Terraform AWS Security group self reference

Question

I am using terraform for AWS resource provisioning. I need to self reference "mySG". from Terraform documentation i can use

 ingress {
          from_port = 0
          to_port = 0
          protocol = -1
          self = true
      }

but how about the different Protocols? Using Console There are below historic inbound rules available:

      Type      Protocol         PortRange      Source
1. All TCP      TCP             0-65535         mySG 
2. All UDP       UDP              0-65535         mySG 
3. Custom TCP    TCP             1856            mySG

(is Third entry required?, considering first entry for all port) does the ingress rule described above takes care of all 3 entries? If not the what should be the terraform syntax.

setting protocol to -1 covers both TCP and UDP. Security groups are layer 3, so those are the only two protocols it manages. — jordanm, Apr 13 '20 at 16:53
@jordanm https://stackoverflow.com/a/61192693/154527 is a valid answer to your question and you should accept it. — Alain O'Dea, Apr 14 '20 at 03:37
Thanks Datise, it worked for me. Even the modeler approach for different environments (Dev, UAT, PROD) also worked. Thanks! — Kamlendra Sharma, Apr 24 '20 at 07:47

score 8 · Accepted Answer · answered Apr 13 '20 at 16:52

You can implement a self referential group by splitting the sec group from the rules using the resources aws_security_group and aws_security_group_rule respectively. Doing this, combined with your 3 existing rules, would loosely look like this terraform:

resource "aws_security_group" "sec_group" {
  name   = "sec_group"
  vpc_id = "${local.vpc_id}"
}

resource "aws_security_group_rule" "sec_group_allow_tcp" {
  type              = "ingress"
  from_port         = 0 // first part of port range 
  to_port           = 65535 // second part of port range
  protocol          = "tcp" // Protocol, could be "tcp" "udp" etc. 
  security_group_id = "${aws_security_group.sec_group.id}" // Which group to attach it to
  source_security_group_id = "${aws_security_group.sec_group.id}" // Which group to specify as source
}

resource "aws_security_group_rule" "sec_group_allow_udp" {
  type              = "ingress"
  from_port         = 0 // first part of port range 
  to_port           = 65535 // second part of port range
  protocol          = "udp" // Protocol, could be "tcp" "udp" etc. 
  security_group_id = "${aws_security_group.sec_group.id}" // Which group to attach it to
  source_security_group_id = "${aws_security_group.sec_group.id}" // Which group to specify as source
}

resource "aws_security_group_rule" "sec_group_allow_1865" {
  type              = "ingress"
  from_port         = 1865 // first part of port range 
  to_port           = 1865 // second part of port range
  protocol          = "tcp" // Protocol, could be "tcp" "udp" etc. 
  security_group_id = "${aws_security_group.sec_group.id}" // Which group to attach it to
  source_security_group_id = "${aws_security_group.sec_group.id}" // Which group to specify as source
}

Note that the rule takes a protocol type, from port/to port (for the range), and an optional source_security_group_id to specify

Thanks @Datise, this worked for me. I would like to add one more example of all port for icmp. resource "aws_security_group_rule" "All_all_icmp_ports_for_self_SG_all" { count = tonumber(var.groupcount) type = "ingress" from_port = -1 to_port = -1 protocol = "icmp" security_group_id = aws_security_group.internal_security_group[count.index].id source_security_group_id = aws_security_group.internal_security_group[count.index].id } — Kamlendra Sharma, Oct 18 '20 at 05:52

Terraform AWS Security group self reference

1 Answers1