaws_security_group
.Yes, this involves adding yet another resource for defining AWS security group rules. But all three of these can still have a distinct purpose:
aws_security_group
is obviously necessary for defining a security group that is managed by Terraform. The optional ability to define security group rules inline may remain for those who never refer to other security groups within their rules.aws_security_group_rule
would only be safely used for adding a rule to an existing security group while preserving any rules that already exist in that group that are somehow managed elsewhere. There may be some out there who might want to do this, but due to the short-comings of this approach, I would strongly recommend deprecating this, or at least pointing users to the new rules resource as the standard approach.aws_security_group_rules
would be the standard approach for defining the exact set of rules that should belong to a given security group.