2

for resource aws_security_group , i want to add egress block to run only if ingress rules are created. Below i have applied condition for the egress block using count then tried with for_each , but I am getting error : An argument named "count" or "for_each" is not expected here respectively. Can someone please help how can i achieve this

code

  egress {
    #for_each             = (length(split(",", var.ingress_ports_udp)) != 0 && length(split(",", var.ingress_ports_udp)) != 0) ? ["1"] : []
    from_port         = 0
    to_port           = 0
    protocol          = "-1"
    cidr_blocks       = ["0.0.0.0/0"]
  }
Abhishek Solanki
  • 374
  • 1
  • 14

1 Answers1

3

You're looking for the dynamic block. It would look something like this:

resource "aws_security_group" "mygroup" {
  name        = "mygroup"
  vpc_id      = aws_vpc.main.id

  dynamic "egress" {
    for_each = (condition) ? [1] : []
    content {
      from_port         = 0
      to_port           = 0
      protocol          = "-1"
      cidr_blocks       = ["0.0.0.0/0"]
    }
  }
}

Your condition looks quite odd. First off, you're checking exactly the same condition twice (length(split(",", var.ingress_ports_udp)) != 0 appears to be duplicated), and second, split will never return a list of length 0 anyways (if an empty string is given, it will return a list with one element, which is itself an empty string). You can see this on the split documentation page, third example:

> split(",", "")
[
  "",
]

So your condition will never be false, no matter what the value of var.ingress_ports_udp is. You can use compact(split(",", var.ingress_ports_udp)) to deal with this (compact will remove any list elements that are empty strings).

I'd recommend passing var.ingress_ports_udp in as a list of numbers, instead of as a string that you split within the module. Then you can simply use length(var.ingress_ports_udp) > 0 ? [1] : [].

Jordan
  • 3,998
  • 9
  • 45
  • 81